Cybersecurity researchers have exposed a disturbing new campaign in which hackers are carefully copying real antivirus software websites to spread the dangerous Venom Remote Access Trojan (RAT).
This is a cheap trick that is meant to fool less discerning users into downloading malware that could give attackers the keys to their kingdom, particularly when it comes to stealing sensitive information such as cryptocurrency wallet credentials.
The newest of these is the fake website impersonating popular antivirus vendor Bitdefender. This scam domain, from “bitdefender-download[. com,” lures visitors to download an alleged Windows version of the antivirus.
But instead of a real security program, they are unwittingly installing a ZIP archive called “StoreInstaller. exe.” The executable also includes malicious configurations for Venom RAT, as well as code from the SilentTrinity post-exploitation framework and the StormKitty stealer.
Venom RAT, a well-known variant of Quasar RAT, can perform various malicious operations such as data collection, keystroke logging, screen capture, and establishing a permanent backdoor entry for attackers.
StormKitty only adds to the danger posed, with this stealer specifically built to extract sensitive data such as passwords, browser details and, crucially, cryptocurrency wallet information. With SilentTrinity, the attackers’ presence on the victim machine remains stealthy and that’s long term control.
DomainTools Intelligence (DTI) security researchers who discovered the counterfeit Bitdefender website have also discovered a connection between this fake website and other nefarious websites in the past being used for bank and IT services phishing in the infrastructure and time related aspects. This indicates a concerted effort among the threat actors to utilize well-known brands and techniques to optimize their success.
“These tools complement each other: Venom RAT allows a foothold, StormKitty can grab passwords and digital wallets and SilentTrinity ensures the threat actor can stay hidden and in control,” according to a DTI report. This multi-pronged method demonstrates the maturity of cybercrime and the use of modular, open-source malware to conduct the activity in an efficient, discreet manner and to facilitate change and shifting in tactics.
This find comes in the wake of an alert from Sucuri of another campaign leveraging phony Google Meet pages to push the noanti-vm. bat RAT — are two more examples of the wide range of social engineering tactics used by cybercrooks.
[WARNING] Downloading software (even from well known sites) is highly risky. Always ensure that you are dealing with the real website by comparing its URL and always get the software from the book’s official vendor s page.
However, deploying solid anti-malware from reputable vendors and ensuring secure updates are a must to defend against these kinds of advanced threats. This is a brutal wake-up call for all where the traditional techniques to secure the investments are failing against the invading barbarians of the information age.
