Fake antivirus website, vector of a Venom RAT campaign

June 19, 2025
Venom RAT Anti Virus Website Fake Domains

Cybercriminals are leveraging a counterfeit antivirus website to spread Venom RAT along with other malicious tools disguised as legitimate software.

A spoofed domain named bitdefender-download[.]com has been impersonating the official Bitdefender Windows antivirus download page to trick users into downloading malware.

Researchers suspect this operation is part of a larger campaign to deploy Venom RAT, a Remote Access Trojan, while incorporating additional malware tools.

The campaign combines password-stealing utilities with covert access methods, giving the threat actor a targeted strategy to compromise user credentials, access cryptocurrency wallets, and potentially sell system access for profit.

Users who click on the fraudulent “Download for Windows” button are redirected to a Bitbucket URL that leads to a ZIP file stored on Amazon S3.

This file contains an executable named Storeinstaller.exe, which installs the RAT together with components of SilentTrinity, an open-source post-exploitation framework, and StormKitty, a known credential stealer.

Venom RAT is a persistent malware that stays on compromised devices.

Venom RAT, derived from the open-source Quasar RAT, allows continuous access to victim systems.

Investigations revealed its capabilities include remote control, keylogging, credential theft, and data exfiltration.

In this operation, StormKitty handled swift credential theft while SilentTrinity provided discreet, long-term access, indicating an attack strategy aimed at both immediate profit and prolonged system exploitation.

Investigators traced several Venom RAT samples back to a likely single perpetrator, supported by shared infrastructure components such as a C2 server at IP address 67.217.228[.]160 on port 4449.
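As an added defender-side example (not from the article or the researchers' report), the script below refangs the indicators named above, scans constructed proxy, file and flow log lines for each stage of the described chain (the fake download site, Storeinstaller.exe, and the C2 on port 4449), and flags hosts seen at more than one stage; it also generalises the domain check to any brand lookalike. The log format, the sample hosts and the bitdefender.com apex domain are assumptions.

```python
from collections import defaultdict
# Indicators as named in the article, kept defanged as published.
IOCS = {"fake_domain": "bitdefender-download[.]com", "dropper_name": "storeinstaller.exe",
        "c2_ip": "67.217.228[.]160", "c2_port": 4449}
LEGIT_DOMAINS = {"bitdefender.com"}  # assumption: the vendor's real apex domain

def refang(value: str) -> str:
    return value.replace("[.]", ".")  # '[.]' -> '.' so indicators compare with live logs

def lookalike_brand(host: str) -> bool:
    """True for hosts carrying the brand name that are not the real domain or a subdomain of it."""
    host = host.lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS):
        return False
    return "bitdefender" in host

def parse_line(line: str) -> dict:
    """Parse a constructed '<kind> k=v k=v ...' log line into a dict."""
    kind, rest = line.split(" ", 1)
    return {"kind": kind, **dict(kv.split("=", 1) for kv in rest.split())}

def find_hits(lines):
    """Return (source host, chain stage, matched value) for lines touching the reported chain."""
    fake, c2 = refang(IOCS["fake_domain"]), refang(IOCS["c2_ip"])
    hits = []
    for rec in map(parse_line, lines):
        if rec["kind"] == "proxy":
            host = rec["host"].lower()
            if host == fake:
                hits.append((rec["src"], "known fake AV domain", host))
            elif lookalike_brand(host):
                hits.append((rec["src"], "brand lookalike domain", host))
        elif rec["kind"] == "file" and rec["name"].lower() == IOCS["dropper_name"]:
            hits.append((rec["src"], "reported dropper filename", rec["name"]))
        elif rec["kind"] == "flow" and rec["dst"] == c2 and int(rec["dport"]) == IOCS["c2_port"]:
            hits.append((rec["src"], "reported C2 address:port", f"{c2}:{rec['dport']}"))
    return hits

def correlate(hits):
    # Hosts seen at two or more distinct stages of the chain are the ones to triage first.
    stages = defaultdict(set)
    for src, stage, _ in hits:
        stages[src].add(stage)
    return {src: sorted(s) for src, s in stages.items() if len(s) >= 2}

# Constructed sample telemetry (not from the article): host 10.0.0.5 walks the whole chain.
SAMPLE_LOGS = [
    "proxy src=10.0.0.5 host=bitdefender-download.com",
    "file src=10.0.0.5 name=Storeinstaller.exe",
    "flow src=10.0.0.5 dst=67.217.228.160 dport=4449",
    "proxy src=10.0.0.9 host=bitdefender-update.example",
]
```

Running `correlate(find_hits(SAMPLE_LOGS))` returns only 10.0.0.5 with all three reported stages; the lookalike hit on 10.0.0.9 alone is a lead, not a confirmed infection.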

This malicious infrastructure is interconnected with other phishing campaigns impersonating financial institutions and IT service providers, including sites designed to steal login credentials for Microsoft and the Royal Bank of Canada.

This incident shows that cybercriminals are inclined to use modular, open-source malware components that enable them to form highly adaptable and evasive threats.

Although open-source tools’ transparency can assist in detection, they also diminish the barriers for malicious actors. Lastly, everyday users are the targets of such operations, as counterfeit login pages and malware offered as legitimate software jeopardise their bank accounts and digital assets.
