norm. Threat Bulletin: 10th July 2024

Threat bulletin header

FakeBat Alert: Uncovering the Latest Drive-By Download Threats in 2024

FakeBat, a loader-as-a-service (LaaS) malware, has become one of the most prevalent loader malware families in 2024, according to Sekoia. Distributed via drive-by download techniques, FakeBat primarily aims to download and execute secondary payloads such as IcedID, Lumma, RedLine, SmokeLoader, SectopRAT, and Ursnif.

Drive-by attacks are a type of cyber-attack where malware is delivered to a user’s device simply by visiting a compromised or malicious website. These attacks do not require the user to take any specific action like downloading or opening a file; the malware is automatically downloaded and executed. Drive-by attacks use methods like search engine optimisation (SEO) poisoning, malvertising, and injecting malicious code into compromised websites to trick users into downloading fake software installers or browser updates.

The rise of malware loaders is closely linked to the increasing use of landing pages that impersonate legitimate software websites, presenting them as authentic installers. This trend underscores the significant role of phishing and social engineering in initial access by threat actors.

FakeBat, also known as EugenLoader and PaykLoader, has been offered on underground forums under a LaaS subscription model by a Russian-speaking threat actor named Eugenfest (aka Payk_34) since December 2022. This loader is designed to bypass security mechanisms and provides customers with options to generate trojanised legitimate software builds and monitor installations over time via an administration panel.

Earlier versions of FakeBat used the MSI format for malware builds, but recent iterations since September 2023 have switched to the MSIX format and added a digital signature with a valid certificate to evade Microsoft SmartScreen protections. The pricing for the malware ranges from $1,000 per week for the MSI format to $5,000 per month for a combined MSI and signature package. Which in comparison to possible profit margins seems disproportionate and enticing for cyber criminals

Sekoia identified three primary methods of FakeBat dissemination: impersonating popular software through malicious Google ads, fake web browser updates on compromised sites, and social engineering schemes on social networks. Although not all targeted software is currently known, there is a summarised list available of potential applications to look out for as detailed in Figure 1 below.


Software list of suspected fakebat malvertising campaigns

Figure 1 – Software list of Suspected FakeBat Malvertising Campaigns


These activities are linked to groups such as FIN7, Nitrogen, and BATLOADER. FakeBat command-and-control servers likely filter traffic based on characteristics like User-Agent value, IP address, and location to target specific victims.

In related developments, the AhnLab Security Intelligence Center (ASEC) reported a campaign distributing another loader, DBatLoader (also known as ModiLoader and NatsoLoader) through invoice-themed phishing emails. Additionally, infection chains propagating Hijack Loader (also known as DOILoader and IDAT Loader) via pirated movie download sites were discovered, ultimately delivering the Lumma information stealer. These campaigns often use complex infection chains and heavy obfuscation techniques.

Phishing campaigns have also been observed delivering Remcos RAT, with a new Eastern European threat actor dubbed Unfurling Hemlock using loaders and emails to distribute various malware strains, primarily stealers like RedLine, RisePro, and Mystic Stealer, and loaders such as Amadey and SmokeLoader. This malware is often sent via email or dropped from external sites contacted by other loaders.

This feels like a lot of different angles to approach, and it is likely difficult to tackle for any business without dedicated security departments. Luckily, you could leave it to the professionals of the industry, here are at Norm our Managed Threat Detection and Response package service provides near real-time security monitoring for your network, services and devices. Using telemetry feeds, threat intelligence feeds, use cases and play books, the Norm Security Operations Centre (SOC) identifies and isolates threats in near real-time, giving you peace of mind 24 hours a day, every day.



What Is A Drive by Download Attack? (
Exposing FakeBat loader: distribution methods and adversary infrastructure (
BATLOADER Malware Uses Google Ads to Deliver Vidar Stealer and Ursnif Payloads (
FakeBat Loader Malware Spreads Widely Through Drive-by Download Attacks (
FakeBat – ThreatDown by Malwarebytes


Malicious QR Reader App on Google Play Spreads Anatsa Banking Malware – How to Protect Yourself

Security researchers have uncovered a malicious QR code reader app on Google Play that infects devices with the notorious Anatsa banking malware. This discovery underscores the ever-present threat of malicious apps lurking even in official app stores, emphasising the need for heightened user vigilance.

The Threat and Its Impact

The seemingly legitimate QR reader app secretly distributed Anatsa, a sophisticated malware designed to steal sensitive banking information. According to Zscaler ThreatLabz, the app garnered thousands of downloads, potentially jeopardising a significant number of users’ financial data.

Anatsa boasts a dangerous arsenal of tools: keylogging to capture keystrokes, overlay attacks that mimic legitimate login screens to steal credentials, and even remote access capabilities. These features make it a formidable threat, capable of bypassing traditional security and remaining undetected for extended periods.

How Anatsa Works

Once installed, the malicious app slyly requests permissions that allow it to operate in the background. It then becomes a silent thief, monitoring your activity, capturing keystrokes you enter for usernames and passwords, and even overlaying fake login screens on top of real banking apps to steal your login credentials. In the most severe cases, the malware can gain remote control of your device, enabling attackers to steal your money through unauthorised transactions.

Staying Safe in the Digital Age

In response to this incident, Google has removed the malicious app from the Play Store and is taking steps to strengthen its app vetting process to prevent similar occurrences. However, this incident serves as a stark reminder that app stores are not foolproof. Here’s how you can stay safe:

  • Download with Caution: Scrutinise apps before downloading, even from official stores. Check app reviews, developer backgrounds, and requested permissions. Does a QR reader app need access to your contacts or messages? If something seems off, trust your gut and avoid it.
  • Security Software is Your Ally: Consider installing a reputable security app that can detect and block malware before it infects your device.
  • Be Vigilant: Always be cautious when using QR codes. Don’t scan codes from untrusted sources, and double-check URLs before visiting them.

By following these tips and staying vigilant, you can significantly reduce the risk of falling victim to malicious apps and banking malware like Anatsa. Remember, your information security is in your hands.



Malicious QR Reader App in Google Play Delivers Anatsa Banking Malware | (Cybersecurity News)
Malicious QR Reader App in Google Play Delivers Anatsa Banking Malware | (Cyware Alerts – Hacker News)


Ethereum Mailing List Compromise Impacts 35,000 Users with a Crypto Draining Attack

A threat actor compromised Ethereum’s mailing list provider and sent a phishing email to over 35,000 addresses, directing recipients to a malicious site equipped with a crypto drainer. Ethereum disclosed the incident in a blog post this week, confirming no material impact on users.

The attack occurred on the night of June 23, with an email sent from the address ‘’ to 35,794 addresses. The threat actor used a combination of their own email list and an additional 3,759 addresses exported from Ethereum’s blog mailing list. Notably, only 81 of the exported addresses were previously unknown to the attacker.

The phishing email enticed recipients with an announcement of a collaboration with Lido DAO, promising a 6.8% annual percentage yield (APY) on staked Ethereum. Clicking the embedded ‘Begin staking’ button redirected users to a fake but convincingly crafted website mimicking the promotion. If users connected their wallets and signed the requested transaction, the crypto drainer would empty their wallets, transferring all funds to the attacker.

Ethereum’s internal security team promptly launched an investigation to identify the attacker, understand the attack’s objectives, determine the timeline, and identify the affected parties. The attacker was swiftly blocked from sending more emails, and Ethereum used Twitter to warn the community about the malicious emails, advising against clicking the link.

The malicious link was submitted to various blocklists, resulting in its blockage by most Web3 wallet providers and Cloudflare. On-chain transaction analysis confirmed that none of the email recipients fell for the phishing attempt during the campaign.

Ethereum has responded to the incident by implementing additional security measures and initiating the migration of some email services to other providers. These steps are aimed at preventing similar incidents in the future.

Meanwhile, Norm offers courses tailored to educate and protect users and companies from phishing emails and other cyber threats in its Cyber Safety and Phishing module, equipping individuals with practical knowledge and effective strategies to recognise and avoid phishing attempts.



Ethereum mailing list breach exposes 35,000 to crypto draining attack (
Ethereum Foundation email hacked to promote Lido staking phishing scam (



Get norm.’s threat bulletin direct to your inbox

norm. tracks and monitors the latest security trends and cyber threats and collates these into a fortnightly threat bulletin.

You can receive this bulletin for free, every fortnight, by entering your business email address below: