Wilson's Media

A Tech & Gaming Blog

Watch out – that antivirus website could be a fake, and infecting your PC with malware

  • Researchers found a website spoofing Bitdefender antivirus
  • The site delivers a remote access trojan
  • Crooks are using it to steal people’s money

One of the best antivirus programs out there is being abused in a new campaign delivering the dangerous VenomRAT Remote Access Trojan (RAT).

Cybersecurity researchers Domaintools recently posted an in-depth analysis of the malicious operation after they spotted a malicious domain called “bitdefender-download[.]com”, which leads to a website titled “DOWNLOAD FOR WINDOWS”.

Aside from a few subtle differences, the website looks seemingly identical to the legitimate Bitdefender download web page: “There are subtle differences between them such as the legitimate page using the word “free” in several places whereas the spoofed version does not,” it was explained.

VenomRAT

The landing page has a “Download for Windows” button, which triggers a file download from an Amazon S3 bucket.

The bundled executable is named “StoreInstaller.exe”, and was found to contain malware configurations associated with VenomRAT, Domaintools further explained. It also contained code associated with open source post-exploitation framework SilentTrinity and StormKitty stealer.

VenomRAT is a lightweight RAT that cybercriminals use to gain control over compromised Windows systems. It enables the theft of login credentials, and allows threat actors to log keystrokes, access webcams, and run additional commands, remotely.

In this case, Domaintools says the goal was to steal people’s cryptocurrency and then sell the access to a different threat actor, saying there is “clear intent to target individuals for financial gain by compromising their credentials, crypto wallets, and potentially selling access to their systems.”

The researchers also found that the campaign overlaps, both in time and infrastructure, to other malicious operations in which banks and “generic IT services” were being impersonated. The Armenian IDBank, and the Royal Bank of Canada, are some of the companies being mentioned in the report.

As usual, the best way to minimize these threats is to be careful when clicking on links in emails and social media messages, and only download software from legitimate sources.

You might also like


Source

Researchers found a website spoofing Bitdefender antivirus The site delivers a remote access trojan Crooks are using it to steal people’s money One of the best antivirus programs out there is being abused in a new campaign delivering the dangerous VenomRAT Remote Access Trojan (RAT). Cybersecurity researchers Domaintools recently posted…

Tags: ,
Previous Post
Next Post

Leave a Reply

Your email address will not be published. Required fields are marked *

Recent Posts

Archives