Cyber malefactors have been detected using fraudulent websites, impersonating legitimate antivirus solutions from Avast, Bitdefender, and Malwarebytes, to distribute malware that steals sensitive information from both Android and Windows devices.
“Deploying malicious software through seemingly credible sites is predatory towards general users, especially those seeking to safeguard their devices against cyber threats,” noted Trellix security researcher Gurumoorthi Ramanathan.
The following websites have been identified:
- avast-securedownload[.]com: This site dispenses the SpyNote trojan disguised as an Android package file (“Avast.apk”). Once installed, it solicits intrusive permissions to read SMS messages, access call logs, install and remove applications, capture screenshots, track location, and even mine cryptocurrency.
- bitdefender-app[.]com: This site delivers a ZIP archive file (“setup-win-x86-x64.exe.zip”) that unleashes the Lumma information stealer malware.
- malwarebytes[.]pro: This site provides a RAR archive file (“MBSetup.rar”) that deploys the StealC information stealer malware.
The cybersecurity firm also identified a rogue Trellix binary named “AMCoreDat.exe,” which serves as a vehicle to deploy a stealer malware capable of gathering victim information, including browser data, and transmitting it to a remote server.
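As an added example (not part of the report, and not Trellix's own tooling): a small Python triage script that refangs the indicators listed above and flags requests to those hosts, or downloads of the named payload files, in constructed proxy log lines; the log format and sample values are assumptions.

```python
from urllib.parse import urlsplit

# Indicators exactly as published in the report above (defanged with "[.]").
DEFANGED_DOMAINS = ["avast-securedownload[.]com", "bitdefender-app[.]com", "malwarebytes[.]pro"]
PAYLOAD_NAMES = {
    "Avast.apk": "SpyNote (Android)",
    "setup-win-x86-x64.exe.zip": "Lumma stealer (Windows)",
    "MBSetup.rar": "StealC stealer (Windows)",
}

def refang(indicator):
    """Turn a defanged indicator ('x[.]com') into a matchable lowercase hostname."""
    return indicator.replace("[.]", ".").lower().strip(".")

BAD_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

def host_matches(host):
    """Return the indicator that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for d in BAD_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None

# Constructed proxy log lines (hypothetical format: time client method url status).
SAMPLE_LOG = """\
2024-05-22T10:01:12Z 10.0.0.15 GET https://www.avast.com/download 200
2024-05-22T10:02:40Z 10.0.0.23 GET https://avast-securedownload.com/Avast.apk 200
2024-05-22T10:03:05Z 10.0.0.23 GET https://cdn.bitdefender-app.com/setup-win-x86-x64.exe.zip 200
2024-05-22T10:04:11Z 10.0.0.31 GET https://malwarebytes.com/mwb-download 200
2024-05-22T10:05:59Z 10.0.0.42 GET https://files.example.net/dl/MBSetup.rar 200
"""

def scan_proxy_log(text):
    """Flag requests to the reported domains or for the reported payload file names."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client, _method, url = parts[:4]
        u = urlsplit(url)
        reasons = []
        d = host_matches(u.hostname or "")
        if d:
            reasons.append("domain:" + d)
        name = u.path.rsplit("/", 1)[-1]
        if name in PAYLOAD_NAMES:  # a file-name match alone is weaker evidence than a domain hit
            reasons.append(f"payload:{name} ({PAYLOAD_NAMES[name]})")
        if reasons:
            hits.append({"time": ts, "client": client, "url": url, "reasons": reasons})
    return hits
```

Legitimate vendor hosts such as www.avast.com are not flagged, because matching is on the exact reported domain or its subdomains, not on the brand name.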
The distribution method of these spurious websites remains unclear, though similar campaigns have previously employed techniques such as malvertising and search engine optimization (SEO) poisoning.
Stealer malware has increasingly emerged as a prevalent threat, with cybercriminals advertising numerous bespoke variants of varying complexity. These include novel stealers like Acrid, SamsStealer, ScarletStealer, and Waltuhium Grabber, as well as updates to existing ones such as SYS01stealer (also known as Album Stealer or S1deload Stealer).
“The emergence of new stealers at regular intervals, coupled with the diversity in their functionality and sophistication, underscores the criminal market demand for these tools,” Kaspersky highlighted in a recent report.
This development coincides with researchers uncovering a new Android banking trojan named Antidot, masquerading as a Google Play update to facilitate information theft by exploiting Android’s accessibility and MediaProjection APIs.
“Functionally, Antidot is capable of keylogging, overlay attacks, SMS exfiltration, screen captures, credential theft, device control, and executing commands received from the attackers,” Broadcom-owned Symantec stated in a bulletin.