Watch out - that antivirus website could be a fake, and infecting your PC with malware


  • Researchers found a website spoofing Bitdefender antivirus
  • The site delivers a remote access trojan
  • Crooks are using it to steal people's money

One of the best antivirus programs out there is being abused in a new campaign delivering the dangerous VenomRAT Remote Access Trojan (RAT).

Cybersecurity researchers at DomainTools recently posted an in-depth analysis of the malicious operation after spotting a malicious domain, “bitdefender-download[.]com”, which leads to a website titled “DOWNLOAD FOR WINDOWS”.

Aside from a few subtle differences, the website looks almost identical to the legitimate Bitdefender download page. “There are subtle differences between them, such as the legitimate page using the word ‘free’ in several places whereas the spoofed version does not,” the researchers explained.

VenomRAT

The landing page has a “Download for Windows” button, which triggers a file download from an Amazon S3 bucket.

The bundled executable is named “StoreInstaller.exe” and was found to contain malware configurations associated with VenomRAT, DomainTools further explained. It also contained code associated with the open-source post-exploitation framework SilentTrinity and the StormKitty stealer.

VenomRAT is a lightweight RAT that cybercriminals use to gain control over compromised Windows systems. It enables the theft of login credentials and allows threat actors to log keystrokes, access webcams, and remotely run additional commands.

In this case, DomainTools says the goal was to steal victims’ cryptocurrency and then sell the access to a different threat actor, noting there is “clear intent to target individuals for financial gain by compromising their credentials, crypto wallets, and potentially selling access to their systems.”

The researchers also found that the campaign overlaps, both in time and infrastructure, with other malicious operations in which banks and “generic IT services” were impersonated. The Armenian IDBank and the Royal Bank of Canada are among the organizations mentioned in the report.

As usual, the best way to minimize these threats is to be careful when clicking links in emails and social media messages, and to download software only from legitimate sources.
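A defender-side check that turns the advice above into something a proxy log or mail filter can apply, added here as an example (it is not part of the DomainTools report or Bitdefender's tooling): it refangs indicator notation such as “[.]”, then flags any download host that contains a vendor's brand name without being the vendor's own registered domain or a subdomain of it. The allowlist of legitimate domains is an assumption for the example.

```python
# Flag download URLs whose host borrows a vendor brand but is not that
# vendor's registered domain, e.g. the spoofed bitdefender-download[.]com.
# Added example; LEGIT_DOMAINS is an assumed allowlist, not a published one.
from urllib.parse import urlsplit

# Brand keyword -> registered domains the brand legitimately uses (assumed).
LEGIT_DOMAINS = {
    "bitdefender": {"bitdefender.com"},
}


def refang(indicator: str) -> str:
    """Undo common defanging ('[.]', '(.)', 'hxxp') used in threat reports."""
    return (indicator.replace("[.]", ".").replace("(.)", ".")
            .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def hostname_of(url: str) -> str:
    """Lower-cased host of a possibly defanged, possibly schemeless URL."""
    url = refang(url.strip())
    if "://" not in url:
        url = "http://" + url          # urlsplit needs a scheme to see the host
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def is_under(host: str, registered: str) -> bool:
    """True if host equals the registered domain or is a dot-bounded subdomain.

    The '.' prefix matters: 'notbitdefender.com' must not match, and
    'bitdefender.com.evil.example' ends with neither form, so it is caught.
    """
    return host == registered or host.endswith("." + registered)


def classify_download_url(url: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a download URL."""
    host = hostname_of(url)
    for brand, domains in LEGIT_DOMAINS.items():
        if any(is_under(host, d) for d in domains):
            return "legitimate"
        if brand in host:                # brand name present, wrong domain
            return "lookalike"
    return "unrelated"
```

A host that carries no brand name at all, such as the Amazon S3 bucket the article says served the installer, comes back “unrelated” rather than flagged; this check catches brand lookalikes only and is not a substitute for inspecting the downloaded file.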


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
