AdwareHow-To-GuidesIT/Cybersecurity Best PracticesMalware

FakeBat is Promoted by a Malicious Malvertising Campaign Exploiting Google Promotions

riviTMedia Research
riviTMedia Research
Malicious Malvertising Campaign Exploiting Google Promotions

A new malvertising campaign has emerged, leveraging Google Promotions to steer users seeking popular software towards deceptive landing pages and subsequently distribute malicious payloads. This campaign, as reported by Malwarebytes, is distinctive in its approach, particularly in how it identifies users and delivers time-sensitive threats.

Contents
What is Malvertising?What does the Malicious Malvertising Campaign Distributing the FakeBat Malware Do?Exploiting Google PromotionsIdentification and FingerprintingDelivery of MalwareSelecting Specific TargetsPunycode for Deceptive DomainsAvoiding Testing ConditionsMalware ExecutionRemoving the ThreatConclusion

What is Malvertising?

Malvertising, a portmanteau of “malicious” and “advertising,” is a deceptive and harmful online advertising technique used by cybercriminals to spread malware and exploit unsuspecting users. It involves the insertion of malicious code or malware into legitimate online advertisements, which are then displayed on various websites, including reputable ones. The goal of malvertising is to infect users’ devices or direct them to malicious websites, often without their knowledge or consent.

What does the Malicious Malvertising Campaign Distributing the FakeBat Malware Do?

Exploiting Google Promotions

This sophisticated attack is tailored to individuals searching for software such as Notepad++ and PDF converters. It introduces deceptive advertisements on Google search results pages. Once clicked, it filters out automated bots and random IP addresses, skillfully redirecting visitors to a fraudulent website.

Identification and Fingerprinting

If the visitor is deemed a potential threat, they are redirected to a counterfeit site promoting the desired software while secretly fingerprinting the system to determine whether the request originates from a virtual machine. Users who fail this check are directed to the legitimate Notepad++ site, while potential targets receive a unique identifier for tracking and ensuring that each download is both unique and time-sensitive.

Delivery of Malware

The final stage of this malware campaign delivers a HTA (HTML Application) payload, establishing a connection to a remote domain, “mybigeye[.]icu,” on a custom port, and disseminating further malware.

Selecting Specific Targets

Jerome Segura, Director of Threat Intelligence, highlighted the use of evasion techniques by threat actors to bypass ad verification checks and focus on specific victim types. This revelation aligns with a similar campaign targeting users searching for the KeePass password manager.

Punycode for Deceptive Domains

This campaign uses malicious ads to direct victims to a domain employing Punycode, a special encoding that converts Unicode characters into ASCII (e.g., keepass[.]info versus ķeepass[.]info). The goal is to execute homograph attacks and entice victims into downloading malware.

Avoiding Testing Conditions

Victims who click on the ad are redirected through a cloaking service designed to exclude test environments, automated bots, and those not identified as genuine victims. Threat actors have established a temporary domain at keepasstacking[.]site, which serves as the final destination.

Malware Execution

Users landing on the deceptive site are deceived into downloading a malicious installer, ultimately leading to the activation of FakeBat (also known as EugenLoader), a loader designed to download additional malicious code.

Removing the Threat

To remove this threat, follow these steps:

  1. Disconnect from the Internet: Cut off your internet connection to prevent further communication with malicious servers.
  2. Restart in Safe Mode: Restart your computer in Safe Mode to minimize the impact of the malicious software.
  3. Uninstall Suspicious Programs: In the Control Panel, uninstall any suspicious programs related to the threat.
  4. Delete Malicious Files: Manually delete any remaining malicious files and directories from your system.
  5. Remove Registry Entries: Access the Windows Registry Editor and remove entries associated with the threat.
  6. Run Anti-Malware Scans: Use reputable anti-malware software to perform a comprehensive system scan and remove any residual threats.

Conclusion

The malvertising campaign exploiting Google Promotions and employing Punycode for deceptive domains represents a growing sophistication in cyber threats. Staying informed, using reliable security software, being cautious online, keeping software updated, and regularly backing up your data are essential practices to protect your system from such threats in the future.

You Might Also Like

OptimizationSquare: Understanding the Adware Peril

Understanding Mayorhotdogs.uno Pop-up Ads

Understanding Mfxtradevip.com: A Deep Dive into Browser Security Threats

Messenger-rocks.com Pop-up Ads Removal – Safeguarding Against Deceptive Tactics

Searchmylinks.com Pop-up Removal: Eliminating Tech-Support Scam

TAGGED: , , ,
Share This Article
Previous Article Live Security Platinum and Its Clones: Identifying, Removing, and Protecting Your System
Next Article strop/Djvu Ransomware ZPWW Ransomware: Dealing with the new STOP/Djvu Ransomware Variant
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Stay Connected

Latest News

Ransomware
CACTUS Ransomware Exploits Qlik Sense Vulnerabilities
Ransomware
Colour Cure: Understanding and Preventing Browser Hijackers
Browser Hijackers
malicious website
The Risks of ourhugenewz[.]com and Similar Rogue Websites
Browser Hijackers
ransomware, stop/djvu
Elpy Ransomware: Unraveling the Threat and Prevention Measures
Ransomware