Threat actors have been observed making use of fake websites masquerading as legitimate antivirus solutions from Avast, Bitdefender, and Malwarebytes to propagate malware capable of stealing sensitive information from Android and Windows devices.
"Hosting malicious software through sites which look legitimate is predatory to general consumers, especially those who look to protect their devices from cyber attacks," Trellix security researcher Gurumoorthi Ramanathan said.
The list of websites is below -
- avast-securedownload[.]com, which is used to deliver the SpyNote trojan in the form of an Android package file ("Avast.apk") that, once installed, requests for intrusive permissions to read SMS messages and call logs, install and delete apps, take screenshot, track location, and even mine cryptocurrency
- bitdefender-app[.]com, which is used to deliver a ZIP archive file ("setup-win-x86-x64.exe.zip") that deploys the Lumma information stealer malware
- malwarebytes[.]pro, which is used to deliver a RAR archive file ("MBSetup.rar") that deploys the StealC information stealer malware
The cybersecurity firm said it also uncovered a rogue Trellix binary named "AMCoreDat.exe" that serves as a conduit to drop a stealer malware capable of harvesting victim information, including browser data, and exfiltrating it to a remote server.
It's currently not clear how these bogus websites are distributed, but similar campaigns in the past have employed techniques such as malvertising and search engine optimization (SEO) poisoning.
Stealer malware have increasingly become a common threat, with cybercriminals advertising numerous custom variants with varying levels of complexity. This includes new stealers like Acrid, SamsStealer, ScarletStealer, and Waltuhium Grabber, as well as updates to existing ones such as SYS01stealer (aka Album Stealer or S1deload Stealer).
"The fact that new stealers appear every now and then, combined with the fact that their functionality and sophistication varies greatly, indicates that there is a criminal market demand for stealers," Kaspersky said in a recent report.
Earlier this week, the Russian cybersecurity firm also detailed a Gipy malware campaign that capitalizes on the popularity of artificial intelligence (AI) tools by advertising a fake AI voice generator via phishing websites.
Once installed, Gipy loads third-party malware hosted on GitHub, ranging from information stealers (Lumma, RedLine, RisePro, and LOLI Stealer) and cryptocurrency miners (Apocalypse ClipBanker) to remote access trojans (DCRat and RADXRat) and backdoors (TrueClient).
The development comes as researchers have discovered a new Android banking trojan called Antidot that disguises itself as a Google Play update to facilitate information theft by abusing Android's accessibility and MediaProjection APIs.
"Functionality-wise, Antidot is capable of keylogging, overlay attacks, SMS exfiltration, screen captures, credentials theft, device control, and execution of commands received from the attackers," Broadcom-owned Symantec said in a bulletin.