Impress Computers, Houston’s Leading Managed Service Provider, Warns of New Malware Threats
Impress Computers, a leading managed service provider (MSP) in Houston, has issued a warning about a sharp increase in malware infections resulting from malicious advertising campaigns. These campaigns are distributing a dangerous malware loader known as FakeBat, posing significant risks to businesses that rely on trusted software.
“These cyberattacks are highly opportunistic, preying on users searching for popular business software,” explained the cybersecurity team at Impress Computers. “The infection process involves a trojanized MSIX installer, which activates a PowerShell script to download further malicious software.”
FakeBat, also known as EugenLoader and PaykLoader, has been linked to a threat group called Eugenfest. The malware operation, tracked under the name NUMOZYLOD, is believed to be part of a larger Malware-as-a-Service (MaaS) operation attributed to the cybercriminal group UNC4536.
The Attack Methodology
The malware spreads through a method called drive-by download, which directs users searching for legitimate software to fraudulent websites. These sites host fake MSI installers that are rigged with malware. Among the malware distributed via FakeBat are dangerous families like IcedID, RedLine Stealer, Lumma Stealer, SectopRAT (also known as ArechClient2), and Carbanak, which is associated with the notorious FIN7 cybercrime group.
“UNC4536 leverages malicious advertising to distribute trojanized MSIX installers disguised as well-known software such as Brave, KeePass, Notion, Steam, and Zoom,” the Impress Computers team noted. “These compromised installers are hosted on websites that mimic legitimate software distribution sites, tricking users into downloading them.”
Why This Matters to Your Business
For businesses relying on trusted software, these attacks are particularly concerning. The use of MSIX installers disguised as popular applications like Brave, KeePass, Notion, Steam, and Zoom allows the malware to execute harmful scripts before the main application launches, using a technique called startScript.
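An MSIX package is a zip archive, and the Package Support Framework (PSF) hook that the page calls startScript is declared in a config.json inside it. The following added triage script (not part of the original alert, and not Impress Computers' tooling) builds a constructed in-memory package with such a hook and lists every declared script hook; the config.json field names and root-of-package location follow the PSF layout and are an assumption here.

```python
import io
import json
import zipfile

# Constructed sample (not a real package): a PSF config.json that declares a
# startScript, so a PowerShell script runs before app.exe is started.
SAMPLE_CONFIG = {
    "applications": [
        {
            "id": "App",
            "executable": "VFS/ProgramFilesX64/App/app.exe",
            "startScript": {
                "scriptPath": "StartingScript.ps1",
                "runOnce": False,
                "waitForScriptToFinish": True,
            },
        }
    ]
}


def build_sample_msix(with_hook: bool = True) -> bytes:
    """Build an in-memory zip laid out like an MSIX package (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AppxManifest.xml", "<Package/>")
        if with_hook:
            z.writestr("config.json", json.dumps(SAMPLE_CONFIG))
            z.writestr("StartingScript.ps1", "# placeholder script body\n")
    return buf.getvalue()


def find_script_hooks(msix_bytes: bytes) -> list[dict]:
    """List startScript/endScript hooks from the package-root PSF config.json.

    A hook is a triage signal, not a verdict: legitimate packages use PSF too,
    so the referenced script itself still has to be reviewed.
    """
    hooks = []
    with zipfile.ZipFile(io.BytesIO(msix_bytes)) as z:
        names = set(z.namelist())
        if "config.json" not in names:
            return hooks
        cfg = json.loads(z.read("config.json"))
        for app in cfg.get("applications", []):
            for kind in ("startScript", "endScript"):
                spec = app.get(kind)
                if not spec:
                    continue
                path = spec.get("scriptPath", "")
                hooks.append({"app": app.get("id", "?"), "hook": kind,
                              "script": path, "in_package": path in names,
                              "runs_every_launch": not spec.get("runOnce", False)})
    return hooks
```

Run `find_script_hooks` over the bytes of a downloaded .msix to see which scripts would execute around the packaged application, then inspect those script files before trusting the installer.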
As a managed service provider, Impress Computers emphasizes the importance of proactive cybersecurity measures to protect against such threats. “UNC4536 essentially acts as a malware distributor, with FakeBat serving as a delivery mechanism for additional malicious payloads used by their criminal partners, including the FIN7 group,” said the team.
“NUMOZYLOD collects critical system data, including operating system information, domain connections, and details about installed antivirus products,” added Impress Computers. “In certain variants, it even gathers the public IPv4 and IPv6 addresses of the compromised host and sends this information to its command and control (C2) servers. It also establishes persistence by creating a shortcut (.lnk) in the StartUp folder.”
The Need for Managed Security Services
The recent surge in such threats underscores the vital role that managed service providers like Impress Computers play in safeguarding businesses. Their comprehensive approach to cybersecurity includes constant monitoring, threat detection, and rapid response to incidents, ensuring that their clients remain protected against evolving threats.
This alert comes on the heels of another recent disclosure involving a different malware downloader known as EMPTYSPACE (also called BrokerLoader or Vetta Loader). This downloader has been used by a financially motivated threat group called UNC4990 to facilitate data theft and cryptojacking activities, particularly targeting businesses in Europe.
Cyber Incident Prevention Best Practices For Your Small Business