Fake Antivirus Sites Spread Malware Disguised as Avast, MalwareBytes, BitDefender
In April 2024, Trellix Advanced Research Center team members discovered several fake antivirus sites hosting sophisticated malicious files, including APK, EXE, and Inno Setup installers. These sites are used to distribute the SpyNote trojan, Lumma malware, and StealC malware. The malware hosts include avast-securedownload[.]com, bitdefender-app[.]com, and malwarebytes[.]pro.

avast-securedownload[.]com hosts a sophisticated APK called Avast.apk that delivers the SpyNote trojan, which can install and delete packages and read call logs, SMS, contacts, storage data, phone state, and more. It also has a recorder, a touch activity tracker, and update capabilities.

bitdefender-app[.]com delivers a zip file, “setup-win-x86-x64[.]exe[.]zip”, containing an EXE with a discreet TLS callback function. It delivers Lumma malware, which targets sensitive information such as PC name, username, HWID, screen resolution, CPU, installed memory, running processes, login data, history, cookies, tokens, and user profile information.

malwarebytes[.]pro delivers RAR files containing legitimate DLLs, Inno Setup, and the StealC infostealing malware. The stolen contents are compressed with gzip and transferred to the attacker’s C2 server. The stolen information includes account tokens, Steam tokens, saved card details, system profiles, Telegram logins, running process names, installed browser lists, and common system information.
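As an added example (not code from the article or from Trellix), the following check flags hosts that carry one of the three impersonated brand names but are not served from the vendor's own domain; the official-domain allow-list and the proxy log lines are constructed assumptions for this example.

```python
import re

# Assumed official download domains for the three impersonated vendors (example allow-list).
OFFICIAL = {
    "avast": {"avast.com"},
    "bitdefender": {"bitdefender.com"},
    "malwarebytes": {"malwarebytes.com"},
}

# Constructed proxy log lines: timestamp, client, method, host, path, status.
SAMPLE_LOG = """2024-04-12T10:01:22Z 10.0.0.5 GET avast-securedownload.com /Avast.apk 200
2024-04-12T10:02:03Z 10.0.0.7 GET www.avast.com /download 200
2024-04-12T10:03:41Z 10.0.0.9 GET bitdefender-app.com /setup-win-x86-x64.exe.zip 200
2024-04-12T10:04:10Z 10.0.0.5 GET malwarebytes.pro /update.rar 200
2024-04-12T10:05:00Z 10.0.0.3 GET example.org / 200"""


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'hxxps://avast-securedownload[.]com/x' into a bare hostname."""
    host = indicator.strip().lower()
    host = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", host)
    host = re.sub(r"^(hxxps?|https?)://", "", host)
    return host.split("/")[0]


def registrable(host: str) -> str:
    """Last two labels; adequate for .com/.pro, not for multi-label suffixes like .co.uk."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(indicator: str) -> tuple[str, str]:
    """Return (brand, verdict): 'official', 'impersonation', or 'unknown' when no brand appears."""
    host = refang(indicator)
    base = registrable(host)
    squashed = host.replace("-", "").replace("_", "")
    for brand, allowed in OFFICIAL.items():
        if brand in squashed:
            return (brand, "official" if base in allowed else "impersonation")
    return ("", "unknown")


def scan_proxy_log(log_text: str) -> list[tuple[str, str]]:
    """Return (host, brand) for every log line whose host impersonates a vendor."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; skip rather than crash
        brand, verdict = classify(fields[3])
        if verdict == "impersonation":
            hits.append((fields[3], brand))
    return hits
```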
News source
https://www.hackread.com/fake-antivirus-sites-malware-avast-malwarebytes-bitdefender/