Malware-as-a-service operation UNC4536 has used malvertising targeting widely used software to deliver trojanized MSIX installers carrying the FakeBat malware loader, also known as PaykLoader, EugenLoader, and NUMOZYLOD, The Hacker News reports.
Typosquatted domains mimicking legitimate sites have been used to host the MSIX installers, which not only spoof Zoom, KeePass, Steam, and other popular software but also allow scripts to run before the application is deployed, according to an analysis by the Mandiant Managed Defense team. FakeBat then exfiltrates the compromised system's operating system, domain, and antivirus details, along with its public IPv4 and IPv6 addresses, before delivering payloads including SectopRAT, Carbanak, RedLine Stealer, IcedID, and Lumma Stealer, the Mandiant researchers reported. The findings follow an earlier Mandiant study detailing data theft and cryptojacking attacks against Italian organizations by the financially motivated threat operation UNC4990, which involved the EMPTYSPACE malware loader, also known as Vetta Loader and BrokerLoader.
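The pre-deployment script execution mentioned above is, in legitimate packages, provided by the Package Support Framework (PSF), which reads a `config.json` inside the MSIX container and runs any `startScript` or `endScript` it declares. A defender triaging a downloaded installer can open the package as the ZIP archive it is and look for those hooks. The following Python is an added example written for this page, not code from Mandiant, The Hacker News, or any project they describe; the PSF key names (`applications`, `startScript`, `endScript`, `scriptPath`, `waitForScriptToFinish`, `runOnce`) are taken from the PSF configuration format, and the two sample packages it builds in memory are constructed stand-ins, not real installers.

```python
import io
import json
import zipfile

# File names and extensions the inspector treats as script hooks. The PSF
# config name is a PSF convention; the extension list is an assumption to
# tune for your environment.
PSF_CONFIG_NAME = "config.json"
SCRIPT_SUFFIXES = (".ps1", ".bat", ".cmd", ".vbs", ".js")


def inspect_msix(package: bytes) -> dict:
    """Summarise pre-launch script hooks found in an MSIX/APPX package.

    An MSIX is a ZIP container. This looks for (a) a PSF config.json that
    declares startScript/endScript entries and (b) any script files shipped
    inside the package, whether or not the config references them.
    """
    findings = {"psf_config": False, "start_scripts": [], "embedded_scripts": [], "errors": []}
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for name in zf.namelist():
            base = name.rsplit("/", 1)[-1].lower()
            if base.endswith(SCRIPT_SUFFIXES):
                findings["embedded_scripts"].append(name)
            if base != PSF_CONFIG_NAME:
                continue
            findings["psf_config"] = True
            try:
                cfg = json.loads(zf.read(name))
            except ValueError:
                findings["errors"].append(f"unparseable {name}")
                continue
            for app in cfg.get("applications", []):
                for key in ("startScript", "endScript"):
                    hook = app.get(key)
                    if isinstance(hook, dict) and hook.get("scriptPath"):
                        findings["start_scripts"].append({
                            "app": app.get("id"),
                            "hook": key,
                            "path": hook["scriptPath"],
                            # A script the launcher waits on runs to completion before the app appears.
                            "wait": bool(hook.get("waitForScriptToFinish", False)),
                        })
    return findings


def is_suspicious(findings: dict) -> bool:
    """A package that declares or ships any script deserves a closer look before install."""
    return bool(findings["start_scripts"]) or bool(findings["embedded_scripts"])


def build_sample(with_script: bool) -> bytes:
    """Constructed sample package for demonstration only; not a real installer."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AppxManifest.xml", "<Package><Identity Name='Example.App'/></Package>")
        if with_script:
            cfg = {"applications": [{
                "id": "App",
                "executable": "PsfLauncher32.exe",  # constructed value
                "startScript": {"scriptPath": "setup.ps1", "runOnce": False,
                                "waitForScriptToFinish": True},
            }]}
            zf.writestr("config.json", json.dumps(cfg))
            zf.writestr("setup.ps1", "# placeholder script body (constructed)\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, pkg in (("benign", build_sample(False)), ("hooked", build_sample(True))):
        result = inspect_msix(pkg)
        print(label, "suspicious" if is_suspicious(result) else "clean", result)
```

Run it against a downloaded `.msix` by reading the file's bytes into `inspect_msix`; a package that pulls in a script hook or carries loose script files is not necessarily malicious (PSF is used by legitimate repackaged applications), but for an installer fetched from an ad-served or look-alike domain it is the detail worth examining before anything is installed.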