The NUMOZYLOD malware household, also referred to as FakeBat, EugenLoader, and PaykLoader, has been linked to a surge in malware infections originating from malvertising campaigns.
Researchers have analyzed the malware household to know its an infection strategies and tailor-made variants to focused victims.
The Rise of NUMOZYLOD
Since mid-2023, Mandiant Managed Protection has observed a surge in malware infections originating from malvertising campaigns. These assaults goal customers in search of in style enterprise software program via the usage of a trojanized MSIX installers to execute PowerShell scripts and obtain a further secondary payload. Researchers monitor this PowerShell script as NUMOZYLOD and attributes its distribution to the menace actor UNC4536, working beneath the moniker ‘eugenfest.’
UNC4536 is a part of a Malware-as-a-Service (MaaS) operation, distributing a wide range of malware, together with ICEDID, REDLINESTEALER, CARBANAK, LUMMASTEALER, and ARECHCLIENT2. Researchers observe this as proof of a surging underground financial system, the place menace actors actively collaborate to satisfy the provision and demand for specialised instruments and companies to hold out assault campaigns.
Exploiting MSIX for Covert Malware Distribution
A key characteristic of MSIX, the Home windows software packaging format, is its potential to execute scripts with the assistance of the Package deal Help Framework (PSF). Risk actors have exploited this by bundling a malicious payload, reminiscent of NUMOZYLOD, inside the MSIX package deal, which is then executed in the course of the software program set up course of.
Evaluation of the trojanized MSIX file construction reveals how menace actors stage their sources and abuse MSIX options to realize preliminary entry and evade detection. The construction consists of a number of key elements, together with:
- AppxManifest.xml: This XML file is the center of the MSIX installer, specifying how the package deal is to be put in. It lists the languages supported by the applying, which may provide perception into the malware writer’s origin or the supposed target market for the malware’s distribution.
- Config.json: This configuration file is utilized by the Package deal Help Framework (PSF) to deal with duties that normal MSIX installations can’t instantly assist, reminiscent of launching particular processes alongside the principle software. Within the case of NUMOZYLOD, the config.json file instructs the MSIX installer to set off the execution of the malicious PowerShell script in the course of the set up of the software program.
- StartingScriptWrapper.ps1: This file serves as a wrapper for executing PowerShell scripts specified within the config.json file.
- Digital File System (VFS) folder: This digital space for storing inside the MSIX package deal holds the applying’s recordsdata and folders, separating them from the principle system.
Delivering Tailor-made Payload Variants
UNC4536 operates as a malware distributor, leveraging NUMOZYLOD to ship varied secondary payloads to its “enterprise companions.” The researchers have noticed two NUMOZYLOD variants up to now, every distributing completely different malware households.
In a single marketing campaign, NUMOZYLOD was used to unfold the CARBANAK backdoor, leveraging website positioning poisoning techniques to direct victims to a malicious web site mimicking the authentic KeePass password supervisor. This NUMOZYLOD variant transmitted host data to attackers, subsequently downloading and executing the CARBANAK malware on contaminated programs.
In one other marketing campaign, the researchers noticed a closely obfuscated NUMOZYLOD variant utilized to ship the LUMMASTEALER infostealer payload. This variant employed a number of layers of obfuscation to impede evaluation and evade security measures, together with disabling the Antimalware Scan Interface (AMSI) to run undetected.
The researchers have shared customized YARA-L guidelines to assist defend in opposition to the marketing campaign by detecting execution of the malicious Powershell scripts and executable file related to the assaults.
