Fakebat

Malware Profile Updated 3 months ago
FakeBat is a notable malware loader that has been used in malvertising campaigns since at least November 2022, according to an early 2023 Intel471 report. It compromises computers and devices by infiltrating them through suspicious downloads, emails, or websites. Unlike conventional malware strains, FakeBat is delivered as MSIX installers bundled with heavily obfuscated PowerShell code, which makes it a distinctive threat. It is distributed via deceptive ads for popular software downloads, often disguised as legitimate Zoom download sites such as z00nn.one-platform-to-connect[.]group and info-zoomapp[.]com, with the installer fetched from URLs such as youstorys[.]com/fonts/Zoom-x64.msix and windows-rars[.]shop/bootstrap/Zoom-x64.msix. The FakeBat loader has been observed in several malvertising campaigns, often paired with the Atomic Stealer malware, and communicates with its command and control (C2) server at 2311foreign[.]xyz. In one campaign the threat actor tracked victims using a newly identified panel, Hunting panel 1.40; an open directory on the same domain revealed the location of both the Windows payload, an MSI installer (FakeBat), and the Mac payload (Atomic Stealer). Sophos linked FakeBat with infostealers such as Redline, Ursnif, and Rhadamanthys in a July 2023 report. In recent weeks, FakeBat malvertising campaigns have used two types of ad URLs and targeted many different brands, and the loader's continued presence poses a significant threat to businesses. Malwarebytes has been tracking this malware family closely and has documented its activity in several blog posts. Despite ongoing mitigation efforts, FakeBat remains a potent adversary because of its tactics and its heavy use of obfuscated code.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
Atomic Stealer Amos | 1 | Atomic Stealer (AMOS) is a software vulnerability specifically designed to target macOS devices. Discovered by Malwarebytes in September 2023, this flaw was propagated through a cybercriminal campaign that exploited malicious ads to spread the malware to Mac users. The malware was also distributed v
Eugenloader | 1 | EugenLoader, also known as FakeBat, is a form of malware that was detected by Microsoft in mid-November 2023. It was distributed by an initial access broker known as Storm-1113 through search advertisements mimicking the Zoom app, with the malware delivered via bogus MSIX installers masquerading as
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Loader
Windows
Payload
Malvertising
Malware Loader
Zoom
Keepass
Malwarebytes
Malware Payl...
PowerShell
Associated Malware
ID | Type | Votes | Profile Description
Hijackloader | Unspecified | 1 | HijackLoader is a new type of malware that has been rapidly gaining popularity within the cybercrime community. As with other types of malicious software, it is designed to exploit and damage computer systems. It can infiltrate these systems through suspicious downloads, emails, or websites, often u
Pikabot | Unspecified | 1 | PikaBot is a harmful malware that emerged in 2023, designed to exploit and damage computer systems. It infiltrates systems through dubious downloads, emails, or websites, often undetected by the user. Once inside a system, PikaBot can pilfer personal information, disrupt operations, or even ransom d
IcedID | Unspecified | 1 | IcedID is a malicious software (malware) designed to exploit and damage computer systems. It infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom
Batloader | Unspecified | 1 | Batloader is a malware downloader posing as installers or updates for legitimate applications such as Microsoft Teams, Zoom, and others. This malicious software can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal
Redline | Unspecified | 1 | RedLine is a malware designed to exploit and damage computer systems by stealing personal information, disrupting operations, or even holding data hostage for ransom. It has been identified as a favorite infostealer among threat actors selling logs through the marketplace 2easy, which also sells Rac
Redline Stealer | Unspecified | 1 | RedLine Stealer is a type of malware that has been causing significant disruption in the digital landscape. This malicious software infiltrates computer systems, often without the user's knowledge, via suspicious downloads, emails, or websites, and then proceeds to steal personal information, disrup
Atomic Stealer | Unspecified | 1 | Atomic Stealer is a malicious software (malware) known for its ability to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. It is designed to steal personal information, disrupt operations, and even hold data hostage for ransom. A new version
Amos | Unspecified | 1 | AMOS is a malicious software (malware) that targets Mac systems, with the ability to steal passwords, personal files, and cryptocurrency wallet information. It was first identified as part of the ClearFake campaign, which aimed to spread the macOS AMOS information stealer. The malware can infect bot
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the FakeBat malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
Malwarebytes | 4 months ago | New Go loader pushes Rhadamanthys stealer | Malwarebytes
CERT-EU | 4 months ago | The Surge of FakeBat Malware in Search-Based Malvertising Campaigns
CERT-EU | 4 months ago | FakeBat delivered via several active malvertising campaigns | Malwarebytes
CERT-EU | 9 months ago | Fake KeePass site uses Google Ads and Punycode to push malware
CERT-EU | 9 months ago | Malvertising attack uses Punycode character to spread malware through a fake "KeePass" website
CERT-EU | 9 months ago | Google ads push malicious CPU-Z app from fake Windows news site
CERT-EU | a year ago | New Malvertising Campaign Distributing Trojanized IT Tools via Google and Bing Search Ads
CERT-EU | 9 months ago | Google-Hosted Malvertising Leads To Fake Keepass Site That Looks Genuine - Slashdot
CERT-EU | 7 months ago | Microsoft Disables MSIX App Installer Protocol Widely Used in Malware Attacks | National Cyber Security Consulting
Malwarebytes | 7 months ago | New MetaStealer malvertising campaigns | Malwarebytes
Malwarebytes | 7 months ago | PikaBot distributed via malicious search ads | Malwarebytes
Malwarebytes | 7 months ago | Malvertisers zoom in on cryptocurrencies and initial access | Malwarebytes
Malwarebytes | 9 months ago | Clever malvertising attack uses Punycode to look like KeePass's official website
CERT-EU | 9 months ago | New Malvertising Campaign Uses Fake Windows News Portal to Distribute Malicious Installers
CERT-EU | 5 months ago | One year later, Rhadamanthys is still dropped via malvertising | Malwarebytes
CERT-EU | 6 months ago | Cyber Security Week In Review: January 12, 2024
CERT-EU | 7 months ago | Atomic Stealer rings in the new year with updated version | Malwarebytes
CERT-EU | 6 months ago | Updated Atomic Stealer malware emerges