Threat Actors Exploit Fake Antivirus Websites to Spread Malware
Threat actors have been observed using fake websites posing as legitimate antivirus solutions from Avast, Bitdefender, and Malwarebytes to distribute malware that can steal sensitive information from Android and Windows devices.
“Hosting malicious software on sites that appear legitimate is harmful to consumers, especially those seeking to protect their devices from cyber attacks,” said Trellix security researcher Gurumoorthi Ramanathan.
The list of deceptive websites includes:
- avast-securedownload[.]com, which delivers the SpyNote trojan disguised as an Android package file (“Avast.apk”)
- bitdefender-app[.]com, which distributes the Lumma information stealer malware
- malwarebytes[.]pro, which deploys the StealC information stealer malware
The cybersecurity firm also uncovered a rogue Trellix binary named “AMCoreDat.exe” that drops a stealer malware capable of harvesting victim information, including browser data.
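A defender reading the indicators above will want to find the same pattern in their own telemetry: names that contain a security vendor's brand but are not the vendor's own registrable domain. The following is an added example, not part of Trellix's research or the article; the vendor allowlist and the DNS log line format are assumptions for the example, and the three flagged names are the article's own indicators, refanged.

```python
import re

# Assumed allowlist of each vendor's own registrable domain (not from the article).
VENDOR_DOMAINS = {
    "avast": {"avast.com"},
    "bitdefender": {"bitdefender.com"},
    "malwarebytes": {"malwarebytes.com"},
    "trellix": {"trellix.com"},
}

def refang(domain):
    """Turn a defanged indicator (example[.]com) back into a real hostname."""
    return domain.replace("[.]", ".").strip(".").lower()

def registrable(domain):
    """Crude eTLD+1 (last two labels). Fine for .com/.pro; not Public-Suffix-List aware."""
    return ".".join(domain.split(".")[-2:])

def brand_lookalike(domain):
    """Return the vendor a domain imitates, or None if it is the vendor's own or unrelated."""
    base = registrable(refang(domain))
    for brand, allowed in VENDOR_DOMAINS.items():
        if brand in base and base not in allowed:
            return brand
    return None

# Assumed log line shape: "<timestamp> client <ip> query: <name> <type>"
QUERY_RE = re.compile(r"query: (?P<name>[A-Za-z0-9.\-]+)")

def scan_dns_log(lines):
    """Return (log_line, domain, brand) for each query to a vendor-lookalike domain."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m is None:
            continue
        brand = brand_lookalike(m.group("name"))
        if brand is not None:
            hits.append((line, refang(m.group("name")), brand))
    return hits

# Constructed sample log lines: legitimate vendor hosts mixed with the article's indicators.
SAMPLE_LOG = [
    "2024-05-28T10:01:02Z client 10.0.0.5 query: www.avast.com A",
    "2024-05-28T10:01:07Z client 10.0.0.5 query: avast-securedownload.com A",
    "2024-05-28T10:02:11Z client 10.0.0.9 query: downloads.bitdefender.com A",
    "2024-05-28T10:02:15Z client 10.0.0.9 query: bitdefender-app.com A",
    "2024-05-28T10:03:40Z client 10.0.0.12 query: cdn.malwarebytes.pro A",
    "2024-05-28T10:03:41Z client 10.0.0.12 query: example.org A",
]
```

The substring match is deliberately broad, so unrelated names that happen to contain a brand string will also surface; treat hits as triage leads and extend the allowlist as legitimate vendor domains (regional sites, CDNs) turn up.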
It remains unclear how these fraudulent websites are disseminated, but past campaigns have utilized techniques like malvertising and search engine optimization (SEO) poisoning.
Stealer malware has become a prevalent threat, with cybercriminals offering various custom variants, including new ones like Acrid, SamsStealer, ScarletStealer, and Waltuhium Grabber, as well as updates to existing stealers like SYS01stealer.
Kaspersky noted in a recent report that the emergence of new stealers and their varying sophistication levels indicate a criminal demand for such malware.
Recently, Kaspersky detailed a Gipy malware campaign that leverages the popularity of AI tools by promoting a fake AI voice generator through phishing websites. Gipy installs third-party malware from GitHub, including information stealers, cryptocurrency miners, remote access trojans, and backdoors.
Meanwhile, researchers have identified a new Android banking trojan called Antidot, which disguises itself as a Google Play update to facilitate information theft through various malicious activities.
“Functionality-wise, Antidot is capable of keylogging, overlay attacks, SMS exfiltration, screen captures, credentials theft, device control, and execution of commands received from the attackers,” Symantec said in a bulletin.