Exposing FakeBat loader: distribution methods and adversary infrastructure
TLP: WHITE | Author: Eugenfest (AlienVault) | Created: 2024-07-02 | Modified: 2024-08-01
242 IOCs (high volume)
During the first half of 2024, FakeBat (aka EugenLoader, PaykLoader) was one of the most widespread loaders distributed through drive-by downloads. Researchers uncovered multiple FakeBat distribution campaigns that relied on malvertising, software impersonation, fake web browser updates, and social engineering on social networks to trick users into downloading the malware. Analysts monitored the FakeBat C2 infrastructure and identified over 130 domain names attributed with high confidence to FakeBat C2 servers since August 2023. The report provides IoCs, YARA rules and tracking heuristics for monitoring the FakeBat distribution and C2 infrastructure.
MITRE ATT&CK & Malware Families
ATT&CK techniques: none listed in this pulse
Malware families: FakeBat (aliases: EugenLoader, PaykLoader)
Indicators of Compromise (5 of 242 total shown)
Indicator types present in the full pulse: FileHash-MD5, FileHash-SHA1, FileHash-SHA256, URL, domain, hostname, YARA

Type          Indicator                          Description  Created
FileHash-MD5  4f2e138b6891395a408368a9a5998304   -            2024-07-02
FileHash-MD5  55d614058f3b2f237ad7b9a63e72de0f   -            2024-07-02
FileHash-MD5  55de04d9156a8503c271d076fd4ff122   -            2024-07-02
FileHash-MD5  569d206636b75c33240ba4c1739c04d6   -            2024-07-02
FileHash-MD5  e87d897c4f2f14bf715f432c2a2c1f28   -            2024-07-02
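As an added example (not part of the pulse or of the underlying report), the script below sweeps a set of paths and flags any file whose MD5 matches one of the indicators listed above. The five digests are the ones shown on this page; the scan roots and the sample file used in the usage block are assumptions for illustration. Hash matching is an exact-bytes check only: a repacked or recompiled FakeBat sample produces a different digest, so this complements rather than replaces the YARA rules and C2 tracking heuristics the pulse refers to.

```python
import hashlib
import sys
from pathlib import Path
from typing import Dict, Iterable, Set

# FileHash-MD5 indicators as listed in this pulse (the five shown on the page).
PULSE_MD5: Set[str] = {
    "4f2e138b6891395a408368a9a5998304",
    "55d614058f3b2f237ad7b9a63e72de0f",
    "55de04d9156a8503c271d076fd4ff122",
    "569d206636b75c33240ba4c1739c04d6",
    "e87d897c4f2f14bf715f432c2a2c1f28",
}


def md5_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through MD5 so large droppers do not have to fit in memory.

    usedforsecurity=False marks this as an identifier lookup, not a security
    primitive, which also keeps it working on FIPS-restricted Python builds.
    """
    h = hashlib.md5(usedforsecurity=False)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_paths(roots: Iterable[Path], iocs: Set[str]) -> Dict[Path, str]:
    """Return {file: md5} for every regular file under `roots` whose MD5 is in `iocs`.

    Indicator feeds are inconsistent about hex case, so everything is
    normalised to lowercase before comparison. Unreadable files (permissions,
    races with deletion) are skipped rather than aborting the whole sweep.
    """
    wanted = {i.strip().lower() for i in iocs}
    hits: Dict[Path, str] = {}
    for root in roots:
        if root.is_file():
            candidates = [root]
        else:
            candidates = (p for p in root.rglob("*") if p.is_file())
        for path in candidates:
            try:
                digest = md5_of_file(path)
            except OSError:
                continue
            if digest in wanted:
                hits[path] = digest
    return hits


if __name__ == "__main__":
    # Usage: python fakebat_md5_sweep.py <dir-or-file> [...]
    # Assumed example roots: a user's Downloads folder, where drive-by
    # payloads such as fake browser updates typically land.
    roots = [Path(a) for a in sys.argv[1:]] or [Path.home() / "Downloads"]
    for path, digest in scan_paths(roots, PULSE_MD5).items():
        print(f"MATCH {digest}  {path}")
```

Run it against the download and temp directories of a suspected host; any line printed is a file whose bytes exactly equal a sample the pulse tracks. The remaining 237 indicators (SHA-1, SHA-256, URLs, domains, hostnames, YARA) are not on this page, so extend `PULSE_MD5` from the full pulse export rather than from the table above alone.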