
New malware, FakeBat Loader, spreads via drive-by download
Drive-by download is a well-established technique that cybercriminals use to install malware onto a victim’s computer. And in the first half of 2024 there has been a significant number of campaigns in which this mode of attack has been used to install the FakeBat Loader malware.
Today, I’ll provide an overview of how drive-by download works, and then we’ll get into the details of FakeBat Loader and what it reveals about the current state of the cybercrime economy. And we’ll close out with a discussion of how best to combat this type of attack.
Drive-by download
Drive-by download consists essentially of tricking users into downloading malicious code of some kind via a website. This can be accomplished in a number of different ways. Some common techniques include:
SEO poisoning is a technique that involves manipulating search-engine optimization practices to elevate a fake or malicious website so that it appears to be genuine and benign. So, for example, a search for a particular software download might take you to a malicious page designed to impersonate the real thing. When you click to download the software you were looking for, you instead take malware into your system.
Compromise and code injection effectively accomplishes the same goal by attacking and compromising a legitimate website. The criminals then inject malicious code into the actual website code, so that upon visiting the site or clicking what appears to be a legitimate link, malware will be automatically downloaded to your system.
Malvertising is a very common technique in which criminals place fake ads into legitimate websites, relying on the complexity of the online advertising ecosystem to render detection unlikely. When a user clicks on the fake advertisement, malware is downloaded to their system. One example that nearly everyone has seen is an ad that says “STOP! Your system is infected!” accompanied by a “Scan Now” button.
Drive-by downloads may also employ fake dialog windows that appear to come from your operating system, or benign-seeming pop-up ads. Clicking to dismiss the dialog or close the pop-up ad actually triggers a malware download.
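For the compromise-and-code-injection case above, one defender-side check is to compare the script and iframe origins a page actually loads against the origins the site owner knows to be legitimate, and to flag inline scripts that use constructs typical of obfuscated loaders. The following is an added example, not Barracuda's code or part of the original post; the allowlist, hostnames and sample page are constructed, and the inline-script keywords are a heuristic, not a signature.

```python
# Added example (not Barracuda's code): defender-side check for injected page content.
# It flags script/iframe origins absent from the site owner's known-origin list, and
# inline scripts using constructs common in obfuscated loaders (heuristic only).
# The allowlist and the sample page below are constructed for illustration.
from html.parser import HTMLParser
from urllib.parse import urlparse

KNOWN_ORIGINS = {"www.example-shop.test", "cdn.example-shop.test"}      # constructed
SUSPICIOUS_INLINE = ("eval(", "unescape(", "atob(", "document.write(")  # heuristic
SAMPLE_HTML = """<html><head><script src="https://cdn.example-shop.test/app.js"></script>
<script src="//static.unknown-host.test/loader.js"></script>
<script>var s=atob("aHR0cDovL2V4YW1wbGU=");document.write(s);</script></head>
<body><iframe src="/help/embed.html"></iframe><iframe src="https://promo.unknown-host.test/frame"></iframe></body></html>"""


class ResourceCollector(HTMLParser):
    """Collects external script/iframe sources and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []   # (tag, url) pairs; inline script text
        self._in_inline = False

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append((tag, src))
        elif tag == "script":
            self._in_inline = True           # no src: body arrives via handle_data

    def handle_data(self, data):
        if self._in_inline and data.strip():
            self.inline.append(data.strip())

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False


def audit_page(html, known_origins=KNOWN_ORIGINS):
    """Return (kind, tag, detail) findings; relative URLs are same-origin and skipped."""
    parser = ResourceCollector()
    parser.feed(html)
    findings = []
    for tag, url in parser.external:
        host = urlparse(url).hostname        # handles absolute and protocol-relative URLs
        if host and host not in known_origins:
            findings.append(("unknown_origin", tag, host))
    for body in parser.inline:
        if any(k in body for k in SUSPICIOUS_INLINE):
            findings.append(("suspicious_inline", "script", body[:40]))
    return findings
```

Running `audit_page` against a periodically fetched copy of each page, and alerting when a new origin appears, turns the site owner's own knowledge of legitimate third parties into a compromise signal.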
FakeBat Loader
As the name suggests, FakeBat Loader is a type of malware whose primary purpose is to surreptitiously download other, secondary malware payloads.
Now you may be wondering, “why go to the trouble of downloading a loader and then using that to download your actual malware payload, rather than just using the drive-by download technique to download the payload in the first place?”
Well, it turns out that FakeBat is technically classified as a loader-as-a-service (LaaS). That is, a cybercriminal—the Russian-speaking threat actor called Eugenfest—offers FakeBat as a paid subscription service to other cyber crooks. It even comes in a variety of formats and configurations depending on the user’s needs. Subscriptions can be purchased on a weekly or monthly basis.
The benefit of using FakeBat, for run-of-the-mill cybercriminals, is that it is very well designed to obfuscate its own malicious nature, making it unlikely to be detected by security strategies that look for malicious or compromised websites, ads, etc. that are engaged in drive-by downloads.
Not only that, but once installed in a target’s system, it is also very good at downloading further payloads without being detected.
All of this tends to highlight the way that the cybercrime ecosystem has evolved into a very mature economy, with highly specialized participants exchanging valuable services. And while the details of this underground economy may be very complex, the upshot is that even someone with very limited programming skills can launch very sophisticated cyber-attacks by essentially hiring out the difficult bits—such as creating a loader that can go undetected while downloading malware such as ransomware to a target system.
Effective defense
Phishing and social engineering are still the main ways that threat actors gain initial access to a targeted system. Drive-by downloads fall into this category, and one of the most effective ways to reduce your organization’s vulnerability is with ongoing, well-designed security-awareness training programs.
Online training programs such as Barracuda Security Awareness Training, included as part of Barracuda Email Protection, can be extremely useful and are proven to reduce vulnerability. But these solutions don’t just work automatically on their own. It’s up to you to build a culture of security awareness and to actively launch simulation and training campaigns on an ongoing, continuous basis in order to optimize their effectiveness.
On the technical side, web security solutions are increasingly able to detect and block malicious sites or legitimate sites that have been compromised. The addition of AI-based pattern tracking and anomaly detection has made products like Barracuda Web Security—part of Barracuda Network Protection—increasingly able to prevent users from being exposed to fake ads and so on, and from initiating drive-by download attacks.