Fake antivirus websites try to trick victims with malware

Trellix has discovered several fake antivirus websites. The criminal operators use them to distribute malware.

Stylized image: a search returns spam and malware

The search returns spam, malware and scams.

(Image: created with AI in Bing Designer by heise online / dmk)

This article was originally published in German and has been automatically translated.

People searching for antivirus programs could end up on fake websites. The antivirus specialists at Trellix (the former enterprise division of McAfee is now part of the company) warn that criminals are using such sites to distribute malware instead of the protection software visitors are looking for.

The fake sites imitate the original websites as far as possible. However, they deliver malware instead of protection software.

(Image: trellix.com)

In mid-April, members of Trellix's Advanced Research Center tracked down several fake antivirus websites. These hosted highly sophisticated malicious files: .apk and .exe binaries as well as installers built with the Inno Setup system. Their functions include espionage and data theft. They were apparently aimed at end users in general who were looking for protection for their devices.

The fake websites copy the look of the original site but deliver malware instead of the sought-after device protection software, and some of the file names directly match the impersonated company: an Avast.apk was lurking on avast-securedownload[.]com, bitdefender-app[.]com delivered setup-win-x86-x64.exe.zip, and malwarebytes[.]pro delivered an MBSetup.rar. Without naming the associated URLs, Trellix adds that such websites also distributed a fake Trellix binary named AMCoreDat.exe.
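The pattern described above (a brand name inside a lookalike domain, serving a branded executable or archive) lends itself to a simple proxy-log check. The following is an added example, not code from Trellix or heise online; the log format, the timestamps and client IPs, and the list of legitimate apex domains are assumptions constructed for the demonstration, while the lookalike hosts and file names are the ones named in the article.

```python
import re
from urllib.parse import urlparse

# Assumed mapping of brand tokens to their legitimate apex domains
# (constructed for this example; extend for the brands your users download).
LEGIT_DOMAINS = {
    "avast": {"avast.com"},
    "bitdefender": {"bitdefender.com"},
    "malwarebytes": {"malwarebytes.com"},
    "trellix": {"trellix.com"},
}
# Installer/archive extensions worth flagging when served by a lookalike host.
PAYLOAD_EXT = re.compile(r"\.(apk|exe|zip|rar|msi)$", re.IGNORECASE)

def is_legit_host(host, apexes):
    """True if host is one of the apex domains or a subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in apexes)

def flag_lookalike(url):
    """Return (brand, host, filename) when a brand token appears in a host that
    is not the brand's own domain and the path ends in a payload-like file."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    fname = p.path.rsplit("/", 1)[-1]
    for brand, apexes in LEGIT_DOMAINS.items():
        if brand in host and not is_legit_host(host, apexes):
            if PAYLOAD_EXT.search(fname):
                return (brand, host, fname)
    return None

def scan_proxy_log(lines):
    """Parse constructed 'timestamp client-ip url' lines; return a list of
    (client-ip, brand, host, filename) hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        r = flag_lookalike(parts[2])
        if r:
            hits.append((parts[1],) + r)
    return hits

# Constructed sample log: one benign vendor download, three article lookalikes.
SAMPLE_LOG = [
    "2024-04-15T10:01:02Z 10.0.0.5 https://www.avast.com/download/AvastSetup.exe",
    "2024-04-15T10:02:11Z 10.0.0.7 http://avast-securedownload.com/Avast.apk",
    "2024-04-15T10:03:40Z 10.0.0.9 http://bitdefender-app.com/setup-win-x86-x64.exe.zip",
    "2024-04-15T10:05:03Z 10.0.0.9 https://malwarebytes.pro/MBSetup.rar",
    "2024-04-15T10:06:30Z 10.0.0.5 https://example.com/index.html",
]
```

Running `scan_proxy_log(SAMPLE_LOG)` yields the three lookalike downloads and leaves the genuine vendor host untouched; in practice the host check belongs next to a blocklist fed by the published IOCs.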

According to the Trellix analysis, the APK file bearing the Avast name can install and delete packages once it is on the smartphone. The malware can also read call logs, text messages, saved data and the phone status, access and change the network and Wi-Fi status, and record sound. It can take screenshots and comes with a crypto-miner and a location tracker. The supposed Bitdefender file contains the advanced Lumma stealer, which injects itself into the system's BitLockerToGo.exe and exfiltrates information. The malware on the fake Malwarebytes page, in turn, contains the StealC malware; it likewise steals information, including access tokens and Steam tokens. The fake Trellix software sends information about the PC (computer name, user name, memory, running processes, login data, browser and browser history, cookies and tokens) to the command and control server (C2C).

Finally, the virus analysts also provide Indicators of Compromise (IOCs) for the malware and the C2C servers. The websites mentioned are currently not reachable. Web browsers such as Chrome or Firefox also warn of fraudulent or dangerous websites when they are opened.

(dmk)