Hackers Mimic Popular Antivirus Site to Deliver VenomRAT & Steal Finance Data

Cybercriminals have recently escalated their tactics, launching a sophisticated malware campaign that exploits a counterfeit Bitdefender antivirus website. This fraudulent site is designed to distribute a trio of malicious programs, all aimed at stealing financial data and ensuring persistent access to victims’ computers.

According to DomainTools Intelligence (DTI), this deceptive site is part of a larger operation focused on targeting users’ cryptocurrency wallets, banking credentials, and personal information. The domain “bitdefender-download[.]co” closely resembles the legitimate Bitdefender antivirus download page, creating a challenge for users attempting to discern between the authentic and the counterfeit.

Upon clicking the “Download For Windows” button, unsuspecting visitors inadvertently initiate the download of a ZIP file that harbors three distinct pieces of malware: VenomRAT, StormKitty, and SilentTrinity.

Fake Bitdefender page

Multi-Stage Attack Strategy

The attack unfolds with a file hosted on Bitbucket that redirects users to Amazon S3 storage, lending an air of legitimacy to the download process. The bundled executable, masquerading as “StoreInstaller.exe,” contains configurations for all three malware families, each playing a specific role in the cybercriminals’ scheme.

VenomRAT, characterized by security firm Acronis as a remote access tool with “dangerous consequences,” serves as the primary gateway, granting attackers initial and ongoing access to victim machines. This malware, which is a derivative of the open-source Quasar RAT, is capable of stealing files, cryptocurrency wallets, browser data—including credit card details—and executing keylogging activities.

StormKitty operates as a rapid credential harvester, swiftly collecting sensitive information from the compromised system. In parallel, SilentTrinity, an open-source post-exploitation framework, ensures stealthy long-term access, allowing for potential repeat compromises or the sale of access to other criminals.

The malware specifically zeroes in on financial data, with VenomRAT adept at pilfering cryptocurrency wallets and browser-stored banking information. Recent analyses indicate that newer iterations of VenomRAT have broadened their capabilities to include the theft of credit card information.

DTI’s investigation revealed that the fake Bitdefender site shares infrastructure with other malicious domains impersonating banks and IT services, suggesting a coordinated phishing operation. This campaign also includes fraudulent sites that spoof the online banking portals of the Armenian IDBank and the Royal Bank of Canada.

DomainTools researchers observe that the use of multiple open-source malware tools reflects the attackers’ dual focus: rapidly harvesting financial credentials and crypto wallets during initial access while simultaneously establishing stealthy, persistent access for potential long-term exploitation. The attackers have consistently used the same command-and-control infrastructure across the samples analyzed, with researchers identifying the IP address 67.217.228.160:4449 as a reliable connection point.

Protection Recommendations

In response to this threat, Bitdefender has acknowledged the situation and is actively working to take the fraudulent site offline. Their security software is equipped to detect the malicious files associated with this campaign. Additionally, Google Chrome has begun flagging the fake download link as malicious, effectively preventing user access.

Security experts advise exercising extreme caution when downloading software, emphasizing the importance of verifying website authenticity and steering clear of suspicious links or email attachments. Users are encouraged to download antivirus software exclusively from official vendor websites and to remain vigilant against unsolicited security warnings that prompt immediate software downloads.
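The indicators quoted above (the lookalike domain, the StoreInstaller.exe dropper name and the 67.217.228.160:4449 command-and-control endpoint) and the advice to download only from official vendor sites both reduce to checks a SOC can automate. The following Python is an added example written for this page; it is not code from DomainTools, Bitdefender or the malware authors. The official-domain allowlist, the proxy and flow log formats, and every log line are assumptions constructed for the example.

```python
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# Indicators as published in the writeup above (the defanged
# "bitdefender-download[.]co" is refanged here for matching).
FAKE_DOMAIN = "bitdefender-download.co"
C2_IP = "67.217.228.160"
C2_PORT = 4449
DROPPER_NAME = "storeinstaller.exe"  # compared case-insensitively

# ASSUMPTION: allowlist of the vendor's official download domains.
# Confirm against the vendor's own documentation before deploying.
OFFICIAL_DOMAINS = {"bitdefender.com"}
# Brand strings whose presence in a host outside the allowlist is suspicious.
BRAND_TOKENS = ("bitdefender",)


def registered_domain(host: str) -> str:
    """Return the last two DNS labels (example.com). Deliberately naive:
    country-code second-level domains such as co.uk need a public-suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def classify_download_url(url: str) -> str:
    """'official' if the registered domain is allowlisted, 'lookalike' if a
    brand token appears anywhere in a non-allowlisted host, else 'unknown'.
    Legitimate third-party mirrors will also be flagged; that is intentional."""
    host = (urlsplit(url).hostname or "").lower()
    if registered_domain(host) in OFFICIAL_DOMAINS:
        return "official"
    if any(token in host for token in BRAND_TOKENS):
        return "lookalike"
    return "unknown"


# Assumed proxy log format: "<timestamp> <client-ip> <method> <url> <status>".
PROXY_LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$")
# Assumed flow log format: "<timestamp> <src>:<sport> -> <dst>:<dport> <proto>".
FLOW_LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$")


def scan_proxy_log(text: str) -> List[Tuple[int, str]]:
    """Flag requests to the known fake domain, to brand-lookalike hosts, and
    for the published dropper filename regardless of where it is hosted."""
    findings: List[Tuple[int, str]] = []
    for n, line in enumerate(text.splitlines(), 1):
        m = PROXY_LOG_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not silently matched
        parts = urlsplit(m["url"])
        host = (parts.hostname or "").lower()
        if registered_domain(host) == FAKE_DOMAIN:
            findings.append((n, "known fake vendor domain"))
        elif classify_download_url(m["url"]) == "lookalike":
            findings.append((n, "brand lookalike domain"))
        if parts.path.lower().endswith("/" + DROPPER_NAME):
            findings.append((n, "dropper filename"))
    return findings


def scan_flow_log(text: str) -> List[Tuple[int, str]]:
    """Flag traffic to the published C2 host; the exact port is the strongest
    signal, but any port on that host still deserves a look."""
    findings: List[Tuple[int, str]] = []
    for n, line in enumerate(text.splitlines(), 1):
        m = FLOW_LOG_RE.match(line)
        if not m:
            continue
        if m["dst"] == C2_IP and int(m["dport"]) == C2_PORT:
            findings.append((n, "connection to published C2 endpoint"))
        elif m["dst"] == C2_IP:
            findings.append((n, "connection to C2 host on another port"))
    return findings


# Constructed sample logs (not real telemetry); 203.0.113.7 is a documentation address.
SAMPLE_PROXY_LOG = """\
2025-05-27T10:01:12Z 10.0.0.15 GET https://bitdefender-download.co/download/windows 200
2025-05-27T10:01:40Z 10.0.0.15 GET https://www.bitdefender.com/en-us/consumer 200
2025-05-27T10:02:05Z 10.0.0.15 GET https://bitbucket.org/example-workspace/downloads/StoreInstaller.exe 302
2025-05-27T10:02:06Z 10.0.0.15 GET https://example-bucket.s3.amazonaws.com/StoreInstaller.exe 200
2025-05-27T10:02:30Z 10.0.0.22 GET https://example.org/index.html 200
"""
SAMPLE_FLOW_LOG = """\
2025-05-27T10:03:10Z 10.0.0.15:51522 -> 67.217.228.160:4449 TCP
2025-05-27T10:03:11Z 10.0.0.15:51523 -> 203.0.113.7:443 TCP
2025-05-27T10:05:00Z 10.0.0.15:51530 -> 67.217.228.160:8080 TCP
"""

if __name__ == "__main__":
    for n, reason in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"proxy line {n}: {reason}")
    for n, reason in scan_flow_log(SAMPLE_FLOW_LOG):
        print(f"flow line {n}: {reason}")
```

The dropper-filename check is kept independent of the host check because the writeup describes the payload being served from Bitbucket and Amazon S3 rather than from the fake domain itself; matching only the lookalike domain would miss the download stage. The same classify_download_url function can sit in front of a software-deployment pipeline to enforce the "official vendor websites only" recommendation.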

This campaign underscores the evolving sophistication of cybercriminal operations, where seemingly legitimate websites serve as gateways for multi-stage attacks targeting users’ most sensitive financial information.

