
Cybersecurity researchers have disclosed a new malicious campaign that uses fake websites advertising Bitdefender antivirus software to dupe victims into downloading a remote access trojan called VenomRAT.
The campaign “appears to be intended to target individuals for financial gain by harvesting their credentials, crypto wallets and potentially selling access to their systems,” the DomainTools Intelligence (DTI) team said in a new report shared with The Hacker News.
The website in question is “bitdefender-download[.]com”, which invites visitors to download the Windows version of the antivirus software. Clicking the prominent “Download for Windows” button starts a file download from a Bitbucket repository that redirects to an Amazon S3 bucket.
The ZIP archive (“Bitdefender.zip”) contains an executable called “storeinstaller.exe” that embeds a malware configuration associated with VenomRAT.

VenomRAT is a derivative of Quasar RAT with the ability to harvest data and provide persistent remote access to attackers.
DomainTools said the decoy Bitdefender website shares infrastructure with, and overlaps, other malicious domains spoofing banks and popular IT services that are used in phishing activity to harvest login credentials for the Royal Bank of Canada and Microsoft.
“These tools work in concert. VenomRAT sneaks in, StormKitty grabs passwords and digital wallet information, and SilentTrinity allows attackers to hide and maintain control,” the company said.
“This campaign highlights a constant trend. Attackers use sophisticated modular malware built from open source components. This ‘build-your-own malware’ approach makes these attacks more efficient, stealthy and adaptable.”
The disclosure comes as Sucuri warned of bogus Google Meet pages being used to deceive users into running a heavily obfuscated Windows batch script (“noanti-vm.bat”) that gives attackers remote control of the victim’s computer.

“This fake Google Meet page does not present a login form to directly steal your credentials,” said security researcher Puja Srivastava. “It instead employs social engineering tactics, presenting a fake ‘microphone permission denied’ error, prompting the user to copy and paste certain PowerShell commands as ‘fixes.’”
It also follows a surge in phishing attacks featuring highly sophisticated campaigns that spoof Meta by leveraging Google’s AppSheet no-code development platform.
“By leveraging cutting-edge tactics such as polymorphic identifiers, advanced intermediary proxy mechanisms and multi-factor authentication bypass technology, attackers aim to harvest credentials and two-factor authentication (2FA) codes,” KnowBe4 Threat Lab said in its report.

The campaign delivers phishing emails at scale using AppSheet, allowing the messages to pass email security checks such as SPF, DKIM and DMARC because they originate from a valid domain (“noreply@appsheet[.]com”).
The emails claim to come from Facebook Support and use account deletion warnings to trick users into clicking fake links under the pretext of filing an appeal within 24 hours. The booby-trapped link is designed to lead victims to adversary-in-the-middle (AITM) phishing pages that harvest credentials and two-factor authentication (2FA) codes.
“To further avoid detection and complicate remediation, attackers are leveraging AppSheet’s capabilities to generate unique IDs that are presented as case IDs in the body of the email,” the company said.
“The presence of a unique polymorphic identifier in each phishing email ensures that all messages are slightly different and can help bypass traditional detection systems that rely on static indicators such as hashes and known malicious URLs.”
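As an added illustration of that last point (example code written for this article, not from the KnowBe4 report): a defender can neutralize the per-message case ID by masking UUID-like tokens before hashing, so copies of one lure still collapse to a single template hash, and can flag a message that claims to be Facebook Support while arriving from an unrelated sender domain. The sample emails below are constructed.

```python
import hashlib
import re

# Constructed sample emails (not taken from the report): two copies of the same
# lure that differ only in the per-message "case ID" described above.
SAMPLE_A = """From: Facebook Support <noreply@appsheet.com>
Subject: Your account is scheduled for deletion

Case ID: 7c2d91f4-5b6e-4a0c-9d13-0e8a7b6c5d42
Your account will be deleted unless you submit an appeal within 24 hours.
"""
SAMPLE_B = SAMPLE_A.replace("7c2d91f4-5b6e-4a0c-9d13-0e8a7b6c5d42",
                            "a1b2c3d4-e5f6-4789-8abc-def012345678")

# Tokens that vary per message: UUIDs plus long hex or numeric runs used as case IDs.
VARIABLE_TOKEN = re.compile(
    r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b"
    r"|\b[0-9a-f]{16,}\b|\b\d{8,}\b",
    re.IGNORECASE,
)

def sender_domain(message: str) -> str:
    """Return the domain from the From: header (empty string if absent)."""
    m = re.search(r"^From:.*?<?([\w.+-]+)@([\w.-]+)>?\s*$", message, re.MULTILINE)
    return m.group(2).lower() if m else ""

def template_hash(message: str) -> str:
    """Hash the message with polymorphic identifiers masked, so copies that
    differ only in their case ID produce the same template hash."""
    masked = VARIABLE_TOKEN.sub("<ID>", message)
    return hashlib.sha256(masked.encode()).hexdigest()

def assess(message: str) -> dict:
    """Flag a brand/sender mismatch and urgency language, and return a template
    hash usable for clustering or blocking instead of a raw message hash."""
    domain = sender_domain(message)
    claims_meta = re.search(r"^From:.*\b(facebook|meta)\b", message, re.I | re.M) is not None
    legit = ("facebook.com", "facebookmail.com", "meta.com")  # assumed legitimate sender domains
    return {
        "sender_domain": domain,
        "brand_mismatch": claims_meta and not domain.endswith(legit),
        "urgency": re.search(r"within\s+\d+\s+hours", message, re.I) is not None,
        "template_hash": template_hash(message),
        "raw_hash": hashlib.sha256(message.encode()).hexdigest(),
    }

if __name__ == "__main__":
    for name, sample in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        print(name, assess(sample))
```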