In a troubling development, cybersecurity experts have identified a sharp increase in malware infections, traced back to deceptive online ads that are spreading a malicious software loader known as FakeBat. These covert campaigns are catching users off guard, leading to widespread security breaches.
Since mid-2023, Mandiant Managed Defense has responded to a surge in malware infections originating from malvertising campaigns.
“These attacks are opportunistic in nature, targeting users seeking popular business software. The infection utilizes a trojanized MSIX installer, which executes a PowerShell script to download a secondary payload,” the Mandiant Managed Defense team said in a technical report.
“Our research into NUMOZYLOD reveals an interesting glimpse into the growing and thriving underground economy, where threat actors actively seek out partners to fulfill the supply and demand for specialized tools and services for their objectives. It also highlights how threat actors are exploiting MSIX to covertly bundle and distribute malware alongside legitimate software.”
Mandiant tracks this PowerShell script as NUMOZYLOD and attributes its distribution to UNC4536, a threat actor operating under the moniker “eugenfest.” The actor is part of a Malware-as-a-Service (MaaS) operation that distributes malware such as ICEDID, REDLINESTEALER, CARBANAK, LUMMASTEALER, and ARECHCLIENT2.
NUMOZYLOD is also known as FakeBat, EugenLoader and PaykLoader.
Mandiant added that UNC4536’s modus operandi involves leveraging malvertising to distribute trojanized MSIX installers disguised as popular software like Brave, KeePass, Notion, Steam, and Zoom. UNC4536 operates primarily as a malware distributor, with FakeBat serving as a vehicle to deliver next-stage payloads to their business partners, such as FIN7.
“These trojanized MSIX installers are hosted on websites designed to mimic legitimate software hosting sites, luring users into downloading them.”
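A defender-side triage check for the MSIX angle described above, added here as an example and not code from Mandiant's report: it opens an MSIX package (a zip archive with AppxManifest.xml at its root), reports the package identity from the manifest, and lists any bundled script files. The package it inspects is constructed inline, and the file names inside it are assumptions.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace used by the MSIX/AppX package manifest (AppxManifest.xml).
APPX_NS = "{http://schemas.microsoft.com/appx/manifest/foundation/windows10}"
SCRIPT_SUFFIXES = (".ps1", ".psm1", ".bat", ".cmd", ".vbs", ".js")


def triage_msix(data: bytes) -> dict:
    """Return the package identity plus any script files bundled in the package.

    MSIX packages are zip archives; the manifest sits at the archive root.
    """
    report = {"name": None, "publisher": None, "scripts": [], "manifest_ok": False}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = pkg.namelist()
        if "AppxManifest.xml" in names:
            root = ET.fromstring(pkg.read("AppxManifest.xml"))
            ident = root.find(f"{APPX_NS}Identity")
            if ident is not None:
                report["name"] = ident.get("Name")
                report["publisher"] = ident.get("Publisher")
                report["manifest_ok"] = True
        # Any script shipped inside the package is worth a look before install.
        report["scripts"] = sorted(n for n in names if n.lower().endswith(SCRIPT_SUFFIXES))
    report["suspicious"] = bool(report["scripts"])
    return report


def build_sample_package() -> bytes:
    """Constructed sample: an MSIX-shaped zip that bundles a PowerShell script."""
    manifest = (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">'
        '<Identity Name="Example.Notepad" Publisher="CN=Example Publisher" Version="1.0.0.0"/>'
        "</Package>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("AppxManifest.xml", manifest)
        pkg.writestr("VFS/ProgramFilesX64/app/app.exe", b"MZ-placeholder")  # assumed path
        pkg.writestr("scripts/setup.ps1", "# constructed placeholder, does nothing\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_msix(build_sample_package()))
```

A script hit is a triage lead rather than a verdict, since packages built with the Package Support Framework can carry scripts legitimately; the value is in pairing it with the manifest publisher and the download source.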
NUMOZYLOD collects detailed system information, including operating system specifics, domain membership, and installed antivirus software. Some variants also capture the host’s public IPv4 and IPv6 addresses and transmit this data to its command and control (C2) server.
In some variants, NUMOZYLOD creates a shortcut (.lnk) in the Startup folder to persist across reboots.
“As a part of a Malware-as-a-Service (MaaS) operation, NUMOZYLOD completes its mission upon the successful deployment of the second-stage malware from its C2 server and hands it over to its buyer for the subsequent mission,” said Mandiant.