Fakebat Malware - Malware Analysis Lab

8 minute read

Technical Analysis of Fakebat Malware

Overview (AI generated from video):

Fake browser updates, disguised as MSIX files, are being used to deploy malware and remain undetected. These malicious files can be downloaded from fake websites or through malvertising campaigns.

0:12 🕒 Fake browser updates try to convince users to download an installer or script that runs malware on their systems.
0:47 🕒 Malicious MSIX files are being used to deploy malware and evade detection.
1:37 🕒 MSIX files are essentially archives that can be extracted, and they often bundle with legitimate software like Chrome.
3:17 🕒 Malicious MSIX files can contain PowerShell scripts that run before or after the executable, allowing threat actors to execute malicious actions.
4:22 🕒 Malicious MSIX files are also distributed through malvertising campaigns that promote fake download sites impersonating legitimate software vendors.
7:06 🕒 Malicious MSIX files have low detection rates, making them a significant threat.
8:46 🕒 Launching a Windows application package spawns an AppInstaller process and a RuntimeBroker process; a malicious MSIX file goes through exactly the same path, so these processes alone do not reveal which package was launched.

Key Insights

💣 Fake browser updates are a deceptive tactic used by threat actors to trick users into downloading and running malware on their systems. This video highlights the use of malicious MSIX files in this type of attack.
🔒 MSIX files, although not traditional executables, can be interpreted as such by Windows. This allows threat actors to disguise their malicious payloads within seemingly legitimate software bundles.
🌐 Malvertising campaigns are another method used to distribute malicious MSIX files. By promoting fake versions of well-known software companies, users can unknowingly download and install malware on their systems.
📈 The low detection rates of malicious MSIX files and their associated scripts make them a potent and dangerous threat. Users must remain vigilant and cautious when downloading and installing software updates.
🔄 Launching a malicious MSIX file initiates an app installer process and a runtime broker process. These processes are leveraged by threat actors to execute their malicious actions while remaining undetected.
🚨 The use of PowerShell scripts within malicious MSIX files allows threat actors to perform various malicious activities, such as profiling potential victims, downloading encrypted payloads, and running code within legitimate processes like VLC.
🛡️ Detecting and mitigating the risks posed by malicious MSIX files requires advanced security measures, including robust threat intelligence, behavior-based detection, and regular software updates to patch vulnerabilities.
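The summary above describes two static properties an analyst can check before ever launching a package: the publisher recorded in the package manifest (a "Chrome" installer signed by an unrelated company) and a Package Support Framework configuration that declares a PowerShell script to run before or after the main executable. The following Python triage routine is an added example, not code from the page or the video. It assumes that an MSIX is a ZIP archive containing AppxManifest.xml (package identity and Publisher) and, when PSF is in use, a config.json whose applications[] entries may carry startScript/endScript objects with a scriptPath; the package it builds is constructed in memory with placeholder names and is not a real sample.

```python
"""Static triage of an MSIX package for PSF script hooks and publisher mismatch.

Added example; not code from the original page or the video it summarises.
Assumptions (not taken from the page):
- The MSIX is a ZIP containing AppxManifest.xml with an <Identity Publisher=...>
  element, and optionally a PSF config.json with applications[].startScript /
  applications[].endScript objects that name a scriptPath.
- The demo package built here is constructed data with placeholder names.
"""
import io
import json
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional

APPX_NS = "{http://schemas.microsoft.com/appx/manifest/foundation/windows10}"


def build_demo_package(with_psf: bool = True) -> bytes:
    """Construct an in-memory MSIX-like ZIP mirroring the layout discussed:
    a legitimate-looking installer plus (optionally) a PSF config that runs a
    PowerShell script before the main executable. Constructed, not a real sample."""
    manifest = """<?xml version="1.0" encoding="utf-8"?>
<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">
  <Identity Name="ChromeUpdater" Publisher="CN=Example Designs Ltd" Version="1.0.0.0"/>
  <Properties><DisplayName>Google Chrome</DisplayName></Properties>
</Package>"""
    config = {"applications": [{
        "id": "App",
        "executable": "VFS/ProgramFilesX64/ChromeSetup.exe",
        "startScript": {"scriptPath": "install.ps1", "waitForScriptToFinish": True},
    }]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AppxManifest.xml", manifest)
        z.writestr("VFS/ProgramFilesX64/ChromeSetup.exe", b"MZ placeholder")
        if with_psf:
            z.writestr("config.json", json.dumps(config))
            z.writestr("StartingScriptWrapper.ps1", "# PSF wrapper (placeholder)")
            z.writestr("install.ps1", "# placeholder script body")
    return buf.getvalue()


def inspect_msix(data: bytes, expected_publisher_substring: Optional[str] = None) -> dict:
    """Return identity, publisher, PSF script hooks, bundled .ps1 files and a list
    of defender-oriented review flags for an MSIX given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        root = ET.fromstring(z.read("AppxManifest.xml"))
        ident = root.find(APPX_NS + "Identity")
        name = ident.get("Name") if ident is not None else None
        publisher = ident.get("Publisher") if ident is not None else None
        disp = root.find(f"{APPX_NS}Properties/{APPX_NS}DisplayName")
        display_name = disp.text if disp is not None else None

        # PSF: any startScript/endScript means PowerShell runs around the app.
        hooks = []
        if "config.json" in names:
            cfg = json.loads(z.read("config.json"))
            for app in cfg.get("applications", []):
                for phase in ("startScript", "endScript"):
                    script = app.get(phase)
                    if script:
                        hooks.append({"app": app.get("id"), "phase": phase,
                                      "scriptPath": script.get("scriptPath")})
        ps1_files = sorted(n for n in names if n.lower().endswith(".ps1"))

    if hooks:
        findings.append("psf_script_hook")
    if ps1_files:
        findings.append("bundled_powershell")
    if (expected_publisher_substring and publisher
            and expected_publisher_substring.lower() not in publisher.lower()):
        findings.append("publisher_mismatch")

    return {"name": name, "publisher": publisher, "display_name": display_name,
            "psf_hooks": hooks, "ps1_files": ps1_files, "findings": findings}


if __name__ == "__main__":
    # A package that presents itself as Chrome should be published by Google.
    report = inspect_msix(build_demo_package(), expected_publisher_substring="Google")
    print(json.dumps(report, indent=2))
```

In a lab, `build_demo_package()` is replaced by reading the sample file's bytes; the `expected_publisher_substring` is whatever the package's display name implies the publisher should be, so a mismatch is exactly the "why is this company publishing Chrome" observation from the video. The script-hook flag is the structural counterpart of the PowerShell-before-the-executable behaviour: it fires on the declaration, not on any particular script content, so it does not depend on detection signatures for the script itself.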

Transcript (AI generated from video):

00:00:00	Have you ever seen something like this before? Well, this is something known as a fake browser update. It tries to convince you that you need to update your browser and that it's out of date, but that's not the case at all. Generally speaking, it will get you to download some sort of installer or script and hope that you run it, so that then it can run malware on your system. Now I will give a shout out to Elastic Security Labs: 6 months ago they reported on the use of malicious MSIX executables that are
00:00:29	being used to deploy malware on systems and remain undetected. I'm going to show you exactly how that works and what an MSIX file is, because it's not exactly an executable, but Windows knows how to interpret it. The result of that is something that looks like an executable. I have downloaded a sample from MalwareBazaar, and thank you rmce EO i n for uploading this file. This has come from ASP Min nb.com; this is a fake Chrome update. What are the chances that, 6 months later, this same domain is being used to
00:01:02	serve up fake browser updates? Well, that's actually where this screenshot came from that we saw before. This was actually only scanned 7 days ago. If you follow this, you are going to be served with a malicious MSIX file or something of the like. So let's take a look at this sample from 6 months ago and actually just see what this is doing, to get a better idea of how an MSIX file works. So we have our sample that we've downloaded from MalwareBazaar. Because this is essentially an archive, it can be interpreted as one and we can extract it
00:01:33	with 7-Zip. The thing is, this actually bundles with a legitimate Chrome setup, so the user is going to get Chrome installed and running as it should be, and they're probably going to be none the wiser about what's happened. However, there's something that sneakily goes along with this stuff. You see, these installers have something known as a Package Support Framework that can be used, and the Package Support Framework allows a PowerShell script to be run either before or after the executable runs. What threat actors
00:02:08	are doing, well, they're going to throw down their own PowerShell script that does something malicious. That's going to be the script that they designate should run when this actually executes. You're going to have something that is the StartingScriptWrapper.ps1 script that executes; this is defined within the prerequisites of running scripts within the Package Support Framework. Basically, what this is going to do is then execute the other script that you tell it to run. Let's take a look at it in this sample. Those with the keen eye
00:02:38	might determine, hey, something's probably not right here. Why would Google Chrome need to do all these things? It's reaching out to this fresh proc. site; there is enumeration of security products on the system; there is getting information about the domain that the system is connected to, so maybe profiling of a potential victim where follow-on activity can be performed. We also see this Get-Random, so these random numbers. For some reason, I don't know why they double this up: they're getting a random number, but then they're defining
00:03:09	it to Tri X. Why they didn't just have RR down here is beyond me, but they do what they do. What's of interest is, in this case, they are downloading what appears to be a GPG-encrypted executable or file, and then they're going to use the gpg.exe file with the passphrase of Putin in order to extract this and gain access to the subsequent payloads that they're going to deploy on the system. Now there is also a mention here of vlc.exe: it is going to be the file name that's being specified, so there's a good chance that
00:03:46	the extracted file is going to contain vlc.exe. Now, if this is the legitimate vlc.exe, there is a good chance that it's going to be bundled with a malicious DLL called libvlc.dll, and this is going to likely run some shellcode that then is going to be operating inside of the VLC executable process. If you think about this in the context of, is anything malicious happening, what do we see? We see a Google Chrome update occur, we see PowerShell scripts running that go out and connect to some domains, and then we
00:04:21	see the VLC executable run as well. powershell.exe had malicious code running inside of it, as does the VLC executable, and then follow-on activity can likely occur from there. Now these malicious MSIX files aren't just coming through as fake browser updates; in the wild there's also been malvertising campaigns, so malicious advertising campaigns where Google search results will actually promote malicious websites, and through those websites they are fake versions of legitimate software companies. And if you go there and
00:04:54	download these MSIX files and install them through this method, you will also wind up with malware on your host. For example, there's samples out here that are only about just less than a month old on VirusTotal, and they still have a very, very low detection rate. The same applies to the actual malicious scripts that they are running, which also have next to no, if not no, detection rates. So this is something to be aware of. I'll also show you what this looks like if someone was to download the MSIX installer and they double click it:
00:05:26	they're going to get it interpreted by Windows, and it's going to say, hey, do you want to install this software? Now, this actually says the capabilities that the software has, so it uses all system resources, which is quite funny because that's what Chrome does. But what's not so funny is the fact that the publisher here is Futurity Designs Limited, which is not someone we would expect to be publishing Chrome. That doesn't make a lot of sense. So this is the signing cert that's bundled in this installer that
00:05:53	the threat actor has been able to gain access to or purchase. There's something else to keep in mind: when we launch a Windows application package, so in this case a malicious MSIX file, what will happen from a process standpoint is there will be an app installer process that spawns, and this is being used to actually interpret that package, and then there will also be a runtime broker process that is launched, and this is to do with the permissions associated with that package. So from a process
00:06:22	standpoint, the AppInstaller.exe actually doesn't tell us anything in, say, the command line that will allow us to infer what this malicious MSIX file is that actually launched the app installer process. When it is running, it will have a particular handler that can be seen in the command line specified, so the server name has this app X9 yada yada yada 7145 q. MCA. Now this is a different malicious sample; as you can see, this is pretending to be WebEx, however it has the exact same server handler name. As if
00:06:59	we were to launch our other malicious sample and look at the app installer process that spawned from that, it would be exactly the same; in fact, it would probably use the exact same process. But that's it, that's all I wanted to show you, something to be aware of: there are malicious MSIX files, and within those, malicious activity can occur, such as post-install PowerShell scripts running. Let me know your thoughts, feelings, comments, anything else in the comments section below. If you have any ideas on videos that you want me to do
00:07:29	also, so let me know. If you enjoyed this, give it a like, thumbs up, share, comment, anything else, it really helps the algorithm, and I will catch you next time. [Music]