Crooks Use Fake Antivirus Site to Spread Venom RAT and Malware
Researchers at DomainTools Intelligence have uncovered a sophisticated phishing campaign that uses a fake Bitdefender website to spread the Venom remote access trojan (RAT) together with a mix of other malware. The fake site, "bitdefender-download[.]com," was designed to trick unsuspecting users into downloading what they believed was the antivirus software, only to unleash an arsenal of malicious tools on their systems.
"A malicious campaign using a fake website to spread Venom RAT, a Remote Access Trojan (RAT), is detailed in this analysis. The malware includes tools for password theft and stealthy access," reads the report published by DomainTools. "This research examines the attackers' methods, such as deceptive websites and command infrastructure, indicating a clear intent to target individuals for financial gain by compromising their credentials, crypto wallets, and potentially selling access to their systems."
The Venom RAT: A Tool of Malicious Intent
The Venom RAT is a highly sophisticated piece of malware designed to steal passwords and cryptocurrency wallets and to give its operators system access that can be sold for financial gain. It supports remote control, credential theft, keylogging, and data exfiltration, making it a formidable tool in the hands of malicious actors.
According to DomainTools researchers, multiple Venom RAT samples likely came from the same attacker, based on shared details like the same C2 server at IP 67.217.228[.]160 on port 4449. This suggests that the attackers are using a modular approach to their malware, building it from open-source components to create a highly adaptable and efficient attack vector.
The Role of StormKitty and SilentTrinity
In this campaign, attackers also used StormKitty to quickly steal credentials and SilentTrinity for stealthy, long-term access. StormKitty is an open-source stealer that can be used to extract sensitive information from compromised systems, while SilentTrinity is a post-exploitation framework designed to provide persistent, stealthy access to victim systems.
Together, these tools suggest that the attackers' goals are not only immediate financial gain but also long-term system control for future use or resale. This underscores the importance of vigilance and awareness among internet users, who are often the primary victims of such attacks.
The Importance of Awareness
DomainTools notes that this campaign highlights a recurring trend in cybercrime: attackers using sophisticated, modular malware built from open-source components to create highly adaptable and efficient attack vectors. While security experts may be able to spot these tools more quickly because their source is public, the primary victims here are everyday internet users.
"These criminals are after your hard-earned money, targeting your bank accounts and cryptocurrency wallets with fake login pages and malware disguised as safe software," concludes the report. "It's essential to stay informed and vigilant, especially when it comes to antivirus software and online security."
Indicators of Compromise
The full report provides a comprehensive overview of the malicious campaign, including indicators of compromise (IoCs) for security professionals. These IoCs include the fake Bitdefender website, the C2 server IP address and port, and other command infrastructure used by the attackers.
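The indicators the article names (the fake domain and the C2 address on port 4449) are published in defanged form, so a defender has to refang them before matching them against telemetry. The script below is an added example, not code from the article or from DomainTools: it refangs the two indicators quoted above and scans constructed proxy and firewall log lines (the log format and the client addresses are invented for the example) for hostnames under the fake domain, for the C2 IP with the reported port, and, at lower confidence, for the C2 IP on any other port.

```python
"""Added example: refang the indicators named in the article and match them
against constructed log lines. The log format below is assumed, not a real
product's output."""
import re
from dataclasses import dataclass

# Indicators exactly as the article publishes them, in defanged notation.
DEFANGED_IOCS = {
    "domain": "bitdefender-download[.]com",
    "c2_ip": "67.217.228[.]160",
    "c2_port": 4449,
}


def refang(indicator: str) -> str:
    """Undo the common report defanging ('[.]', 'hxxp') so the value can be matched."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


@dataclass
class Hit:
    line_no: int
    kind: str   # "domain", "c2" (IP and port), or "c2_ip" (IP on another port)
    line: str


def build_patterns(iocs: dict) -> dict:
    domain = re.escape(refang(iocs["domain"]))
    ip = re.escape(refang(iocs["c2_ip"]))
    port = int(iocs["c2_port"])
    return {
        # hostname equal to the fake domain or any subdomain of it
        "domain": re.compile(rf"(?<![\w.-])(?:[\w-]+\.)*{domain}(?![\w-])", re.I),
        # C2 IP with the reported port: high confidence
        "c2": re.compile(rf"(?<![\d.]){ip}:{port}(?!\d)"),
        # C2 IP on any port: lower confidence, still worth a look
        "c2_ip": re.compile(rf"(?<![\d.]){ip}(?![\d.])"),
    }


def scan(log_text: str, iocs: dict = DEFANGED_IOCS) -> list:
    """Return one Hit per matching line; an IP:port match suppresses the weaker IP-only match."""
    pats = build_patterns(iocs)
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if pats["domain"].search(line):
            hits.append(Hit(n, "domain", line))
        if pats["c2"].search(line):
            hits.append(Hit(n, "c2", line))
        elif pats["c2_ip"].search(line):
            hits.append(Hit(n, "c2_ip", line))
    return hits


# Constructed sample telemetry: one DNS line, two proxy lines, two firewall lines.
SAMPLE_LOG = """\
2025-05-27T10:01:02Z dns query=www.bitdefender.com client=10.0.0.5
2025-05-27T10:03:44Z proxy host=bitdefender-download.com uri=/download/setup.exe client=10.0.0.5
2025-05-27T10:04:10Z fw src=10.0.0.5:51234 dst=67.217.228.160:4449 proto=tcp action=allow
2025-05-27T10:04:11Z fw src=10.0.0.5:51235 dst=67.217.228.160:443 proto=tcp action=allow
2025-05-27T10:05:00Z proxy host=cdn.example-update.net uri=/x client=10.0.0.7
"""

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.kind}: {h.line}")
```

The legitimate `www.bitdefender.com` lookup on the first line is deliberately not flagged: the domain pattern anchors on the whole fake hostname, so a lookalike domain does not cause hits on the vendor's real one. The port-qualified match is kept separate from the bare-IP match because shared hosting can put unrelated services behind the same address, and an analyst will want to triage the two differently.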
By staying informed and aware of such attacks, we can better protect ourselves against the ever-evolving threat landscape.