A deceptive website masquerading as Avast antivirus is ensnaring unsuspecting users into compromising their own devices. The site, designed to appear legitimate, conducts a phony virus scan and falsely claims that the user’s system is riddled with threats. When users are prompted to “fix” these issues, they unwittingly download Venom Stealer, a sophisticated malware engineered to pilfer passwords, session cookies, and cryptocurrency wallet information.
A scan that finds exactly what the attacker wants you to see
The phishing site replicates the Avast brand meticulously, featuring familiar navigation bars, logos, and reassuring certification badges. Users are encouraged to initiate what seems to be a thorough virus scan. After a brief animation, the page delivers a predetermined outcome: three threats detected, three threats eliminated, and the system declared secure. A scrolling console log cites a specific detection—Trojan:Win32/Zbot.AA!dll—to lend an air of credibility. Ultimately, victims are urged to download a file named Avastsystemcleaner.exe, which is, in reality, the malware payload.
A Chrome service that is not Chrome
Upon execution, Avastsystemcleaner.exe stealthily copies itself into a location that mimics legitimate software: C:\Program Files\Google\Chrome\Application\v20svc.exe. The copy is byte-for-byte identical to the downloaded file, sharing the same MD5 hash (0a32d6abea15f3bfe2a74763ba6c4ef5). It then launches itself with the command-line flag --v20c, an otherwise meaningless argument that tells the malware to operate in its secondary role. This deliberate masquerade makes it easy for a casual observer to overlook the malicious process, since it appears to be a standard component of the Chrome browser.
Every cookie, every wallet, every saved password
Once activated, the malware methodically targets high-value assets on the victim’s machine. It begins with web browsers, harvesting saved credentials and session cookies. In a controlled environment, it was observed accessing Firefox’s cookie database at C:\Users\<user>\AppData\Roaming\Mozilla\Firefox\Profiles\<profile>\cookies.sqlite-shm. The malware also extracts session cookies from Microsoft Edge and Google Chrome, enabling attackers to hijack active sessions without needing the victim’s password, even bypassing two-factor authentication.
Furthermore, the malware seeks out cryptocurrency wallets, attempting to steal locally-stored wallet data. For individuals using hot wallets, the ramifications are immediate and severe. In addition to credentials, the malware captures a screenshot of the victim’s desktop and saves it in a temporary file, further compromising the user’s privacy.
Disguised as analytics, delivered over plain HTTP
All stolen data is transmitted to a command-and-control domain: app-metrics-cdn[.]com, which resolved to 104.21.14.89 during analysis. The domain name is crafted to resemble a benign analytics service, minimizing the likelihood of detection in corporate proxy logs. The exfiltration process follows a structured sequence over unencrypted HTTP, involving multiple POST requests that transmit the collected data, including screenshots and cookie databases.
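As an added example, not part of the original post: the domain, IP address and C2 paths listed in this report's IOCs, applied as a triage filter over Squid-style proxy log lines. The log format and the sample lines are constructed assumptions; only the indicators come from the report.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Indicators taken from the report (domain kept in its published, defanged form).
C2_DOMAIN = "app-metrics-cdn[.]com"
C2_IP = "104.21.14.89"
C2_STAGES = {
    "/api/upload": "data upload",
    "/api/upload-json": "json upload",
    "/api/upload-complete": "upload complete",
    "/api/listener/heartbeat": "heartbeat",
}

# Assumed Squid access-log layout: time elapsed client status bytes method url ...
LOG_RE = re.compile(r"^\S+\s+\d+\s+(?P<client>\S+)\s+(?P<status>\S+)\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)")

def refang(indicator: str) -> str:
    """Turn the published defanged domain into a matchable hostname."""
    return indicator.replace("[.]", ".")

def match_c2(line: str) -> Optional[dict]:
    """Return a finding when the request host is the C2 domain or IP, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    host = (url.hostname or "").lower()
    if host not in (refang(C2_DOMAIN), C2_IP):
        return None  # the same path on another host is not evidence by itself
    return {
        "client": m["client"],
        "method": m["method"],
        "host": host,
        "stage": C2_STAGES.get(url.path, "unknown path"),
        "plaintext": url.scheme == "http",  # the report: exfiltration over plain HTTP
    }

def triage(lines):
    return [hit for hit in map(match_c2, lines) if hit]

# Constructed sample lines (not real traffic): two hit the C2, two are benign.
SAMPLE_LOG = [
    "1700000001.100 210 10.0.0.5 TCP_MISS/200 48210 POST http://app-metrics-cdn.com/api/upload - HIER_DIRECT/104.21.14.89 application/octet-stream",
    "1700000031.200 15 10.0.0.5 TCP_MISS/200 310 POST http://104.21.14.89/api/listener/heartbeat - HIER_DIRECT/104.21.14.89 application/json",
    "1700000032.300 120 10.0.0.7 TCP_MISS/200 9800 GET https://www.avast.com/ - HIER_DIRECT/1.2.3.4 text/html",
    "1700000033.400 50 10.0.0.8 TCP_MISS/200 500 POST https://intranet.example/api/upload - HIER_DIRECT/10.1.1.1 application/json",
]
```

Running `triage(SAMPLE_LOG)` returns two findings: the plaintext upload from 10.0.0.5 and the heartbeat sent straight to the IP, while the benign hosts are ignored even when the path coincides.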
Syscalls, sleep loops, and debugger checks
Venom Stealer employs various evasion techniques to avoid detection. Notably, it uses direct and indirect system calls, entering the kernel without going through the usual Windows API layer, which sidesteps the user-mode API hooks that many endpoint detection tools rely on. The malware also checks for debugging environments and employs sleep calls to frustrate automated analysis.
This is not a new trick
The tactic of impersonating security software to distribute malware is a long-standing method in cybercrime. Users who believe their systems are compromised are likely to act hastily, and a site that mimics a trusted antivirus vendor exploits both fear and trust effectively. This approach is not isolated; similar campaigns have previously targeted other security brands, indicating a repeatable strategy rather than a one-off experiment.
What to do if you may have been affected
To safeguard against such threats, always download security software from official vendor websites, such as avast.com. If you suspect interaction with a fraudulent site or downloaded the malicious file, prompt action is essential:
- Check for infection. Look for v20svc.exe in C:\Program Files\Google\Chrome\Application. Its presence indicates potential compromise.
- Run a full system scan. Utilize a trusted, up-to-date anti-malware tool to detect and eliminate any infections.
- Change your passwords. Prioritize email, banking, and other critical accounts, assuming that any saved credentials may have been exposed.
- Sign out of all active sessions. Log out of services like Google, Microsoft, and Facebook to mitigate unauthorized access.
- Protect cryptocurrency funds. If you use a desktop wallet, transfer your assets to a new wallet created on a secure device.
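An added example (not from the original post or from Malwarebytes) for the first step above: a Python check that reports whether v20svc.exe sits in the Chrome directory and compares its digests against the hashes published in this report. The directory argument and function names are mine; the path, file name and hashes are the report's.

```python
import hashlib
from pathlib import Path
from typing import Optional

# Values from the report. The directory is a parameter so the same check can be
# pointed at a mounted disk image or a scratch directory instead of the live system.
DEFAULT_CHROME_DIR = Path(r"C:\Program Files\Google\Chrome\Application")
SUSPECT_NAME = "v20svc.exe"
KNOWN_SHA256 = "ecbeaa13921dbad8028d29534c3878503f45a82a09cf27857fa4335bd1c9286d"
KNOWN_MD5 = "0a32d6abea15f3bfe2a74763ba6c4ef5"


def hash_file(path: Path) -> dict:
    """Stream the file once, returning both digests the report publishes."""
    sha, md5 = hashlib.sha256(), hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            sha.update(chunk)
            md5.update(chunk)
    return {"sha256": sha.hexdigest(), "md5": md5.hexdigest()}


def check_chrome_dir(chrome_dir: Path = DEFAULT_CHROME_DIR) -> Optional[dict]:
    """Return a finding if v20svc.exe is present in the Chrome directory, else None.

    Presence is itself a finding (the report treats it as an indicator of
    compromise); a digest match additionally ties the file to the analysed sample.
    """
    suspect = chrome_dir / SUSPECT_NAME
    if not suspect.is_file():
        return None
    digests = hash_file(suspect)
    known = digests["sha256"] == KNOWN_SHA256 or digests["md5"] == KNOWN_MD5
    return {
        "path": str(suspect),
        **digests,
        "known_sample": known,
        "verdict": ("matches the Venom Stealer sample from the report" if known
                    else "unexpected binary in the Chrome directory; investigate"),
    }


if __name__ == "__main__":
    finding = check_chrome_dir()
    print(finding or f"{DEFAULT_CHROME_DIR / SUSPECT_NAME} not present")
```

A different hash does not clear the file: Chrome does not install a v20svc.exe, so any binary of that name in that directory warrants the full scan described in the next step.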
Indicators of Compromise (IOCs)
File hashes
- SHA-256: ecbeaa13921dbad8028d29534c3878503f45a82a09cf27857fa4335bd1c9286d
Domains
- app-metrics-cdn[.]com
Network indicators
- 104.21.14.89
C2 URLs
- http://app-metrics-cdn[.]com/api/upload
- http://app-metrics-cdn[.]com/api/upload-json
- http://app-metrics-cdn[.]com/api/upload-complete
- http://app-metrics-cdn[.]com/api/listener/heartbeat