Another interesting aspect is the diversity of the latest campaigns. For a while, we saw the same software brands (Parsec, Freecad) being impersonated over and over again. With this latest wave of FakeBat malvertising, we are seeing many different brands being targeted.<\/p>\n
All the incidents described in this blog have been reported to Google.<\/p>\n
New redirection chain<\/h2>\n
During the past several weeks, FakeBat malvertising campaigns used two kinds of ad URLs. As observed in other malvertising campaigns, they were abusing URL\/analytics shorteners which are ideal for cloaking. That practice enables a threat actor to use a ‘good’ or ‘bad’ destination URL based on their own defined parameters (time of day, IP address, user-agent, etc.).<\/p>\n The other type of redirect was using subdomains from expired and sitting .com<\/em> domains reassigned for malicious purposes. This is a common trick to give the illusion of credibility. However, in the most recent malvertising campaigns we see the threat actor abusing legitimate websites that appear to have been compromised.<\/p>\n It’s worth noting that the few examples we found were all Argentinian-based (.ar TLD):<\/p>\n Victims click on the ad which sends a request to those hacked sites. Because the request contains the Google referer, the threat actor is able to serve a conditional redirect to their own malicious site:<\/p>\n The full infection chain can be summarized in the web traffic image seen below:<\/p>\n There are currently several campaigns running including OneNote, Epic Games, Ginger and even the Braavos smart wallet application. A number of those malicious domains can be found on Russian-based hoster DataLine (78.24.180[.]93).<\/p>\n Each downloaded file is an MSIX installer signed with a valid digital certificate (Consoneai Ltd). <\/p>\n Once extracted, each installer contains more or less the same files with a particular PowerShell script:<\/p>\n When the installer is ran, this PowerShell script will execute and connect to the attacker’s command and control server. Victims of interest will be cataloged for further use.<\/p>\n FakeBat continues to be a threat to businesses via malicious ads for popular software downloads. The malware distributors are able to bypass Google’s security checks and redirect victims to deceiving websites.<\/p>\n It is as important to defend against the supporting infrastructure as the malware payloads. However, that is not always easy since legitimate websites may be used to defeat domain blocklists. As always, blocking ads at the source via system policies such as ThreatDown DNS Filter<\/a>, remains one the most effective ways to stop malvertising attacks in their tracks.<\/p>\n Hacked sites<\/strong><\/p>\n Decoy sites<\/strong><\/p>\n Download URLs<\/strong><\/p>\n File hashes<\/strong><\/p>\n![\"\"](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/03\/image_af32ce.png\")
<\/figure>\n![\"\"](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/03\/image_378dc2.png\")
<\/figure>\n![\"\"](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/03\/image_abea74.png\")
<\/figure>\n![\"\"](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/03\/image_28594e.png\")
<\/figure>\n![\"\"](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/03\/image_299041.png\")
<\/figure>\nSeveral active brand impersonations<\/h2>\n
![\"\"](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/03\/image_cbb61a.png\")
<\/figure>\n![\"\"](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/03\/image_f75479.png\")
<\/figure>\n![\"\"](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/03\/image_61bdbf.png\")
<\/figure>\nConclusion<\/h2>\n
Indicators of Compromise<\/h2>\n
cecar[.]com[.]ar estiloplus[.]tur[.]ar<\/pre>\n
obs-software[.]cc bandi-cam[.]cc breavas[.]app open-project[.]org onenote-download[.]com epicgames-store[.]org blcnder[.]org<\/pre>\n
bezynet[.]com\/OBS-Studio-30[.]0[.]2-Full-Installer-x64[.]msix bezynet[.]com\/Bandicam_7[.]21_win64[.]msix church-notes[.]com\/Braavos-Wallet[.]msix church-notes[.]com\/Epic-Games_Setup[.]msix church-notes[.]com\/Onenote_setup[.]msix<\/pre>\n
07b0c5e7d77629d050d256fa270d21a152b6ef8409f08ecc47899253aff78029
0d906e43ddf453fd55c56ccd6132363ef4d66e809d5d8a38edea7622482c1a7a
15ce7b4e6decad4b78fe6727d97692a8f5fd13d808da18cb9d4ce51801498ad8
40c9b735d720eeb83c85aae8afe0cc136dd4a4ce770022a221f85164a5ff14e5
f7fbf33708b385d27469d925ca1b6c93b2c2ef680bc4096657a1f9a30e4b5d18<\/pre>\n