Threat actors have been observed using phony websites posing as legitimate antivirus solutions from Avast, Bitdefender, and Malwarebytes to spread malware that can steal sensitive data from Android and Windows devices.
“Hosting malicious software on websites that appear genuine is harmful to regular consumers, especially those seeking to safeguard their devices from cyber attacks,” said Trellix security researcher Gurumoorthi Ramanathan.
The list of deceptive websites includes:
- avast-securedownload[.]com, which is used to distribute the SpyNote trojan disguised as an Android package file (“Avast.apk”). Once installed, the trojan requests intrusive permissions to access SMS messages and call logs, install and remove apps, capture screenshots, and track location, and it can even mine cryptocurrency
- bitdefender-app[.]com, which is distributing a ZIP archive file (“setup-win-x86-x64.exe.zip”) that deploys the Lumma information stealer malware
- malwarebytes[.]pro, which is distributing a RAR archive file (“MBSetup.rar”) that delivers the StealC information stealer malware
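The three sites above share two traits a defender can key on: a brand name embedded in a domain that is not the vendor's registrable domain, and a payload delivered as an archive or executable (in one case an archive whose inner name already ends in .exe). The following script is an added example, not code from Trellix or the original article; it refangs the defanged indicators listed above and scans a few constructed proxy-log lines for those traits. The log format, the `LEGIT_DOMAINS` table, and the naive eTLD+1 logic are assumptions for the example and should be replaced with your own proxy schema and a public-suffix library in production.

```python
import re
from urllib.parse import urlsplit

# Assumed table of legitimate registrable domains for the impersonated brands
# (constructed for this example; extend for your environment).
LEGIT_DOMAINS = {
    "avast": {"avast.com"},
    "bitdefender": {"bitdefender.com"},
    "malwarebytes": {"malwarebytes.com"},
    "trellix": {"trellix.com"},
}

# Extensions the campaign used to wrap or deliver its payloads.
ARCHIVE_EXTS = (".zip", ".rar", ".7z")
EXEC_EXTS = (".exe", ".msi", ".apk", ".scr", ".bat", ".js")

# Defanged indicators as published above; refang before matching.
DEFANGED_IOCS = [
    "avast-securedownload[.]com",
    "bitdefender-app[.]com",
    "malwarebytes[.]pro",
]


def refang(indicator):
    """Turn a defanged indicator ('example[.]com', 'hxxp://') back into a usable one."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def registrable_domain(host):
    # Naive eTLD+1: last two labels. Fine for .com/.pro hosts; use a
    # public-suffix library for ccSLDs such as co.uk.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def brand_in_host(host):
    """Return the first impersonated brand name found in the hostname, if any."""
    h = host.lower()
    for brand in LEGIT_DOMAINS:
        if brand in h:
            return brand
    return None


def classify_url(url):
    """Return a list of findings for one download URL (empty list = nothing suspicious)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []

    # Brand name present but registrable domain is not the vendor's: lookalike.
    brand = brand_in_host(host)
    if brand and registrable_domain(host) not in LEGIT_DOMAINS[brand]:
        findings.append(f"lookalike:{brand}")

    fname = parts.path.rsplit("/", 1)[-1].lower()
    if fname.endswith(ARCHIVE_EXTS):
        # "setup-win-x86-x64.exe.zip": executable name hidden inside an archive name.
        stem = fname.rsplit(".", 1)[0]
        if stem.endswith(EXEC_EXTS):
            findings.append("double-extension")
        findings.append("archive-download")
    elif fname.endswith(EXEC_EXTS):
        findings.append("executable-download")
    return findings


# Constructed proxy-log lines for the example: timestamp client method url status.
LOG_LINES = [
    "2024-05-21T10:02:11Z 10.0.0.5 GET https://www.avast.com/download/ 200",
    "2024-05-21T10:03:40Z 10.0.0.7 GET https://avast-securedownload.com/Avast.apk 200",
    "2024-05-21T10:05:02Z 10.0.0.9 GET https://bitdefender-app.com/setup-win-x86-x64.exe.zip 200",
    "2024-05-21T10:06:15Z 10.0.0.9 GET https://malwarebytes.pro/MBSetup.rar 200",
    "2024-05-21T10:07:30Z 10.0.0.12 GET https://downloads.malwarebytes.com/file/mb-windows 200",
]

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def scan_log(lines, known_bad=None):
    """Return (client, url, findings) for every log line that trips a rule or hits an IoC."""
    known_bad = {refang(i) for i in (known_bad or [])}
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed schema
        _ts, client, _method, url, _status = m.groups()
        findings = classify_url(url)
        host = (urlsplit(url).hostname or "").lower()
        if host in known_bad:
            findings.append("ioc-match")
        if findings:
            flagged.append((client, url, findings))
    return flagged


if __name__ == "__main__":
    for client, url, findings in scan_log(LOG_LINES, DEFANGED_IOCS):
        print(client, url, ", ".join(findings))
```

The two legitimate downloads (www.avast.com and downloads.malwarebytes.com) pass because their registrable domain is in the allow-list, while each of the three campaign hosts is flagged both by the heuristic and by the IoC match; the heuristic alone would also catch the next lookalike domain the same actor registers.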
The cybersecurity company also identified a rogue Trellix binary named “AMCoreDat.exe” that acts as a channel to install a stealer malware capable of harvesting victim data, including browser information, and sending it to a remote server.
How victims are being driven to these fraudulent websites is currently unclear, but previous campaigns of this kind have relied on malvertising and search engine optimization (SEO) poisoning.
Stealer malware has become a prevalent threat, with cybercriminals offering numerous customized variants with different levels of sophistication. This includes new stealers like Acrid, SamsStealer, ScarletStealer, and Waltuhium Grabber, as well as updates to existing ones like SYS01stealer (also known as Album Stealer or S1deload Stealer).
“The fact that new stealers appear regularly, combined with their varying levels of functionality and complexity, indicates a criminal demand for stealers,” Kaspersky said in a recent report.
Recently, the Russian cybersecurity company outlined a Gipy malware campaign that exploits the popularity of artificial intelligence (AI) tools by promoting a fake AI voice generator through phishing websites.
Once downloaded and run, Gipy fetches and installs third-party malware hosted on GitHub, including information stealers (Lumma, RedLine, RisePro, and LOLI Stealer), cryptocurrency miners (Apocalypse ClipBanker), remote access trojans (DCRat and RADXRat), and backdoors (TrueClient).
Meanwhile, a new Android banking trojan named Antidot has been discovered, posing as a Google Play update to facilitate data theft by abusing Android’s accessibility and MediaProjection APIs.
“Antidot is capable of keylogging, overlay attacks, SMS exfiltration, screen captures, credentials theft, device control, and execution of commands received from the attackers,” stated Symantec, a subsidiary of Broadcom, in a bulletin.