Trellix research exposes the dangers of fake antivirus websites that pose as legitimate security software but harbour malware. Learn how to identify these scams and protect yourself from threats like identity theft and ransomware attacks.
Imagine searching online for an antivirus program to protect your computer, only to land on a website that infects your device with information stealers. That is the deceptive tactic employed by fake antivirus (AV) sites, a growing threat detailed in Trellix’s research titled “A Catalog of Hazardous AV Sites – A Tale of Malware Hosting.”
Deception Disguised as Security
In April 2024, Trellix Advanced Research Center team members discovered several fake antivirus sites hosting malicious files such as APKs, EXEs, and Inno Setup installers. These sites are used to distribute the SpyNote trojan and the Lumma and StealC infostealers. The malware hosts include avast-securedownload.com, bitdefender-app.com, and malwarebytes.pro.
Avast-securedownload.com:
It hosts an APK called Avast.apk that delivers the SpyNote trojan, which can install and delete packages, read call logs, SMS messages, contacts, storage data, phone state, and more. It also has audio recording, contact activity tracking, and self-update capabilities.
Bitdefender-app.com:
This site delivers a zip file named “setup-win-x86-x64.exe.zip” containing an EXE that carries a discreet TLS callback, code that the Windows loader runs before the program’s entry point and that is commonly used to evade debuggers and sandboxes. The EXE delivers the Lumma infostealer, which targets sensitive information such as the PC name, username, HWID, screen resolution, CPU, installed memory, running processes, login data, browsing history, cookies, tokens, and user profile information.
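The TLS callback mentioned above is a feature of the Windows PE format: any function addresses listed in the TLS directory’s AddressOfCallBacks array are invoked by the loader before the entry point, so a debugger that starts stepping at the entry point never sees that code run. The following Python is an added example, not code from the Trellix report or this article: it walks a PE file’s headers to list the RVAs of its TLS callbacks, which is the first check an analyst would make on an installer like the one above. Because the malicious sample is not reproduced here, the script builds a minimal, constructed PE32 image in memory for its own self-test; the section layout, image base, and callback RVAs in that fixture are assumptions.

```python
import struct

IMAGE_DIRECTORY_ENTRY_TLS = 9  # index of the TLS entry in the optional header's data directories


def _read_sections(data: bytes, coff_off: int) -> list:
    """Return (VirtualAddress, size, PointerToRawData) for each section header."""
    nsec = struct.unpack_from("<H", data, coff_off + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff_off + 16)[0]
    first = coff_off + 20 + opt_size  # section table follows the optional header
    secs = []
    for i in range(nsec):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, first + i * 40 + 8)
        secs.append((vaddr, max(vsize, rawsize), rawptr))
    return secs


def _rva_to_offset(secs: list, rva: int) -> int:
    """Map an RVA to a file offset using the section table."""
    for vaddr, size, rawptr in secs:
        if vaddr <= rva < vaddr + size:
            return rawptr + (rva - vaddr)
    raise ValueError(f"RVA {rva:#x} is not mapped by any section")


def tls_callbacks(data: bytes) -> list:
    """Return the RVAs of all TLS callbacks in a PE32 or PE32+ image (empty list if none)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff_off = pe_off + 4
    opt_off = coff_off + 20
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:    # PE32: 32-bit ImageBase at +28, data directories at +96
        ptr, fmt = 4, "<I"
        image_base = struct.unpack_from("<I", data, opt_off + 28)[0]
        ndirs_off, dirs_off = opt_off + 92, opt_off + 96
    elif magic == 0x20B:  # PE32+: 64-bit ImageBase at +24, data directories at +112
        ptr, fmt = 8, "<Q"
        image_base = struct.unpack_from("<Q", data, opt_off + 24)[0]
        ndirs_off, dirs_off = opt_off + 108, opt_off + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    if ndirs <= IMAGE_DIRECTORY_ENTRY_TLS:
        return []
    tls_rva, tls_size = struct.unpack_from("<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_TLS)
    if tls_rva == 0 or tls_size == 0:
        return []                                              # no TLS directory at all
    secs = _read_sections(data, coff_off)
    tls_off = _rva_to_offset(secs, tls_rva)
    # IMAGE_TLS_DIRECTORY: StartAddressOfRawData, EndAddressOfRawData, AddressOfIndex,
    # AddressOfCallBacks (all pointer-sized VAs), then SizeOfZeroFill and Characteristics.
    callbacks_va = struct.unpack_from(fmt, data, tls_off + 3 * ptr)[0]
    if callbacks_va == 0:
        return []
    off = _rva_to_offset(secs, callbacks_va - image_base)
    rvas = []
    while len(rvas) < 64:  # the array is NULL-terminated; bound it against malformed files
        va = struct.unpack_from(fmt, data, off)[0]
        if va == 0:
            break
        rvas.append(va - image_base)
        off += ptr
    return rvas


def build_sample_pe(callback_rvas=(0x1100, 0x1200), with_tls=True, image_base=0x400000) -> bytes:
    """Constructed minimal PE32 image with one section and an optional TLS directory.
    This is a synthetic fixture for the example above, not the sample from the report."""
    sec_va, sec_raw, sec_size = 0x1000, 0x200, 0x200
    tls_rva, cb_rva = 0x1000, 0x1020
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                          # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, 1 section, 224-byte opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    if with_tls:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_TLS, tls_rva, 24)
    section = b".rdata".ljust(8, b"\0") + struct.pack("<IIII", sec_size, sec_va, sec_size, sec_raw) + bytes(16)
    body = bytearray(sec_size)
    # TLS directory at the section start; AddressOfCallBacks is a VA, so add the image base.
    struct.pack_into("<IIIIII", body, tls_rva - sec_va, 0, 0, 0, image_base + cb_rva, 0, 0)
    for i, rva in enumerate(callback_rvas):                        # zeroed buffer terminates the array
        struct.pack_into("<I", body, cb_rva - sec_va + 4 * i, image_base + rva)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section
    return headers.ljust(sec_raw, b"\0") + bytes(body)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print("TLS callbacks:", [hex(r) for r in tls_callbacks(data)] or "none")
```

Run it with a path to any PE to list its callbacks, or with no arguments to exercise the constructed fixture. A non-empty result on an installer that has no business initialising thread-local storage is a strong hint that the file deserves dynamic analysis with a breakpoint set on each callback rather than on the entry point.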
Malwarebytes.pro:
The site delivers RAR files containing legitimate DLLs, an Inno Setup installer, and the StealC infostealer. The stolen data is compressed with gzip and transferred to the attacker’s C2 server. It includes account tokens, Steam tokens, saved card details, system profiles, Telegram logins, running process names, installed browser lists, and general system information.
Malicious Binaries
According to Trellix’s blog post, the researchers also discovered a binary called AMCoreDat.exe that facilitates the deployment of stealer malware. The attacker obfuscates the payload, which steals victim information including the PC name, username, browsing history, cookies, and tokens, and sends it to a C2 server.
Potential Risks
Unwary users seeking to safeguard their devices are easily tricked into downloading malicious software disguised as antivirus programs, because these sites look professional, complete with logos, fake testimonials, and urgency-inducing language about potential threats.
The consequences of falling victim to these scams can be severe, including identity theft, financial loss, exposure of sensitive data, ransomware attacks, and potentially hefty ransom demands.
The researchers suspect these site addresses are distributed through malvertising and SEO poisoning. To mitigate the risk, follow basic security measures: use a reputable security solution, avoid pirated software, and verify a download’s legitimacy with your endpoint vendor, starting with whether the download domain actually belongs to that vendor.
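One concrete form of that legitimacy check, as an added example that is not part of the Trellix report or this article: a small Python function that flags a download URL whose hostname mentions an impersonated vendor’s brand but whose registrable domain is not one the vendor actually owns. The allowlist of vendor domains and the sample URLs are assumptions constructed for illustration; the three lookalike hosts in the sample are the ones named in the report, and the subdomain trick (avast.com.evil.example) is included to show why matching on the full hostname is not enough.

```python
from urllib.parse import urlparse

# Brand names impersonated by the sites in the Trellix report, mapped to the
# registrable domains the real vendors use. This allowlist is an assumption for
# illustration; a real deployment would maintain it from vendor documentation.
VENDOR_DOMAINS = {
    "avast": {"avast.com"},
    "bitdefender": {"bitdefender.com"},
    "malwarebytes": {"malwarebytes.com"},
}


def registrable_domain(host: str) -> str:
    """Last two DNS labels of a hostname (simplification: ignores multi-label
    public suffixes such as co.uk; use the Public Suffix List in production)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_download_url(url: str) -> tuple:
    """Return ("legitimate"|"suspicious"|"unknown", brand-or-None) for a download URL.

    A hostname that mentions a protected brand anywhere (avast-securedownload.com,
    avast.com.evil.example, ...) but whose registrable domain is not owned by that
    vendor is flagged as a lookalike. Subdomains of a genuine vendor domain pass."""
    host = (urlparse(url).hostname or "").lower()
    reg = registrable_domain(host)
    for brand, legit in VENDOR_DOMAINS.items():
        if brand in host:
            return ("legitimate", brand) if reg in legit else ("suspicious", brand)
    return ("unknown", None)


# Constructed sample input: the three lookalike hosts named in the report,
# plus a genuine vendor host, a subdomain trick, and an unrelated site.
SAMPLE_URLS = [
    "https://avast-securedownload.com/Avast.apk",
    "https://bitdefender-app.com/setup-win-x86-x64.exe.zip",
    "https://malwarebytes.pro/download.rar",
    "https://www.avast.com/download",
    "https://avast.com.evil.example/setup.exe",
    "https://example.org/tool.exe",
]


def audit(urls=SAMPLE_URLS) -> list:
    """Return only the URLs that should be blocked or investigated."""
    return [u for u in urls if classify_download_url(u)[0] == "suspicious"]


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        verdict, brand = classify_download_url(u)
        print(f"{verdict:11} {brand or '-':13} {u}")
```

The same logic drops into a proxy log review or a browser download hook: any hit classified as suspicious is a brand-squatting domain of exactly the kind the report describes, and the "unknown" bucket is where a vendor-neutral allowlist or code-signing check would take over.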