IT News

Explore the MakoLogics IT News for valuable insights and thought leadership on industry best practices in managed IT services and enterprise security updates.

A week in security (March 11 – March 17)

Last week on Malwarebytes Labs:

Stay safe!


Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Ransomware’s appetite for US healthcare sees known attacks double in a year

Following the February 21 attack on Change Healthcare, scores of people in the US have been living with the brutal, real-world effects of ransomware.

Described by the American Hospital Association (AHA) President and CEO Rick Pollack as “the most significant and consequential incident of its kind against the US health care system in history,” the attack has stopped billions of dollars in payments flowing between doctors, hospitals, pharmacies and insurers. It has also created skyrocketing pharmacy bills, pushed some healthcare providers to the edge of insolvency, and led some small practices offering chemotherapy to warn that they are just weeks from turning patients away.

There are thousands of “big game” ransomware attacks like this every year—large scale cyberattacks that can bring entire organisations to a halt. They are always damaging and they always cause pain, but when they hit the healthcare system, the consequences—particularly the risk to life—are often more immediately obvious and shocking.

From time to time individual ransomware gangs will grandstand and say they don’t or won’t hit hospitals, but the truth is that healthcare has always been a major target.

Only three weeks ago, the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning that ALPHV, the ransomware group behind the attack on Change Healthcare, was singling out targets in that sector, saying that “since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most commonly victimized.”

ALPHV is just one gang among many targeting the sector. In the last 12 months, known ransomware attacks on US targets have increased an enormous 101% year-on-year, but attacks on healthcare have outpaced even that, increasing 137%.

70% of all known attacks on healthcare happen in the US.

Known ransomware attacks on the US healthcare sector, March 2022 - February 2024

This relentless assault has made healthcare the second most attacked sector in the US, where it accounts for 9% of known attacks. In the same period, healthcare accounted for just 3% of known attacks in the rest of the world.

The stark difference between the US and everywhere else may reflect the enormous size of the US healthcare market, or it could be the result of deliberate targeting.

Known ransomware attacks by industry sector, USA, March 2023 - February 2024

Known ransomware attacks by industry sector, rest of the world, March 2023 - February 2024

Given its unmatched global footprint, it’s no surprise that LockBit was responsible for more attacks on US healthcare than any other ransomware group in the last year. LockBit is the most widely used ransomware in the world, and tops the list of most active groups across a wide variety of different countries and industry sectors. What is most striking about attacks on US healthcare though is the number of different gangs involved.

In the last year, 36 different ransomware groups are known to have attacked US healthcare targets, and, unusually, the combined contribution of gangs making just a few attacks each vastly outweighs the efforts of big gangs like LockBit and ALPHV.

Known ransomware attacks on US healthcare by gang, March 2023 - February 2024

It’s easy to see why so many ransomware gangs might be drawn to the sector: US healthcare companies are custodians of people’s most private data, guardians of their health, and part of a marketplace worth trillions of dollars. In other words, healthcare isn’t just another industry sector, either for the people who use it, or the people who prey on it. It is a special case, and there is an argument for saying that attacks on organisations like Change Healthcare should be treated like an attack on critical infrastructure.

The last attack on US critical infrastructure, against Colonial Pipeline in 2021, was met with an immediate and ferocious response. Within a month, the FBI had recovered the vast majority of the ransom. The gang behind it, DarkSide, lost control of its infrastructure to US law enforcement (and possibly US military) before going dark, and was quickly hounded out of existence by the FBI after it attempted to re-emerge and rebrand as BlackMatter.

Knowing that, perhaps it’s not a surprise that the attack on Change Healthcare was one of the ALPHV gang’s last acts before it disappeared in a sloppily executed exit scam.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.


Webinar recap: 6 critical cyberthreats in 2024 and how to counter them

Our webinar on the 2024 State of Malware report is now available on-demand. Featuring cybersecurity experts Mark Stockley and Jérôme Segura, this webinar unpacks 2024’s most critical cyberthreats, including big game ransomware, malvertising, and emerging challenges to mobile and Mac security.

Key highlights:

  • Expert insights: Stockley and Segura explain how the cybercrime landscape has shifted significantly in the past year, outlining the six most critical cyberthreats to watch out for in 2024.
  • Practical defense strategies: Learn about how layered defense systems, including EDR, MDR, and web protection, can protect your data, devices and your business from emerging cyber threats.
  • Why it’s essential: The webinar equips IT and security teams with a new threat prevention playbook that they can leverage today to prepare for 2024 cyberthreats of all types–not just malware.

Don’t let evolving threats catch your organization off guard—watch the webinar and arm yourself with the latest insight.

TikTok faces ban in US unless it parts ways with Chinese owner ByteDance

The House of Representatives has passed a bill that would effectively ban TikTok from the US unless Chinese owner ByteDance gives up its share of the immensely popular app.

TikTok is an immensely popular social media platform that allows users to create, share, and discover short video clips. It has experienced explosive growth since it first appeared in 2017, and is now said to have well over 1.5 billion users, with an estimated 170 million of them in the US.

Since 2020, several governments and organizations have banned, or considered banning, TikTok from their staff’s devices, but a complete ban of an internet app would be a first in the US.

Other countries have done this before. In 2020, India was the first country to ban TikTok, along with around 200 other Chinese apps that were all blocked from operating within the country. The ban cost TikTok some 200 million users.

General Paul Nakasone, Director of the National Security Agency (NSA) certainly fueled the feeling of necessity for such a ban. Speaking at a US Senate hearing in March 2023, the general said “one third of Americans get their news from TikTok”, adding “one sixth of American youth say they’re constantly on TikTok. That’s a loaded gun.”

And a former executive at TikTok’s parent company ByteDance claimed in court documents that the Chinese Communist Party (CCP) had access to TikTok data, despite the data being stored in the US. The allegations were made in a wrongful dismissal lawsuit which was filed in May in the San Francisco Superior Court.

Ever since then, TikTok has been battling to convince politicians that it operates independently of ByteDance, which has deep ties to the CCP. For example, TikTok has repeatedly claimed the Chinese government never demanded access to US data and that TikTok would not comply if it did.

All this, and the fear of foreign influence on the upcoming elections, led to the bipartisan legislation introduced in the House, which is expected to be sent to the Senate later this week.

Essentially, the bill says that TikTok has to find a new owner that is not based in a foreign adversarial country within the next 180 days or face a ban until it does comply.

The Electronic Frontier Foundation (EFF), an international non-profit digital rights group based in the US, says it opposes this bill, mainly because it is afraid that TikTok will not be the last app to face this type of ban. It mentions Tencent’s WeChat app as an example of what could be the next target.

A year ago, supporters of digital rights across the country successfully stopped the federal RESTRICT Act aka the “TikTok ban.” The RESTRICT Act was introduced in the United States Senate on March 7, 2023 and requires federal actions to identify and mitigate foreign threats to information and communications technology products and services (e.g., social media applications). It also establishes civil and criminal penalties for violations under the bill.

The EFF argues that the bill will not stop the sharing of data but it will reduce online rights in a way that is unconstitutional. And it says the focus should be on the common practice of data collection in the first place, rather than single out one app.

The EFF’s point is that data brokers will continue to sell our information to whoever is willing to pay. And the apps providing brokers with data are certainly not limited to those that hail from a foreign adversarial country.

Chinese officials reportedly said the government would “firmly oppose” any forced sale of TikTok because it would “seriously undermine the confidence of investors from various countries, including China, to invest in the United States.”

Check your digital footprint

If you want to find out how much of your data has been exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.


We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

Malwarebytes Premium blocks 100% of malware during external AVLab test

Malwarebytes Premium earned a perfect score in the latest AVLab Cybersecurity Foundation “Advanced In-The-Wild Malware Test,” catching and stopping 100% of malware samples, outperforming multiple competitors in the field, and continuing a longstanding tradition of proven, perfect protection for users.

In the January evaluation, Malwarebytes Premium for Windows detected and blocked 380 out of 380 malware samples, with 69% (263 samples) detected “pre-launch” and 31% (117 samples) detected “post-launch.” The time to remediation was just 41 seconds—quicker than nearly every single competitor that also blocked all malware samples in the test.

For its performance and results, Malwarebytes obtained an “Excellent” award badge from AVLab.

Comprised of a small team of cybersecurity and information security experts, AVLab Cybersecurity Foundation regularly evaluates cybersecurity vendors on the performance of their products.

To ensure that the organization’s evaluations reflect current cyberthreats, each round of testing follows three steps:

  1. Collecting and verifying in-the-wild malware: AVLab regularly collects malware samples from malicious and active URLs, testing the malware samples to understand their impact to networks and endpoints.
  2. Simulating a real-world scenario in testing: To recreate how a real-life cyberattack would occur, AVLab uses the Firefox web browser to engage with the known, malicious URLs collected in the step prior. In the most recent test, AVLab emphasized the potential for these URLs to be sent over instant messaging platforms, including Discord and Telegram.
  3. Incident recovery time assessment: With the various cybersecurity products installed, AVLab measures whether the evaluated product detects a malware sample, when it detects a sample, and how long it took to detect that sample. The last metric is referred to as “Remediation Time.”

In the January evaluation, AVLab tested 12 cybersecurity products (one of which included ThreatDown, powered by Malwarebytes). Just more than half of the products blocked 100% of the malware samples tested, and of those products, only one had a quicker Remediation Time than Malwarebytes Premium for Windows.

Notably, the default cybersecurity program that many users rely on—Microsoft Defender—failed to detect and block two malware samples.


The work conducted by AVLab and other independent, third-party testers is vital to a transparent cybersecurity market. Users should not have to rely solely on the words of cybersecurity vendors, and vendors should be willing to submit their products to external reviews.

Malwarebytes is proud to once again achieve a 100% score with AVLab’s Advanced In-The-Wild Malware Test, a trusted resource that proves our commitment to user safety.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

ThreatDown achieves perfect score in latest AVLab assessment 

ThreatDown has once again earned a perfect score in AVLabs’ January 2024 real-world malware detection tests, marking the eleventh consecutive quarter in achieving this feat. 

Let’s delve into the details of the test and how ThreatDown outperformed competitors in exhaustive testing. 

The AVLab Assessment 

AVLab’s evaluation process is extensive and comprehensive, putting cybersecurity products through a rigorous series of real-world scenarios. The tests involve:

  1. Malware Collection: AVLab amasses a broad spectrum of malware samples from various sources, such as public feeds and custom honeypots. This ensures the test includes the most current and diverse set of threats. 
  2. System Log Analysis: The collected malware samples undergo thorough scrutiny to confirm their malicious characteristics and their ability to successfully infect a Windows 10 system. 
  3. Real-life Cyber Attack Simulations: All products are tested under the same conditions. AVLab recreates cyberattack scenarios akin to what’s seen in the real world, using techniques that actual attackers employ. 

Products that block all malware samples and achieve a maximum score of 100% protection are awarded an “Excellent” award badge. 


The Results 

ThreatDown consistently excels in the tests, and January 2024 was no different. ThreatDown Endpoint Protection earned “Excellent” badges for detecting and blocking 100% of malware. 


The standout performance is due to our superior detection approach that combines rules-based techniques with behavioral and AI-based methods to stop threats at every stage of an attack. Our proactive approach, which involves identifying threats even before they execute, played a crucial role in obtaining a perfect AVLab score.  

The Competition 

Other vendors struggled to match ThreatDown’s results. Five vendors—Cegis Cyber, F-Secure Total, Microsoft Defender, Panda Dome Advanced, and Webroot Antivirus—all missed samples in the January 2024 test.

The foundation for superior Endpoint Detection and Response (EDR) 

ThreatDown Endpoint Protection (EP) is not merely a standalone product; it’s the bedrock of our ThreatDown Bundles, which combines the technologies and services that resource constrained IT teams need to take down threats, complexity, and cost. 

Leveraging the robust detection and prevention capabilities validated by AVLab’s tests, ThreatDown Bundles deliver a simple yet superior solution integrating award-winning endpoint protection technologies. Learn more about ThreatDown Bundles here.

For a deeper dive into our performance, view the full AVLab report here. 

How to update outdated software on Mac endpoints: Introducing ThreatDown VPM for Mac  

ThreatDown is happy to announce that our Vulnerability Assessment and Patch Management (VPM) tool is now available for Mac endpoints. 

There are hundreds of third-party apps that Mac endpoints use on a daily basis—and with that large number of apps comes a dizzying amount of software updates to apply on a rolling basis.

With VPM for Mac, Nebula and OneView users can now easily find missing updates and install them to take care of the large volume of software updates in third-party applications on Mac endpoints. Some key features include: 

  • Single, lightweight agent: Updates install in minutes, using the same agent and cloud-based console that powers all ThreatDown endpoint security technologies. 
  • Quick scans: Identifies software updates in modern and legacy applications in less than a minute.
  • Install software updates easily: Create a schedule to install third-party software updates regularly. 

Let’s dive into how to set up software updates for Mac endpoints with ThreatDown VPM.

Configuring VPM for Mac 

To configure VPM for Mac in Nebula/OneView: 

  1. Go to Configure > Policies.
  2. Create a new policy or select an existing policy.
  3. Click the Software management tab.
  4. Check mark Allow scanning for known vulnerabilities in installed software Mac endpoints.
  5. Click Save.

In order to be able to apply software updates, users need to enable the policy setting Allow updating software inventory and applying Windows OS patches for endpoints for Mac.  


Viewing outdated software 

To view and update software: 

  1. Go to Monitor > Software Inventory page.
  2. Filter Update available as Yes.
  3. Click Actions.
  4. Select Update Software.
  5. Click Update.

You can also view outdated software by endpoint by: 

  1. Click Manage > Endpoints.
  2. Select specific endpoint(s) under the Software tab.
  3. Click Update Software.
  4. Click Update.

Updating outdated software 

To update outdated software, you can go directly to the Patch Management page as well: 

  1. Manage > Patch Management.
  2. Under Software Updates tab, select specific version(s).
  3. Click Actions.
  4. Select Update Software.
  5. Click Update.

Try VPM for Mac today

Third-party software updates for Mac endpoints are available on both Nebula and OneView for our Patch Management users or users on an Advanced bundle and above.

Not a user but looking to learn more on how to protect your Mac endpoints? Reach out for a quote today.

Microsoft Patch Tuesday March 2024 includes critical Hyper-V flaws

The March 2024 Patch Tuesday update includes patches for 61 Microsoft vulnerabilities. Only two of the vulnerabilities are rated critical and both of these are found in Windows Hyper-V.

Hyper-V is a hardware virtualization product that allows you to run multiple operating systems as virtual machines (VMs) on Windows. A virtual machine is a computer program that emulates a physical computer. A physical “host” computer can run multiple separate “guest” VMs that are isolated from each other, and from the host. The physical resources of the host are allocated to the VMs by a software layer called the hypervisor, which acts as an intermediary between the host and guests.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The Hyper-V CVEs patched in this round of updates are:

CVE-2024-21407 is a Windows Hyper-V Remote Code Execution (RCE) vulnerability with a CVSS score of 8.1 out of 10. Microsoft says exploitation is less likely since this vulnerability would require an authenticated attacker on a guest to send specially crafted file operation requests to hardware resources on the VM which could result in remote code execution on the host server.

This means the attacker would need a good deal of information about the specific environment, and to take additional actions prior to exploitation to prepare the target environment.

CVE-2024-21408 is a Windows Hyper-V Denial of Service (DoS) vulnerability with a CVSS score of 5.5 out of 10. This means an attacker could target a host machine from a guest and cause it to crash or stop functioning. However, Microsoft did not provide any additional details on how this DoS could occur.

The attention for Hyper-V is remarkable since only a week earlier, VMware released security updates to fix critical sandbox escape vulnerabilities in VMware ESXi, Workstation, Fusion, and Cloud Foundation. VMware ESXi and Hyper-V are both designed to handle large-scale virtualization deployments.

Another vulnerability worth mentioning is CVE-2024-21334, which has a CVSS score of 9.8 out of 10. It’s an Open Management Infrastructure (OMI) RCE vulnerability that affects System Center Operations Manager (SCOM). SCOM is a set of tools in Microsoft’s System Center for infrastructure monitoring and application performance management. A remote, unauthenticated attacker could exploit this vulnerability by accessing the OMI instance from the internet and sending specially crafted requests to trigger a use-after-free vulnerability.

OMI is an open source technology for environment management software products for Linux and Unix-based systems. The OMI project was set up to implement standards-based management so that every device in the world can be managed in a clear, consistent, and coherent way.

Use-after-free vulnerabilities are the result of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can exploit the error to manipulate the program. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

Microsoft states that if the Linux machines do not need network listening, OMI incoming ports can be disabled. In other cases, customers running affected versions of SCOM (System Center Operations Manager 2019 and 2022) should update to OMI version 1.8.1-0.

Other vendors

Other vendors have synchronized their periodic updates with Microsoft. Here are a few major ones that you may find in your environment.

Adobe has released security updates to address vulnerabilities in several products:

The Android Security Bulletin for February contains details of security vulnerabilities for patch level 2024-03-05 or later.

Apple has released a security update for iOS and iPadOS to patch two zero-day vulnerabilities

SAP has released its March 2024 Patch Day updates.


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

New Facebook photo rule hoax spreads

Some hoaxes on Facebook are years old, but like a cat with nine lives they keep coming back again and again. This is certainly the case with this most recent hoax.

Fact-checking site Snopes is reporting on a hoax that concerns Meta’s use of our photos, messages and other posts on Facebook. Users are told in numerous ways to repost something that contains the phrase:

“I do not authorize META, Facebook or any entity associated with Facebook to use my photos, information, messages or posts, past or future.”

“Hello 🔵 It’s official. Signed at 8:44 PM. It was even on TV. Mine really turned blue. Don’t forget that tomorrow starts the new Facebook rule (aka… new name, META) where they can use your photos. Don’t forget the deadline is today!!!

I do not authorize META, Facebook or any entity associated with Facebook to use my photos, information, messages or posts, past or future.

With this statement, I notify Facebook that it is strictly prohibited to disclose, copy, distribute or take any other action against me based on this profile and/or its contents. Violation of privacy may be punishable by law.

Here’s how to do it:

Hold your finger anywhere in this message and “copy” will appear. Click “copy”. Then go to your page, create a new post and place your finger anywhere in the empty field. “Paste” will appear and click Paste.

This will bypass the system….

He who does nothing consents.”

The first round of hoax posts similar to this one surfaced in 2012 (and have resurfaced many times since then). As you can see in this page on the Internet archives, Facebook even issued a statement about it:

“Fact Check

Copyright Meme Spreading on Facebook

There is a rumor circulating that Facebook is making a change related to ownership of users’ information or the content they post to the site. This is false. Anyone who uses Facebook owns and controls the content and information they post, as stated in our terms. They control how that content and information is shared. That is our policy, and it always has been.”

It’s not a Real Thing

With all the—legitimate—concern around keeping personal data private, one can see why people fall for hoaxes like this. However, this copy-paste post does nothing. Facebook doesn’t get to “own” your content and you don’t need to make any declarations about copyright issues since the law already protects you.

Equally, Facebook users cannot retroactively negate any of the privacy or copyright terms they agreed to when they signed up for their accounts, simply by posting a contrary legal notice on to Facebook.

In other words, you agreed to Facebook’s terms of use and when you did, you provided Facebook with a right to use, distribute, and share the things you post, subject to the terms and applicable privacy settings. If that doesn’t sit well with you, it’s worth considering deactivating or deleting your Facebook account.

Sharing posts like this “just in case” continues the hoax and unnecessarily worries people who might see your post. If you’re not sure about whether you should share something, it’s worth googling the post’s text to check if there are any alerts about it.

Check your own digital footprint

If you are worried about how much of your data has been exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.



FakeBat delivered via several active malvertising campaigns

February was a particularly busy month for search-based malvertising with the number of incidents we documented almost doubling. We saw similar payloads being dropped but also a few new ones that were particularly good at evading detection.

One malware family we have been tracking on this blog is FakeBat. It is unique in that the threat actor uses MSI installers packaged with heavily obfuscated PowerShell code. For weeks, the malvertiser helping to distribute this malware was abusing the same URL shortener services, which may have made the attack somewhat predictable. We saw them experimenting with new redirectors and in particular leveraging legitimate websites to bypass security checks.

Another interesting aspect is the diversity of the latest campaigns. For a while, we saw the same software brands (Parsec, Freecad) being impersonated over and over again. With this latest wave of FakeBat malvertising, we are seeing many different brands being targeted.

All the incidents described in this blog have been reported to Google.

New redirection chain

During the past several weeks, FakeBat malvertising campaigns used two kinds of ad URLs. As observed in other malvertising campaigns, they were abusing URL/analytics shorteners which are ideal for cloaking. That practice enables a threat actor to use a ‘good’ or ‘bad’ destination URL based on their own defined parameters (time of day, IP address, user-agent, etc.).


The other type of redirect was using subdomains from expired and sitting .com domains reassigned for malicious purposes. This is a common trick to give the illusion of credibility. However, in the most recent malvertising campaigns we see the threat actor abusing legitimate websites that appear to have been compromised.

It’s worth noting that the few examples we found were all Argentinian-based (.ar TLD):


Victims click on the ad which sends a request to those hacked sites. Because the request contains the Google referer, the threat actor is able to serve a conditional redirect to their own malicious site:


The full infection chain can be summarized in the web traffic image seen below:


Several active brand impersonations

There are currently several campaigns running including OneNote, Epic Games, Ginger and even the Braavos smart wallet application. A number of those malicious domains can be found on Russian-based hoster DataLine (78.24.180[.]93).


Each downloaded file is an MSIX installer signed with a valid digital certificate (Consoneai Ltd).


Once extracted, each installer contains more or less the same files with a particular PowerShell script:


When the installer is run, this PowerShell script will execute and connect to the attacker’s command and control server. Victims of interest will be cataloged for further use. ThreatDown EDR detects the PowerShell execution and creates an alert:


Conclusion

FakeBat continues to be a threat to businesses via malicious ads for popular software downloads. The malware distributors are able to bypass Google’s security checks and redirect victims to deceiving websites.

It is as important to defend against the supporting infrastructure as the malware payloads. However, that is not always easy since legitimate websites may be used to defeat domain blocklists. As always, blocking ads at the source via system policies such as ThreatDown DNS Filter remains one of the most effective ways to stop malvertising attacks in their tracks.
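Because legitimate sites can defeat domain blocklists, the chain described above can also be hunted by behaviour. The following Python example is added here and is not from the original article: it flags a client that follows a Google-referred cross-site redirect and then downloads an .msix file shortly afterwards. The log format, hostnames, the 10-minute window and all function names are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urljoin, urlsplit

# Constructed sample proxy log (hostnames and format are made up for this example).
# Fields: timestamp client url status referer location ("-" when absent).
SAMPLE_LOG = """\
2024-03-12T09:14:02 10.0.4.17 https://shop.example/?gclid=abc 302 https://www.google.com/ https://notes-download.example/
2024-03-12T09:14:03 10.0.4.17 https://notes-download.example/ 200 https://shop.example/ -
2024-03-12T09:14:40 10.0.4.17 https://files.example/Notes_setup.msix 200 https://notes-download.example/ -
2024-03-12T09:20:00 10.0.4.22 https://vendor.example/ 301 https://www.google.com/ https://www.vendor.example/
2024-03-12T09:21:00 10.0.4.22 https://www.vendor.example/app.msix 200 https://www.vendor.example/ -
2024-03-12T09:30:00 10.0.4.30 https://tools.example/agent.msix 200 https://intranet.example/ -
2024-03-12T10:00:00 10.0.4.41 https://blog.example/post 302 https://www.google.com.ar/ https://promo-landing.example/
2024-03-12T11:30:00 10.0.4.41 https://files.example/Tool.msix 200 - -
"""

# Matches google.com, www.google.com, www.google.com.ar; not google.evil.example.
GOOGLE_HOST = re.compile(r"(^|\.)google\.[a-z]{2,3}(\.[a-z]{2})?$")


def same_site(a, b):
    """Rough same-site test: equal hosts, or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def parse(line):
    """Turn one log line into a dict of the fields the detection needs."""
    ts, client, url, status, referer, location = line.split()
    loc_host = ""
    if location != "-":
        # Location may be relative, so resolve it against the request URL.
        loc_host = urlsplit(urljoin(url, location)).hostname or ""
    return {
        "ts": datetime.fromisoformat(ts),
        "client": client,
        "url": url,
        "host": urlsplit(url).hostname or "",
        "path": urlsplit(url).path,
        "status": int(status),
        "ref_host": urlsplit(referer).hostname or "",
        "loc_host": loc_host,
    }


def find_chains(log_text, window=timedelta(minutes=10)):
    """Return alerts for: Google-referred cross-site 3xx, then an .msix download.

    Assumes the log is sorted by time. The download host is not required to
    match the landing host, since the installer may be hosted elsewhere.
    """
    pending = {}  # client -> (time, redirecting host, landing host)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ev = parse(line)
        is_redirect = 300 <= ev["status"] < 400 and ev["loc_host"]
        if (is_redirect and GOOGLE_HOST.search(ev["ref_host"])
                and not same_site(ev["host"], ev["loc_host"])):
            # A site reached from Google bounced the visitor to another site.
            pending[ev["client"]] = (ev["ts"], ev["host"], ev["loc_host"])
        elif ev["status"] == 200 and ev["path"].lower().endswith(".msix"):
            hit = pending.get(ev["client"])
            if hit and ev["ts"] - hit[0] <= window:
                alerts.append({
                    "client": ev["client"],
                    "via": hit[1],
                    "landing": hit[2],
                    "download": ev["url"],
                })
    return alerts


if __name__ == "__main__":
    for alert in find_chains(SAMPLE_LOG):
        print(alert)
```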
