Threat actors used fake AV websites masquerading as legitimate antivirus products from Avast, Bitdefender, and Malwarebytes to distribute malware.
In mid-April 2024, researchers at Trellix Advanced Research Center team spotted multiple fake AV sites used to distribute info-stealers. The malicious websites hosted sophisticated malicious files such as APK, EXE and Inno setup installer, including Spy and Stealer capabilities.
The fake websites were masquerading as legitimate antivirus products from Avast, Bitdefender, and Malwarebytes.
The sites hosting malware are avast-securedownload.com (Avast.apk), bitdefender-app.com (setup-win-x86-x64.exe.zip), malwarebytes.pro (MBSetup.rar).
Below is the list of malicious websites analyzed by the researchers:
- avast-securedownload[.]com: Distributes the SpyNote trojan as an Android package file (“Avast.apk”), which, once installed, requests intrusive permissions such as reading SMS messages and call logs, installing and deleting apps, taking screenshots, tracking location, and mining cryptocurrency.
- bitdefender-app[.]com: Distributes a ZIP archive file (“setup-win-x86-x64.exe.zip”) that was used to deploy the Lumma information stealer.
- malwarebytes[.]pro: Distributes a RAR archive file (“MBSetup.rar”) that was used to deploy the StealC information stealer malware.
The experts also discovered a malicious Trellix binary that pretends to be Legit (AMCoreDat.exe).
The researchers did not attribute the attacks to a specific threat actor. The report also includes Indicators of Compromise (IoCs) for the attacks employing fake AV websites.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, fake AV websites)