The NUMOZYLOD malware family, also known as FakeBat, EugenLoader, and PaykLoader, has been linked to a surge in malware infections originating from malvertising campaigns.
Researchers have analyzed the malware family to understand its infection methods and tailored variants to targeted victims.
The Rise of NUMOZYLOD
Since mid-2023, Mandiant Managed Defense has observed a surge in malware infections originating from malvertising campaigns. These attacks target users seeking popular business software through the use of a trojanized MSIX installers to execute PowerShell scripts and download an additional secondary payload. Researchers track this PowerShell script as NUMOZYLOD and attributes its distribution to the threat actor UNC4536, operating under the moniker ‘eugenfest.’
UNC4536 is part of a Malware-as-a-Service (MaaS) operation, distributing a variety of malware, including ICEDID, REDLINESTEALER, CARBANAK, LUMMASTEALER, and ARECHCLIENT2. Researchers note this as evidence of a surging underground economy, where threat actors actively collaborate to fulfill the supply and demand for specialized tools and services to carry out attack campaigns.
Exploiting MSIX for Covert Malware Distribution
A key feature of MSIX, the Windows application packaging format, is its ability to execute scripts with the help of the Package Support Framework (PSF). Threat actors have exploited this by bundling a malicious payload, such as NUMOZYLOD, within the MSIX package, which is then executed during the software installation process.
Analysis of the trojanized MSIX file structure reveals how threat actors stage their resources and abuse MSIX features to gain initial access and evade detection. The structure consists of several key components, including:
- AppxManifest.xml: This XML file is the heart of the MSIX installer, specifying how the package is to be installed. It lists the languages supported by the application, which can offer insight into the malware author’s origin or the intended target audience for the malware’s distribution.
- Config.json: This configuration file is used by the Package Support Framework (PSF) to handle tasks that standard MSIX installations cannot directly support, such as launching specific processes alongside the main application. In the case of NUMOZYLOD, the config.json file instructs the MSIX installer to trigger the execution of the malicious PowerShell script during the installation of the software.
- StartingScriptWrapper.ps1: This file serves as a wrapper for executing PowerShell scripts specified in the config.json file.
- Virtual File System (VFS) folder: This virtual storage space within the MSIX package holds the application’s files and folders, separating them from the main system.
Delivering Tailored Payload Variants
UNC4536 operates as a malware distributor, leveraging NUMOZYLOD to deliver various secondary payloads to its “business partners.” The researchers have observed two NUMOZYLOD variants so far, each distributing different malware families.
In one campaign, NUMOZYLOD was used to spread the CARBANAK backdoor, leveraging SEO poisoning tactics to direct victims to a malicious website mimicking the legitimate KeePass password manager. This NUMOZYLOD variant transmitted host information to attackers, subsequently downloading and executing the CARBANAK malware on infected systems.
In another campaign, the researchers observed a heavily obfuscated NUMOZYLOD variant utilized to deliver the LUMMASTEALER infostealer payload. This variant employed multiple layers of obfuscation to impede analysis and evade security measures, including disabling the Antimalware Scan Interface (AMSI) to run undetected.
The researchers have shared custom YARA-L rules to help protect against the campaign by detecting execution of the malicious Powershell scripts and executable file associated with the attacks.