FakeBat Malware Distributed in Malvertising Campaign

New information has surfaced regarding a malvertising campaign that exploits Google Ads to direct users seeking popular software to fabricated landing pages and distribute subsequent malicious payloads.

Malwarebytes, the entity that uncovered this activity, characterized it as "unique in its approach to identifying users and delivering time-sensitive payloads."

This attack specifically targets individuals searching for software such as Notepad++ and PDF converters. It presents counterfeit advertisements on the Google search results page; clicking one leads to a decoy site that serves to filter out automated bots and IP addresses the attackers are not interested in.

If the visitor is considered of interest to the threat actor, they are rerouted to a fake website promoting the desired software while covertly fingerprinting the system to determine if the request originates from a virtual machine.

Visitors that the fingerprinting identifies as virtual machines are redirected to the legitimate Notepad++ website, while potential targets are assigned a distinct identifier that serves both to track them and to ensure each download is unique and time-sensitive.

The final-stage malware takes the form of an HTA payload, establishing a connection with a remote domain, "mybigeye[.]icu," on a custom port, and distributing further malware.

FakeBat Malicious Campaign Picks its Victims

Jerome Segura, the director of threat intelligence, stated that threat actors are effectively employing evasion techniques to circumvent ad verification checks and focus on specific victim types.

This revelation coincides with a similar campaign targeting users searching for the KeePass password manager. It employs malicious ads to direct victims to a domain using Punycode (keepass[.]info vs. ķeepass[.]info), a special encoding that converts Unicode characters to ASCII.

Segura explained that people who click on the ad will be rerouted through a cloaking service designed to exclude testing environments, automated bots, and anyone not identified as a genuine victim. He further explained that the threat actors have set up a temporary domain at keepasstacking[.]site that orchestrates the conditional redirect to the final destination.

Individuals landing on the deceptive site are deceived into downloading a malicious installer, ultimately leading to the execution of FakeBat (also known as EugenLoader), a loader designed to download other malicious code.

The use of Punycode is not entirely new, but its combination with fraudulent Google Ads signals a growing sophistication in malvertising via search engines. This approach leverages Punycode to register domain names similar to legitimate sites, aiming to execute homograph attacks and entice victims into installing malware.
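One defensive use of the Punycode point above is to fold lookalike hostnames seen in proxy or DNS logs back to the brand they imitate. The following is an added example, not code from Malwarebytes or the article; the protected-domain list and the sample hostnames are constructed assumptions, and the confusables table is deliberately partial.

```python
import unicodedata

# Constructed allowlist (an assumption for this example): brand domains that
# the campaign described above impersonates and that a defender wants to watch.
PROTECTED = {"keepass.info", "notepad-plus-plus.org"}

# Partial confusables table for letters NFKD cannot fold (Cyrillic lookalikes
# of Latin letters). Extend from the Unicode confusables data in real use.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
})

def to_unicode(hostname):
    """Decode any xn-- (Punycode) labels so the hostname is in Unicode form."""
    labels = []
    for label in hostname.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)

def skeleton(hostname):
    """Fold diacritics and known confusables, e.g. 'ķeepass' -> 'keepass'."""
    decomposed = unicodedata.normalize("NFKD", to_unicode(hostname))
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return stripped.translate(CONFUSABLES)

def impersonated_brand(hostname):
    """Return the protected domain this hostname imitates, or None."""
    if to_unicode(hostname) in PROTECTED:
        return None  # the genuine domain itself, not a lookalike
    folded = skeleton(hostname)
    return folded if folded in PROTECTED else None

def flag_hostnames(hostnames):
    """Map each lookalike hostname in a log extract to the brand it imitates."""
    return {h: brand for h in hostnames if (brand := impersonated_brand(h))}

if __name__ == "__main__":
    # Constructed sample of hostnames as they might appear in proxy or DNS logs.
    sample = [
        "keepass.info",                                   # genuine
        "\u0137eepass.info",                              # the ķeepass[.]info lookalike
        "xn--" + "\u0137eepass".encode("punycode").decode("ascii") + ".info",
        "n\u043etepad-plus-plus.org",                     # Cyrillic 'о' in notepad
        "example.com",                                    # unrelated
    ]
    for host, brand in flag_hostnames(sample).items():
        print(f"{host} -> imitates {brand}")
```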

October 23, 2023
