A spoofed Bitdefender website is being used in a malicious campaign to distribute VenomRAT and two other malware tools, giving attackers deep access to victims' systems.

The fake site, titled "Download for Windows", mimics Bitdefender's legitimate antivirus download page but leads visitors to malicious files hosted on Bitbucket and Amazon S3.

The downloaded package contains an executable named StoreInstaller.exe, which initiates the infection chain. Researchers found this file bundled with code from three separate malware families: VenomRAT, StormKitty and SilentTrinity.

Modular malware for maximum exploitation

According to DomainTools, which discovered the campaign, it shows a layered approach to compromise in which each tool plays a separate role:

  • VenomRAT provides remote and persistent access

  • StormKitty collects credentials and crypto wallet data

  • SilentTrinity facilitates covert exfiltration and long-term control

Together, these components let attackers move quickly while remaining hidden.

The use of SilentTrinity and StormKitty, both open-source frameworks, suggests that the attackers are targeting users not only for immediate profit but also for long-term exploitation or resale of access.

VenomRAT has roots in the Quasar RAT project and supports keylogging, credential theft and remote command execution (RCE).

The malware samples linked to this campaign share consistent configurations, in particular the reuse of command-and-control (C2) IPs such as 67.217.228[.]160:4449 and 157.20.182[.]72:4449.

Analysts have traced additional VenomRAT samples and IPs through matching RDP configurations, revealing further infrastructure that is probably managed by the same threat actor.

Read more about phishing attacks using spoofed antivirus platforms: Cybercriminals Exploit Check Point Antivirus Driver in Malicious Campaign

Fake login pages pose additional risks

In addition to the spoofed antivirus site, researchers identified related phishing domains posing as banks and IT services. These include:

  • idramsecurity[.]live, spoofing Armenian IDBank

  • royalbanksecure[.]online, imitating Royal Bank of Canada

  • dataops tracxn[.]com, posing as a Microsoft login portal


The infrastructure behind these domains overlaps in timing and setup, strengthening the assessment of a coordinated, financially motivated campaign.

Growing use of open-source malware

The attackers' reliance on open-source tools shows how accessible cybercrime has become. By reusing existing frameworks, they can quickly assemble flexible, effective malware kits. Although this can help defenders recognize patterns, it also increases the speed and scale of potential attacks.

DomainTools researchers emphasize vigilance and encourage users to verify download sources, avoid entering credentials on untrusted sites and remain cautious with email links or attachments.

Image Credit: T. Schneider / Shutterstock.com
