Fake AV websites used to distribute info-stealer malware


In mid-April 2024, researchers from the Trellix Advanced Research Center uncovered a series of fraudulent antivirus (AV) websites used as vehicles to distribute malware. These malicious websites, cleverly disguised as legitimate products from trusted brands like Avast, Bitdefender, and Malwarebytes, served as conduits for spreading harmful software.

The identified fake AV sites, including avast-securedownload.com, bitdefender-app.com, and malwarebytes.pro, hosted a variety of sophisticated malicious files. These files, ranging from APKs to EXE and Inno Setup installers, carried spyware and information-stealer capabilities, posing significant threats to unsuspecting users.

Here’s a breakdown of the malware distributed through these fraudulent websites:

  • avast-securedownload[.]com: This site distributed the SpyNote trojan disguised as an Android package file named “Avast.apk.” Once installed, the malware requested intrusive permissions (access to SMS messages and call logs, installing and deleting apps, screenshot capture, and location tracking) and also carried cryptocurrency-mining functionality.
  • bitdefender-app[.]com: Hosting a ZIP archive file named “setup-win-x86-x64.exe.zip,” this site deployed the Lumma information stealer, a malicious program designed to gather sensitive data from infected systems.
  • malwarebytes[.]pro: This site distributed a RAR archive file named “MBSetup.rar,” containing the StealC information stealer malware, which similarly aimed to harvest valuable information from compromised devices.
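The common thread in the three sites above is brand impersonation: each domain embeds a trusted AV vendor's name but is not that vendor's registered domain, and each serves an installer or archive. A defender can turn that pattern into a simple detection over web-proxy logs. The following script is an added example written for this page, not code from Trellix or Security Affairs; the legitimate vendor domains in BRAND_DOMAINS are assumptions that should be checked against each vendor's published download sites, and the proxy log lines are constructed to exercise the three domains and filenames named in the breakdown.

```python
import re
from urllib.parse import urlparse

# Legitimate registrable domains for the impersonated brands.
# ASSUMPTION: verify against each vendor's published download domains before relying on it.
BRAND_DOMAINS = {
    "avast": {"avast.com"},
    "bitdefender": {"bitdefender.com"},
    "malwarebytes": {"malwarebytes.com"},
}

# File extensions that warrant a closer look when fetched from a lookalike domain.
RISKY_EXTENSIONS = (".apk", ".exe", ".msi", ".zip", ".rar")

# Constructed sample proxy log: "<timestamp> <client-ip> <method> <url> <status>".
# The lookalike domains and filenames are the ones named in the article; the rest is made up.
SAMPLE_PROXY_LOG = """\
2024-04-15T10:02:11Z 10.0.0.23 GET https://www.avast.com/download-thank-you.php 200
2024-04-15T10:05:42Z 10.0.0.23 GET http://avast-securedownload.com/Avast.apk 200
2024-04-15T10:07:03Z 10.0.0.41 GET https://bitdefender-app.com/setup-win-x86-x64.exe.zip 200
2024-04-15T10:09:27Z 10.0.0.41 GET https://download.bitdefender.com/windows/installer.exe 200
2024-04-15T10:12:50Z 10.0.0.57 GET https://malwarebytes.pro/MBSetup.rar 200
2024-04-15T10:14:19Z 10.0.0.57 GET https://www.example.org/index.html 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def registrable_domain(host):
    """Return the last two labels of a hostname (e.g. 'download.bitdefender.com' -> 'bitdefender.com').
    Deliberately naive: it does not handle multi-label public suffixes such as co.uk."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_brand_lookalike(host):
    """Return the impersonated brand name when the host contains a brand token but is
    neither the brand's legitimate registrable domain nor a subdomain of it; else None."""
    host = host.lower()
    reg = registrable_domain(host)
    for brand, legit in BRAND_DOMAINS.items():
        if brand in host and reg not in legit:
            return brand
    return None


def find_lookalike_downloads(log_text):
    """Scan proxy log lines and report requests to brand-lookalike domains,
    noting whether the fetched file has a risky installer/archive extension."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the scan
        ts, client, _method, url, _status = m.groups()
        parsed = urlparse(url)
        host = parsed.hostname or ""
        brand = is_brand_lookalike(host)
        if brand is None:
            continue
        filename = parsed.path.rsplit("/", 1)[-1]
        findings.append({
            "time": ts,
            "client": client,
            "host": host,
            "brand": brand,
            "file": filename,
            "risky_file": filename.lower().endswith(RISKY_EXTENSIONS),
        })
    return findings


if __name__ == "__main__":
    for hit in find_lookalike_downloads(SAMPLE_PROXY_LOG):
        print(f"{hit['time']} {hit['client']} fetched {hit['file']} from {hit['host']} "
              f"(impersonates {hit['brand']}, risky file: {hit['risky_file']})")
```

The brand-token check is intentionally broad: any domain that merely contains a vendor name and is not the vendor's own domain is flagged, which will also surface harmless third-party pages that mention a brand. That is acceptable for a triage feed, and the risky_file flag lets an analyst sort the installer downloads to the top.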

In addition to these malware-laden files, the researchers also uncovered a malicious binary masquerading as a legitimate Trellix file (AMCoreDat.exe).

Although the researchers did not attribute these attacks to any specific threat actor, they provided Indicators of Compromise (IoCs) in their report to help organizations identify and respond to similar attacks utilizing fake AV websites.

Source: securityaffairs.com