{
  "name": "Exposing FakeBat loader: distribution methods and adversary infrastructure",
  "slug": "exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure",
  "description": "During the first half of 2024, FakeBat (aka EugenLoader, PaykLoader) was one of the most widespread loaders using the drive-by download technique. Researchers uncovered multiple FakeBat distribution campaigns leveraging malvertising, software impersonation, fake web browser updates, and social engineering schemes on social networks to trick users into downloading the malware. Analysts monitored the FakeBat C2 infrastructure and identified over 130 domain names associated with high confidence with FakeBat C2 servers since August 2023. The report provides IoCs, YARA rules and tracking heuristics for monitoring the FakeBat distribution and C2 infrastructures.",
  "published": "2024-07-02T06:33:34+00:00",
  "created_at": "2024-07-02T06:33:34+00:00",
  "modified_at": "2024-07-02T07:28:06+00:00",
  "created_at_opencti": "2024-07-02T06:33:34+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-07-02",
    "drive-by-download",
    "eugenfest",
    "eugenloader",
    "fakebat",
    "loader",
    "malvertising",
    "payk_34",
    "paykloader",
    "social engineering"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "194.36.191.196"
      },
      {
        "id": "",
        "name": "62.204.41.98"
      },
      {
        "id": "",
        "name": "185.198.59.26"
      },
      {
        "id": "",
        "name": "www.womansvitamin.com"
      },
      {
        "id": "",
        "name": "https://utr-jopass.com/buy/"
      },
      {
        "id": "",
        "name": "https://monkeybeta.com/build/AnyDesk-x86.msix"
      },
      {
        "id": "",
        "name": "https://photoshop-adobe.shop/download/dwnl.php"
      },
      {
        "id": "",
        "name": "https://getmess.download/Getmess.msix"
      },
      {
        "id": "",
        "name": "https://brow-ser-update.top/download/dwnl.php"
      },
      {
        "id": "",
        "name": "https://app.getmess.io/download/dwnl.php"
      },
      {
        "id": "",
        "name": "https://brow-ser-update.top/GoogleChrome-x86.msix"
      },
      {
        "id": "",
        "name": "https://app.getmess.io/"
      },
      {
        "id": "",
        "name": "https://3010cars.top/?status=start&av=Names&domain=$domain&os=$urlEncodedOsCaption"
      },
      {
        "id": "",
        "name": "https://amydlesk.com/download/dwnl.php"
      },
      {
        "id": "",
        "name": "http://utd-corts.com/buy/"
      },
      {
        "id": "",
        "name": "http://clk-info.site/?status=install"
      },
      {
        "id": "",
        "name": "http://clk-info.site/?status=start&av=Windows%20Defender"
      },
      {
        "id": "",
        "name": "notion.officespacesearchdc.com"
      },
      {
        "id": "",
        "name": "notion.kyngsacademy.com"
      },
      {
        "id": "",
        "name": "notion.ilusofficial.com"
      },
      {
        "id": "",
        "name": "notion.findreaders.com"
      },
      {
        "id": "",
        "name": "utr-provit.com"
      },
      {
        "id": "",
        "name": "utr-krubz.com"
      },
      {
        "id": "",
        "name": "utr-jopass.com"
      },
      {
        "id": "",
        "name": "utr-gavlup.com"
      },
      {
        "id": "",
        "name": "utm-msh.com"
      },
      {
        "id": "",
        "name": "utm-fukap.com"
      },
      {
        "id": "",
        "name": "utm-drmka.com"
      },
      {
        "id": "",
        "name": "utm-advrez.com"
      },
      {
        "id": "",
        "name": "utm-adsgoogle.com"
      },
      {
        "id": "",
        "name": "utm-adschuk.com"
      },
      {
        "id": "",
        "name": "utd-horipsy.com"
      },
      {
        "id": "",
        "name": "utm-adrooz.com"
      },
      {
        "id": "",
        "name": "utd-gochisu.com"
      },
      {
        "id": "",
        "name": "utd-corts.com"
      },
      {
        "id": "",
        "name": "utd-forts.com"
      },
      {
        "id": "",
        "name": "usm-pontic.com"
      },
      {
        "id": "",
        "name": "urd-apdaps.com"
      },
      {
        "id": "",
        "name": "updaterdrivers.com"
      },
      {
        "id": "",
        "name": "udr-offdips.com"
      },
      {
        "id": "",
        "name": "trustdwnl.ru"
      },
      {
        "id": "",
        "name": "trust-flare.ru"
      },
      {
        "id": "",
        "name": "trust-flare.site"
      },
      {
        "id": "",
        "name": "topttr.com"
      },
      {
        "id": "",
        "name": "test-pn.site"
      },
      {
        "id": "",
        "name": "test-pn.ru"
      },
      {
        "id": "",
        "name": "rabby.pro"
      },
      {
        "id": "",
        "name": "prkl-ads.site"
      },
      {
        "id": "",
        "name": "prkl-ads.ru"
      },
      {
        "id": "",
        "name": "photoshop-adobe.shop"
      },
      {
        "id": "",
        "name": "notlon.top"
      },
      {
        "id": "",
        "name": "notlilon.co"
      },
      {
        "id": "",
        "name": "notliion.com"
      },
      {
        "id": "",
        "name": "notiron.org"
      },
      {
        "id": "",
        "name": "notiorn.org"
      },
      {
        "id": "",
        "name": "notion.li"
      },
      {
        "id": "",
        "name": "notion.help"
      },
      {
        "id": "",
        "name": "notion-loads.com"
      },
      {
        "id": "",
        "name": "notilon.co"
      },
      {
        "id": "",
        "name": "notilion.co"
      },
      {
        "id": "",
        "name": "noltlion.com"
      },
      {
        "id": "",
        "name": "newtorpan.site"
      },
      {
        "id": "",
        "name": "newtorpan.ru"
      },
      {
        "id": "",
        "name": "new-prok.site"
      },
      {
        "id": "",
        "name": "new-prok.ru"
      },
      {
        "id": "",
        "name": "monkeybeta.com"
      },
      {
        "id": "",
        "name": "infocdn-111.xyz"
      },
      {
        "id": "",
        "name": "infocdn-111.site"
      },
      {
        "id": "",
        "name": "infocdn-111.online"
      },
      {
        "id": "",
        "name": "gotrustfear.site"
      },
      {
        "id": "",
        "name": "gotrustfear.ru"
      },
      {
        "id": "",
        "name": "getmess.io"
      },
      {
        "id": "",
        "name": "ganalytics-api.com"
      },
      {
        "id": "",
        "name": "fresh-prok.site"
      },
      {
        "id": "",
        "name": "fresh-prok.ru"
      },
      {
        "id": "",
        "name": "findreaders.com"
      },
      {
        "id": "",
        "name": "dns-inform.top"
      },
      {
        "id": "",
        "name": "cornbascet.site"
      },
      {
        "id": "",
        "name": "cornbascet.ru"
      },
      {
        "id": "",
        "name": "clk-info.site"
      },
      {
        "id": "",
        "name": "clk-info.ru"
      },
      {
        "id": "",
        "name": "clk-brood.top"
      },
      {
        "id": "",
        "name": "clk-brood.online"
      },
      {
        "id": "",
        "name": "clk-brom.site"
      },
      {
        "id": "",
        "name": "clk-brom.ru"
      },
      {
        "id": "",
        "name": "cdn-new-dwnl.ru"
      },
      {
        "id": "",
        "name": "cdn-dwnld.site"
      },
      {
        "id": "",
        "name": "cdn-dwnld.ru"
      },
      {
        "id": "",
        "name": "cdn-ads.site"
      },
      {
        "id": "",
        "name": "cdn-ads.ru"
      },
      {
        "id": "",
        "name": "brow-ser-update.top"
      },
      {
        "id": "",
        "name": "bienvenido.com"
      },
      {
        "id": "",
        "name": "anydesk.best"
      },
      {
        "id": "",
        "name": "amydlesk.com"
      },
      {
        "id": "",
        "name": "aipanelnew.site"
      },
      {
        "id": "",
        "name": "aipanelnew.ru"
      },
      {
        "id": "",
        "name": "ads-work.xyz"
      },
      {
        "id": "",
        "name": "advancedipscannerapp.com"
      },
      {
        "id": "",
        "name": "ads-work.top"
      },
      {
        "id": "",
        "name": "ads-work.site"
      },
      {
        "id": "",
        "name": "ads-tooth.xyz"
      },
      {
        "id": "",
        "name": "ads-strong.xyz"
      },
      {
        "id": "",
        "name": "ads-strong.top"
      },
      {
        "id": "",
        "name": "ads-strong.site"
      },
      {
        "id": "",
        "name": "ads-star.xyz"
      },
      {
        "id": "",
        "name": "ads-star.top"
      },
      {
        "id": "",
        "name": "ads-star.site"
      },
      {
        "id": "",
        "name": "ads-star.online"
      },
      {
        "id": "",
        "name": "ads-moon.xyz"
      },
      {
        "id": "",
        "name": "ads-moon.top"
      },
      {
        "id": "",
        "name": "ads-info.ru"
      },
      {
        "id": "",
        "name": "ads-info.site"
      },
      {
        "id": "",
        "name": "ads-hoop.xyz"
      },
      {
        "id": "",
        "name": "ads-hoop.top"
      },
      {
        "id": "",
        "name": "ads-forget.top"
      },
      {
        "id": "",
        "name": "ads-eagle.xyz"
      },
      {
        "id": "",
        "name": "ads-eagle.top"
      },
      {
        "id": "",
        "name": "ads-creep.xyz"
      },
      {
        "id": "",
        "name": "ads-creep.top"
      },
      {
        "id": "",
        "name": "ads-change.xyz"
      },
      {
        "id": "",
        "name": "ads-change.top"
      },
      {
        "id": "",
        "name": "ads-change.site"
      },
      {
        "id": "",
        "name": "ads-change.online"
      },
      {
        "id": "",
        "name": "ads-analyze.xyz"
      },
      {
        "id": "",
        "name": "ads-analyze.site"
      },
      {
        "id": "",
        "name": "ads-analyze.online"
      },
      {
        "id": "",
        "name": "999-ads-info.top"
      },
      {
        "id": "",
        "name": "98762341tdgi.xyz"
      },
      {
        "id": "",
        "name": "98762341tdgi.top"
      },
      {
        "id": "",
        "name": "98762341tdgi.site"
      },
      {
        "id": "",
        "name": "98762341tdgi.online"
      },
      {
        "id": "",
        "name": "875jhrfks.top"
      },
      {
        "id": "",
        "name": "756-ads-info.xyz"
      },
      {
        "id": "",
        "name": "756-ads-info.top"
      },
      {
        "id": "",
        "name": "756-ads-info.site"
      },
      {
        "id": "",
        "name": "465jsdlkd.top"
      },
      {
        "id": "",
        "name": "364klhjsfsl.top"
      },
      {
        "id": "",
        "name": "343-ads-info.top"
      },
      {
        "id": "",
        "name": "3010offers.xyz"
      },
      {
        "id": "",
        "name": "3010offers.top"
      },
      {
        "id": "",
        "name": "3010offers.site"
      },
      {
        "id": "",
        "name": "3010offers.online"
      },
      {
        "id": "",
        "name": "3010cars.xyz"
      },
      {
        "id": "",
        "name": "3010cars.top"
      },
      {
        "id": "",
        "name": "3010cars.site"
      },
      {
        "id": "",
        "name": "3010cars.online"
      },
      {
        "id": "",
        "name": "2610kjhsda.xyz"
      },
      {
        "id": "",
        "name": "2610kjhsda.top"
      },
      {
        "id": "",
        "name": "2610kjhsda.site"
      },
      {
        "id": "",
        "name": "2610kjhsda.online"
      },
      {
        "id": "",
        "name": "2610asdkj.xyz"
      },
      {
        "id": "",
        "name": "2610asdkj.top"
      },
      {
        "id": "",
        "name": "2610asdkj.site"
      },
      {
        "id": "",
        "name": "2610asdkj.online"
      },
      {
        "id": "",
        "name": "2311forget.xyz"
      },
      {
        "id": "",
        "name": "2311forget.online"
      },
      {
        "id": "",
        "name": "2311forget.site"
      },
      {
        "id": "",
        "name": "1212stars.top"
      },
      {
        "id": "",
        "name": "1212stars.xyz"
      },
      {
        "id": "",
        "name": "1212stars.site"
      },
      {
        "id": "",
        "name": "1212stars.online"
      },
      {
        "id": "",
        "name": "11234jkhfkujhs.xyz"
      },
      {
        "id": "",
        "name": "11234jkhfkujhs.online"
      },
      {
        "id": "",
        "name": "0909kses.top"
      },
      {
        "id": "",
        "name": "0212top.top"
      },
      {
        "id": "",
        "name": "0212top.xyz"
      },
      {
        "id": "",
        "name": "0212top.site"
      },
      {
        "id": "",
        "name": "0212top.online"
      },
      {
        "id": "",
        "name": "puttyy.ca"
      },
      {
        "id": "",
        "name": "pputy.com"
      },
      {
        "id": "",
        "name": "ads-pill.xyz"
      },
      {
        "id": "",
        "name": "ads-pill.top"
      },
      {
        "id": "",
        "name": "ads-analyze.top"
      },
      {
        "id": "",
        "name": "ads-strong.online"
      },
      {
        "id": "",
        "name": "2311foreign.xyz"
      },
      {
        "id": "",
        "name": "11234jkhfkujhs.top"
      },
      {
        "id": "",
        "name": "11234jkhfkujhs.site"
      },
      {
        "id": "",
        "name": "loader_fakebat_powershell_fingerprint_may24"
      },
      {
        "id": "",
        "name": "loader_fakebat_initial_powershell_may24"
      },
      {
        "id": "",
        "name": "getmess.download"
      },
      {
        "id": "",
        "name": "f3ebb23bdcc7ac016d958c1a057152636bc2372b3a059bf49675882f64105068"
      },
      {
        "id": "",
        "name": "f8ab48848ab915d1b23e3ee51dd20a2699bd4f277bde218a727d7a55a572d174"
      },
      {
        "id": "",
        "name": "f312e59be5ddbf857d92de506d55ae267800b0cbc2b82665ce63c889a7ae9414"
      },
      {
        "id": "",
        "name": "f0f77c85c7da4391e34d106c4b5f671eb606ba695dc11401a6ee8ae53e337cbe"
      },
      {
        "id": "",
        "name": "f138728ce2cc87201a51c9250fa87cbab20354012a8f566e1b2cd776cc1a66af"
      },
      {
        "id": "",
        "name": "f1d72a27147c42a4f4baf3e10a6f03988c70546bb174a1025553a8319717ba95"
      },
      {
        "id": "",
        "name": "f0e0aea32962a8a4aecd0c4b0329dc7e901fa5b103f0b03563cf9705d751bbe1"
      },
      {
        "id": "",
        "name": "e3f18df1d8f5e27a41221246cc63236487c56354ba0c926a3fdaea70db901adb"
      },
      {
        "id": "",
        "name": "e5b94c001fc3c1c1aa35c71a3d1e9909124339e0ade09f897b918fe0729c12e1"
      },
      {
        "id": "",
        "name": "d1da457b0891b68df16ce86e2a48a799b9528c1631bccc379623551f873c0eed"
      },
      {
        "id": "",
        "name": "d069437eda843bd7a675a1cca7fd4922803833f39265d951fa01e7ad8e662c60"
      },
      {
        "id": "",
        "name": "c336d98d8d4810666ee4693e8c3a2a34191bad864d6b46e468a7eed36e7085f4"
      },
      {
        "id": "",
        "name": "cea1c4f2229e7aa0167c07e22a3809f42ec931332da7cc28f7d14b9e702af66b"
      },
      {
        "id": "",
        "name": "b5ed2f42359e809bf171183a444457c378355d07b414f5828e1e4f7b35bb505f"
      },
      {
        "id": "",
        "name": "ae641dda420f2cf63ac29804f7009ba1c248c702679fbccef35e4d9319d77d2d"
      },
      {
        "id": "",
        "name": "b7aa4697e16bbafe0df02ab3b8d0be8ec6e4abf6e6ca7d787d3d3684ca8f4b63"
      },
      {
        "id": "",
        "name": "9e800a05e65efe923a35815157129652980f03cbcf95cf0d64676f6da73471de"
      },
      {
        "id": "",
        "name": "aa998fde06a6a6ab37593c054333e192ce4706a14d210d8fc6c0de3fd2d74ce2"
      },
      {
        "id": "",
        "name": "9aa39f017b50dcc2214ce472d3967721c676a7826030c2e34cb95c495dba4960"
      },
      {
        "id": "",
        "name": "96bd6abb1c8ec2ede22b915a11b97c0cd44c1f5ed1cda8bee0acfee290f8f580"
      }
    ],
    "malware": [
      {
        "id": "32c678fd-ef77-447c-a9da-3b85c64de06c",
        "name": "PaykLoader",
        "slug": "paykloader"
      },
      {
        "id": "3a2c8d4d-a842-4e79-977a-695295907db2",
        "name": "EugenLoader",
        "slug": "eugenloader"
      },
      {
        "id": "legacy:malware:d92d9f82134e2fd1",
        "name": "FakeBat",
        "slug": "fakebat"
      }
    ],
    "intrusion_sets": [
      {
        "id": "1697279b-27d6-47b8-b94c-6ba298287dc0",
        "name": "Eugenfest",
        "slug": "eugenfest"
      }
    ],
    "attack_patterns": [
      {
        "id": "4bbdf41c-817c-448a-9513-aaea6bfbe8b4",
        "name": "T1568"
      },
      {
        "id": "146a6f45-ec55-4d0e-a38c-1b614c3f72d2",
        "name": "T1193"
      },
      {
        "id": "4d36ebe8-4925-419a-bdd5-73f6427a975d",
        "name": "T1064"
      },
      {
        "id": "fe6f2946-a01e-460c-9636-8c48b45dd0e6",
        "name": "T1189"
      },
      {
        "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e",
        "name": "T1071"
      },
      {
        "id": "804630c7-dda3-49df-9ac4-70bd1ad83e06",
        "name": "T1192"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "358e04b8-6f65-48b2-a24b-f101bfc6671a",
        "name": "T1195"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      },
      {
        "id": "b9eab970-53dd-4977-9a26-c4fe566e422d",
        "name": "T1133"
      }
    ]
  },
  "external_refs": [
    "https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/#h-iocs",
    "https://otx.alienvault.com/pulse/6683bb5ee925bb5a240fa4ea"
  ]
}