Submitted URL: https://www.malwarebytes.com/blog/cybercrime/2024/11/hello-again-fakebat-popular-loader-returns-after-months-long-hiatus
Effective URL: https://www.malwarebytes.com/blog/news/2024/11/hello-again-fakebat-popular-loader-returns-after-months-long-hiatus
Submission Tags: @nominet_threat_intel feedly-filtered-v1.0 reference_article_link confidence_null cluster_55238293
Submission: On November 14 via api from GB — Scanned from GB
Cybercrime

HELLO AGAIN, FAKEBAT: POPULAR LOADER RETURNS AFTER MONTHS-LONG HIATUS

Posted: November 8, 2024 by Jérôme Segura

The web browser, and search engines in particular, continue to be a popular entry point for delivering malware to users. While we noted a decrease in loaders distributed via malvertising over the past three months, today's example is a reminder that threat actors can quickly switch back to tried and tested methods.

After months of absence, FakeBat (AKA Eugenloader, PaykLoader) showed up on our radar again via a malicious Google ad for the productivity application Notion. FakeBat is a loader that has been used to drop follow-up payloads such as Lumma stealer. In this blog post, we detail how criminals are targeting their victims and what final malware payload they are delivering after the initial infection.

The incident was found and reported to Google on the same day as this publication.

GOOGLE ADS DISTRIBUTION

The last time we saw FakeBat was on July 25, 2024, via a malicious ad for Calendly, a popular online scheduling application. In that instance, FakeBat's command and control infrastructure ran from utd-gochisu[.]com.

Fast forward to November 8, 2024, and we have an ad appearing at the top of a Google search for 'notion'.
That sponsored result looks entirely authentic, with an official logo and website. We already know that criminals are able to impersonate any brand of their liking simply by using a click tracker, or tracking template, in order to bypass detection.

According to Google's Ads Transparency Center, the Notion ad was shown in the following geographic locations:

Below is the network traffic from the ad URL to the payload. We can see the use of the tracking template (smart.link), followed by a cloaking domain (solomonegbe[.]com), before landing on the decoy site (notion[.]ramchhaya.com):

Why does this work and bypass Google's checks? Likely because, if the visitor is not an intended victim, the tracking template redirects them to the legitimate notion.so website, so a reviewer following the ad never sees the decoy.

FAKEBAT DROPS LUMMAC2 STEALER

After extracting the payload, we recognize the classic first-stage FakeBat PowerShell:

Security researcher and long-time FakeBat enthusiast RussianPanda was kind enough to give us a hand by looking at this installer in closer detail. After some fingerprinting to avoid sandboxes, we get this second-stage PowerShell:

Of note, the threat actors are still using the same old RastaMouse AMSI bypass script from April 2024:

The loader is obfuscated with .NET Reactor; it decrypts the embedded resource with AES and then injects the result into MSBuild.exe via process hollowing:

The decrypted payload is LummaC2 Stealer with user ID 9zXsP2.

CONCLUSION

While malicious ads delivering malware payloads have been a little rarer for the past several weeks, today's example shows that threat actors can and will make a comeback whenever the time is right. Brand impersonation via Google ads remains problematic, as anyone can leverage built-in features to appear legitimate and trick users into downloading malware.

We appreciate and would like to thank RussianPanda for the quick analysis of the payload, as well as security researcher Sqiiblydoo for reporting the malicious certificate used to sign the installer.
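The chain described above (tracking template, then cloaker, then decoy) is what lets the ad pass review while still delivering victims to a lookalike host. The following Python script is an added example, not code from the Malwarebytes post or from the operators: it walks an already-observed list of hops offline and decides whether the landing page sits under a domain the brand actually controls, comparing the registrable domain rather than looking for the brand name as a substring. The hostnames are the ones in the post's IOC list; the URL paths, the smart.link path and the BRAND_DOMAINS set are assumptions.

```python
"""Added example (not code from the Malwarebytes post): classify where a
malvertising redirect chain finally lands. Hostnames come from the post's
IOC list; the paths and the BRAND_DOMAINS set are assumptions."""
from urllib.parse import urlparse

# Registrable domains the brand controls. Assumption for this example; a real
# check would load these from the brand's own published list.
BRAND_DOMAINS = {"notion.so"}

def refang(indicator: str) -> str:
    """Turn the post's defanged 'notion[.]ramchhaya.com' back into a real host."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

def registrable_domain(host: str) -> str:
    """Last two labels of the host. Good enough for .com/.so/.sbs; a production
    tool should use the public suffix list (e.g. the tldextract package) so that
    hosts under co.uk and similar suffixes are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def classify_landing(chain: list, brand_domains=BRAND_DOMAINS) -> dict:
    """Walk an already-observed chain of URLs (first hop = ad click URL) and
    decide whether the final page is on a brand-owned domain."""
    hosts = [urlparse(refang(u)).hostname or "" for u in chain]
    final = hosts[-1]
    apex = registrable_domain(final)
    # Naive check that the decoy defeats: the brand name appears in the host.
    brand_string_present = any(b.split(".")[0] in final for b in brand_domains)
    # Correct check: the registrable domain is one the brand controls.
    on_brand_domain = apex in brand_domains
    return {
        "hops": hosts,
        "final_host": final,
        "registrable_domain": apex,
        "brand_string_present": brand_string_present,
        "on_brand_domain": on_brand_domain,
        "verdict": "legitimate" if on_brand_domain else "impersonation",
    }

# Constructed chains mirroring the post: tracking template -> cloaker -> decoy
# for an intended victim, and tracking template -> real site for anyone else.
VICTIM_CHAIN = [
    "https://smart.link/abc123",                 # tracking template (path assumed)
    "https://solomonegbe[.]com/?q=notion",       # cloaking domain from the IOCs
    "https://notion[.]ramchhaya.com/download",   # decoy site from the IOCs
]
NON_TARGET_CHAIN = [
    "https://smart.link/abc123",
    "https://www.notion.so/",                    # cloaker sends non-targets here
]

if __name__ == "__main__":
    for chain in (VICTIM_CHAIN, NON_TARGET_CHAIN):
        result = classify_landing(chain)
        print(" -> ".join(result["hops"]), ":", result["verdict"])
```

For the victim chain the substring check reports the brand name as present (the decoy host begins with "notion"), while the registrable-domain check correctly reports ramchhaya.com and an impersonation verdict; for the non-target chain both agree. The same difference is why ad-review tooling that only looks at the first hop, or only at the displayed URL, is satisfied by this setup.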
INDICATORS OF COMPROMISE

Malvertising chain
solomonegbe[.]com
notion[.]ramchhaya.com

Malicious Notion URL
furnotilioin[.]site/Notion[.]appx

Malicious Notion installer (SHA-256)
34c46b358a139f1a472b0120a95b4f21d32be5c93bc2d1a5608efb557aa0b9de

FakeBat C2
ghf-gopp1rip[.]com

1.jar (PaykRunPE) (SHA-256)
2de8a18814cd66704edec08ae4b37e466c9986540da94cd61b2ca512d495b91a

LummaC2 (decrypted payload) (SHA-256)
de64c6a881be736aeecbf665709baa89e92acf48c34f9071b8a29a5e53802019

JwefqUQWCg (encrypted resource) (SHA-256)
6341d1b4858830ad691344a7b88316c49445754a98e7fd4a39a190c590e8a4db

Malicious URLs
furliumalerer[.]site/1.jar
pastebin[.]pl/view/raw/a58044c5

LummaC2 Stealer C2s
rottieud[.]sbs
relalingj[.]sbs
repostebhu[.]sbs
thinkyyokej[.]sbs
tamedgeesy[.]sbs
explainvees[.]sbs
brownieyuz[.]sbs
slippyhost[.]cfd
ducksringjk[.]sbs
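The indicators above, together with the behaviour described in the analysis section (a loader that hollows MSBuild.exe, and LummaC2 beaconing to the listed .sbs and .cfd hosts), are only useful once they run against telemetry. This Python script is an added example, not the post's own code and not a Malwarebytes detection: it refangs the post's domain and hash indicators and applies them, plus two MSBuild.exe heuristics, to a handful of constructed Sysmon-style events. The event field names, the parent-process allowlist and the sample paths (the victim user name, a setup.exe under Temp) are assumptions; pastebin[.]pl is deliberately not treated as a bad domain, because only one URL on that public paste site is malicious.

```python
"""Added example (not code from the Malwarebytes post): apply the post's
IOCs and the MSBuild.exe hollowing behaviour it describes to constructed
Sysmon-style events. The event field names are a simplified schema assumed
for this example, not Sysmon's exact layout."""
import json

# Domains from the post's IOC section, kept defanged as published. pastebin[.]pl
# is left out on purpose: matching the whole host would flood an analyst with
# false positives, so that indicator is only usable at URL level.
IOC_DOMAINS_DEFANGED = [
    "solomonegbe[.]com", "notion[.]ramchhaya.com", "furnotilioin[.]site",
    "ghf-gopp1rip[.]com", "furliumalerer[.]site",
    "rottieud[.]sbs", "relalingj[.]sbs", "repostebhu[.]sbs", "thinkyyokej[.]sbs",
    "tamedgeesy[.]sbs", "explainvees[.]sbs", "brownieyuz[.]sbs", "slippyhost[.]cfd",
    "ducksringjk[.]sbs",
]
IOC_HASHES = {  # SHA-256 values from the post
    "34c46b358a139f1a472b0120a95b4f21d32be5c93bc2d1a5608efb557aa0b9de": "Notion.appx (FakeBat installer)",
    "2de8a18814cd66704edec08ae4b37e466c9986540da94cd61b2ca512d495b91a": "1.jar (PaykRunPE)",
    "de64c6a881be736aeecbf665709baa89e92acf48c34f9071b8a29a5e53802019": "LummaC2 (decrypted payload)",
}
# Parents that legitimately launch MSBuild.exe. An assumption; tune per environment.
BUILD_TOOL_PARENTS = ("\\devenv.exe", "\\msbuild.exe", "\\dotnet.exe")

def refang(indicator):
    return indicator.replace("[.]", ".")

IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

def matches_ioc_domain(host):
    """True for the IOC host itself or any subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def evaluate(ev):
    """Return the alerts one event raises (empty list = nothing notable)."""
    alerts = []
    image = ev.get("image", "").lower()
    is_msbuild = image.endswith("\\msbuild.exe")
    if ev["type"] == "process_create" and is_msbuild:
        parent = ev.get("parent_image", "").lower()
        if not parent.endswith(BUILD_TOOL_PARENTS):
            alerts.append(f"MSBuild.exe started by non-build-tool parent {parent}")
        # A hollowing host is usually started bare; a real build passes a project file.
        if len(ev.get("command_line", "").split()) <= 1:
            alerts.append("MSBuild.exe started with no project file argument")
    elif ev["type"] == "file_create" and ev.get("sha256") in IOC_HASHES:
        alerts.append(f"known-bad file hash: {IOC_HASHES[ev['sha256']]}")
    elif ev["type"] == "network_connect":
        host = ev.get("dest_host", "")
        if matches_ioc_domain(host):
            alerts.append(f"connection to IOC domain {host}")
        if is_msbuild:  # LummaC2 running inside hollowed MSBuild.exe beacons from it
            alerts.append(f"MSBuild.exe made an outbound connection to {host}")
    return alerts

def scan(log_text):
    """Run evaluate() over newline-delimited JSON events; returns (id, alert) pairs."""
    hits = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        hits.extend((ev["id"], a) for a in evaluate(ev))
    return hits

# Constructed events: the user name, Temp path and setup.exe name are invented.
SAMPLE_LOG = r"""
{"id": 1, "type": "process_create", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "powershell.exe"}
{"id": 2, "type": "file_create", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "target": "C:\\Users\\victim\\Downloads\\Notion.appx", "sha256": "34c46b358a139f1a472b0120a95b4f21d32be5c93bc2d1a5608efb557aa0b9de"}
{"id": 3, "type": "process_create", "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe", "parent_image": "C:\\Users\\victim\\AppData\\Local\\Temp\\setup.exe", "command_line": "\"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe\""}
{"id": 4, "type": "network_connect", "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe", "dest_host": "rottieud.sbs", "dest_port": 443}
{"id": 5, "type": "process_create", "image": "C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe", "parent_image": "C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\IDE\\devenv.exe", "command_line": "MSBuild.exe ContosoApp.csproj /t:Build"}
{"id": 6, "type": "network_connect", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "dest_host": "www.notion.so", "dest_port": 443}
"""

if __name__ == "__main__":
    for event_id, alert in scan(SAMPLE_LOG):
        print(f"event {event_id}: {alert}")
```

Events 3 and 4 each raise two alerts (bare MSBuild.exe under a non-build parent, then MSBuild.exe talking to a LummaC2 C2), event 2 matches the installer hash, and the legitimate Visual Studio build and browser traffic in events 5 and 6 stay silent. The domain and hash matches will age quickly as the operators rotate infrastructure; the MSBuild.exe lineage and network heuristics are the part worth keeping, with the parent allowlist adjusted for developer workstations.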
ABOUT THE AUTHOR
Jérôme Segura, Sr Director, Research