Counterfeit Bitdefender Site Distributes Trio of Malicious Software Tools


A spoofed website masquerading as Bitdefender has been exploited in a cyber campaign to disseminate multiple malware tools, including VenomRAT. This malicious initiative aims to grant attackers extensive and unauthorized access to victims’ systems.

The fraudulent site, labeled “DOWNLOAD FOR WINDOWS,” is a deceptive replica of Bitdefender’s authentic antivirus download page but ultimately redirects users to harmful files hosted on platforms such as Bitbucket and Amazon S3.

The downloaded package features an executable file, StoreInstaller.exe, which sets off the infection sequence. Investigators have identified that this executable is bundled with elements from three distinct malware families: VenomRAT, StormKitty, and SilentTrinity.

Modular Malware Strategy

According to DomainTools, which uncovered this campaign, the operation uses a layered approach to compromise, with each malware family serving a specific purpose:

VenomRAT: Provides remote and persistent access to the compromised system.
StormKitty: Collects user credentials and cryptocurrency wallet information.
SilentTrinity: Supports covert data exfiltration and long-term system control.

This combination enables attackers to operate swiftly yet discreetly. The use of SilentTrinity and StormKitty, both open-source tools, indicates that the attackers are not solely interested in immediate exploitation but may be seeking prolonged access, potentially to sell access to the compromised systems.

VenomRAT originates from the Quasar RAT project and includes functionalities like keylogging, credential theft, and remote command execution (RCE). The malware samples associated with this operation exhibit similar configurations, particularly the reuse of command-and-control (C2) IP addresses such as 67.217.228[.]160:4449 and 157.20.182[.]72:4449.

Cyber analysts have traced additional VenomRAT samples and corresponding IPs by matching Remote Desktop Protocol (RDP) configurations, which revealed further infrastructure likely operated by the same threat actors.

Impersonation of Financial Institutions

In addition to the counterfeit antivirus site, researchers have uncovered several phishing domains that impersonate legitimate banks and IT service providers, including:

– idram-secure[.]live, replicating the Armenian IDBank
– royalbanksecure[.]online, mimicking the Royal Bank of Canada
– dataops-tracxn[.]com, posing as a Microsoft login page

These domains appeared at around the same time and share structural similarities, reinforcing the notion of a coordinated, financially motivated campaign.
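The C2 endpoints quoted above and the phishing domains just listed are the concrete indicators a defender can hunt for. The following script is an added example, not part of the DomainTools report or the original article: it refangs the "[.]"-defanged indicators exactly as printed on this page and scans constructed firewall and DNS log lines (the log format and internal addresses are assumptions for illustration) for connections to the C2 addresses and lookups of the phishing domains or their subdomains.

```python
import re
from ipaddress import ip_address

# Indicators quoted in the article, kept in their defanged "[.]" form.
DEFANGED_C2 = ["67.217.228[.]160:4449", "157.20.182[.]72:4449"]
DEFANGED_DOMAINS = ["idram-secure[.]live", "royalbanksecure[.]online",
                    "dataops-tracxn[.]com"]

def refang(indicator: str) -> str:
    """Undo the '[.]' defanging so the value can be compared with live log data."""
    return indicator.replace("[.]", ".")

def parse_c2(indicator: str) -> tuple[str, int]:
    """Split 'ip:port' and validate the address part; raises on malformed input."""
    host, _, port = refang(indicator).rpartition(":")
    return str(ip_address(host)), int(port)

# Match on the IP alone: the same host on another port is still worth a look.
C2_IPS = {ip for ip, _ in (parse_c2(i) for i in DEFANGED_C2)}
PHISH_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

# Assumed key=value log layout for firewall and DNS records (not from the article).
CONN_RE = re.compile(r"src=(\S+)\s+dst=(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
DNS_RE = re.compile(r"src=(\S+)\s+query=(\S+)")

def is_phish_domain(name: str) -> bool:
    """True for a listed domain or any subdomain of it (case-insensitive)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in PHISH_DOMAINS)

def scan(lines):
    """Return (kind, internal_host, indicator) for each line that hits an IoC."""
    hits = []
    for line in lines:
        m = CONN_RE.search(line)
        if m and m.group(2) in C2_IPS:
            hits.append(("c2", m.group(1), f"{m.group(2)}:{m.group(3)}"))
            continue
        m = DNS_RE.search(line)
        if m and is_phish_domain(m.group(2)):
            hits.append(("phish-domain", m.group(1), m.group(2).lower().rstrip(".")))
    return hits

# Constructed sample log lines (firewall and DNS), not taken from the article.
SAMPLE_LOGS = [
    "src=10.0.0.5 dst=67.217.228.160:4449 proto=tcp action=allow",
    "src=10.0.0.5 dst=67.217.228.160:443 proto=tcp action=allow",
    "src=10.0.0.7 query=login.idram-secure.live type=A",
    "src=10.0.0.8 query=royalbanksecure.online. type=A",
    "src=10.0.0.9 query=example.com type=A",
    "src=10.0.0.9 dst=157.20.182.72:4449 proto=tcp action=allow",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```

Matching on the C2 IP regardless of port is deliberate: the article ties port 4449 to these samples, but a known-bad host contacted on another port still deserves triage.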

Implications of Open-Source Cyber Tools

The reliance on open-source malware underscores the increasing accessibility of cybercriminal operations. By leveraging existing frameworks, attackers can swiftly construct adaptable and effective malware kits. While this trend may assist cybersecurity professionals in recognizing attack patterns, it also accelerates the potential volume and speed of cyber threats.

Experts advise users to remain vigilant, verify the sources of downloads, refrain from inputting credentials on suspicious sites, and exercise caution with links and attachments found in emails.