Fake AV websites used to distribute info-stealer malware

Summary: Researchers have discovered multiple fake AV sites that are distributing info-stealers, including APK, EXE, and Inno Setup installer files with spy and stealer capabilities. These sites masquerade as legitimate antivirus products from Avast, Bitdefender, and Malwarebytes.

Threat Actor: Unknown | Unknown
Victim: Users who visit the fake AV sites

Key Points:

  • The fake AV sites distribute malicious files such as APK, EXE, and Inno Setup installers.
  • The malicious websites masquerade as legitimate antivirus products from Avast, Bitdefender, and Malwarebytes.
  • The malicious files have spy and stealer capabilities, allowing the threat actor to collect sensitive information from victims.

The content:

In mid-April 2024, researchers at the Trellix Advanced Research Center spotted multiple fake AV sites used to distribute info-stealers. The malicious websites hosted sophisticated malicious files, such as APK, EXE and Inno Setup installers, with spy and stealer capabilities.

The fake websites were masquerading as legitimate antivirus products from Avast, Bitdefender, and Malwarebytes.

The sites hosting malware are avast-securedownload.com (Avast.apk), bitdefender-app.com (setup-win-x86-x64.exe.zip), and malwarebytes.pro (MBSetup.rar).

Below is the list of malicious websites analyzed by the researchers:

  1. avast-securedownload[.]com: Distributes the SpyNote trojan as an Android package file (“Avast.apk”), which, once installed, requests intrusive permissions such as reading SMS messages and call logs, installing and deleting apps, taking screenshots, tracking location, and mining cryptocurrency.
  2. bitdefender-app[.]com: Distributes a ZIP archive file (“setup-win-x86-x64.exe.zip”) that was used to deploy the Lumma information stealer.
  3. malwarebytes[.]pro: Distributes a RAR archive file (“MBSetup.rar”) that was used to deploy the StealC information stealer malware.

The experts also discovered a malicious binary (AMCoreDat.exe) that pretends to be a legitimate Trellix binary.
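As an added example (not code from the article or from Trellix), the pattern the three hosts above share, a vendor brand name in the hostname that is not the vendor's own domain, combined with an installer or archive download, can be turned into a simple proxy-log check. The vendor domain allow-list, the log line format and the sample lines are assumptions constructed for this example.

```python
import re
from urllib.parse import urlparse

# Brand tokens -> the vendors' real download domains. The allow-list is an
# assumption of this example, not something the article states.
VENDOR_DOMAINS = {
    "avast": ("avast.com",),
    "bitdefender": ("bitdefender.com",),
    "malwarebytes": ("malwarebytes.com",),
}
# File types the fake sites served, per the article (APK, EXE, ZIP, RAR).
INSTALLER_EXTS = (".apk", ".exe", ".zip", ".rar")
# Constructed proxy-log format: <timestamp> <client-ip> <method> <url> <status>
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def classify_url(url):
    """Return (brand, reason) if the URL impersonates an AV vendor, else None."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    for brand, domains in VENDOR_DOMAINS.items():
        # A vendor brand in the host that is neither the vendor's own domain nor
        # a subdomain of it is the lookalike pattern all three fake sites follow.
        legit = any(host == d or host.endswith("." + d) for d in domains)
        if brand in host and not legit:
            if parsed.path.lower().endswith(INSTALLER_EXTS):
                return brand, "lookalike_installer_download"
            return brand, "lookalike_host"
    return None

def find_fake_av_hits(log_lines):
    """Scan proxy log lines; return (client_ip, host, brand, reason) per hit."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        _, client_ip, _, url, _ = m.groups()
        verdict = classify_url(url)
        if verdict:
            hits.append((client_ip, urlparse(url).hostname, *verdict))
    return hits

# Constructed sample lines: the three hosts from the article plus benign traffic.
SAMPLE_LOG = [
    "2024-04-15T10:22:01Z 10.0.0.5 GET http://avast-securedownload.com/Avast.apk 200",
    "2024-04-15T10:23:44Z 10.0.0.7 GET https://bitdefender-app.com/setup-win-x86-x64.exe.zip 200",
    "2024-04-15T10:25:10Z 10.0.0.9 GET https://malwarebytes.pro/MBSetup.rar 200",
    "2024-04-15T10:26:30Z 10.0.0.5 GET https://www.avast.com/index.html 200",
    "2024-04-15T10:27:02Z 10.0.0.8 GET https://downloads.malwarebytes.com/file/mb-windows 302",
]
```

Running `find_fake_av_hits(SAMPLE_LOG)` flags only the three lookalike downloads; the vendor's own domain and its subdomain pass, which is what keeps the check from alerting on legitimate AV updates.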

The researchers did not attribute the attacks to a specific threat actor. The report also includes Indicators of Compromise (IoCs) for the attacks employing fake AV websites.

Pierluigi Paganini





Source: https://securityaffairs.com/163673/cyber-crime/fake-av-websites-distribute-malware.html

