FakeBat
FakeBat is a loader malware in MSI format, sold as Malware-as-a-Service and known for its anti-detection features, widely distributed through malvertising and fake browser updates using the drive-by download technique.
Sold as Malware-as-a-Service (MaaS) to a limited number of customers, FakeBat was one of the most widespread loaders using the drive-by download technique during the first half of 2024. It is commonly used to distribute payloads such as IcedID, Lumma, Redline, SmokeLoader and SectopRAT.
The Sekoia Threat Detection & Research (TDR) team identified several FakeBat distribution campaigns that leveraged malvertising, software impersonation, fake web browser updates, and social engineering schemes on social networks. They assess with high confidence that the variety of FakeBat distribution clusters reflects its diverse customer base, made up mainly of threat actors using the malware for their own operations and of operators distributing FakeBat as part of their Pay-Per-Install services.
In their blog post, they present the activities of the FakeBat operators and an analysis of previously undocumented campaigns distributing FakeBat.
IoCs, YARA rules and tracking heuristics to monitor the distribution and C2 infrastructures are also provided at the end of the report.