Bitcoin Forum
Topic: [PSA]: Cyber Actors clone Bitdefender's AV for Windows with crypto stealer
Dave1 (OP), Hero Member
May 30, 2025, 06:22:25 AM, #1 (Merited by Mia Chloe (2))

Cyber actors recently cloned a famous anti-virus software, Bitdefender, as reported.



As you can see, it's very hard to distinguish visually what's real and what's fake. The only difference is that the real Bitdefender website uses the word "free" often as compared to the fake site.

The fake URL is:
Code:
https[:]//bitbucket[.]org/sadsafsadfsadf/dsfgdsgssdfgdsg/downloads/BitDefender.zip

And it contains the stealer malware VenomRAT + SilentTrinity and StormKitty.

Quote
The inclusion of SilentTrinity and StormKitty (both open-source malware tools) indicates the attacker’s dual focus: rapidly harvesting financial credentials and crypto wallets during initial access, while also establishing stealthy, persistent access for potential long-term exploitation. The implications of long term access may include repeat compromise or selling access.

https://dti.domaintools.com/VenomRAT/

So it's really a dangerous world out there. Especially since cyber actors are now duplicating this anti-virus software, and we might let our guard down thinking that we are downloading from the real site.

And then later on lose our crypto because we unfortunately didn't verify everything first.

We really need to be very vigilant moving forward, as criminal groups are increasing the sophistication of their attacks to steal from us.


Japinat, Hero Member
May 30, 2025, 08:05:12 AM, #2 (Merited by Mia Chloe (1))

Another successful attempt again. There are so many cases like this but it’s nothing new. We just really need to verify things.

Even before, a lot of people got scammed with that fake Electrum app. Now it's antivirus? Feels like every app these days could be risky. Gotta be careful with what we install.

As for me, I don’t use any of that stuff. I’m a Windows user, and I just stick with Windows Defender. I even read a post here before someone said they don’t use antivirus at all, just really careful with browsing and downloads.

Cricktor, Legendary
May 30, 2025, 11:25:47 AM, #3 (Merited by Mia Chloe (1))

Verify the websites from where you initiate downloads! That should be common security practice. If you're not sure, don't use or download. Seriously, who downloads any anti-virus software from such a repository URL? Always check the legitimacy of download sources.

And what about the cloned fake Bitdefender website? The fake website domain is what specifically? Report fake websites that distribute malware!

joniboini, Legendary
May 31, 2025, 04:10:21 AM, #4

If I remember correctly, other articles explain how these scammers run a phishing campaign through ads, malicious pop-ups on regular websites, or emails to spread the fake website, including this Bitdefender clone. It shouldn't be that hard to avoid if you know that most ads contain malware and you don't download or copy random files from another device.

btc_angela, Hero Member
May 31, 2025, 04:44:05 AM, #5

Quote
If I remember correctly, other articles explain how these scammers run a phishing campaign through ads, malicious pop-ups on regular websites, or emails to spread the fake website, including this Bitdefender clone. It shouldn't be that hard to avoid if you know that most ads contain malware and you don't download or copy random files from another device.

True, but if these ads keep popping up on the first page of Google, these criminals are betting that someone will fall for the trick of clicking it and then downloading the zip file that contains this malware.

So in a sense Google has this responsibility, but we all know that it's all about the money. If the criminals have paid them to put their ads on the first page, then it's all go for them. The best weapon for us is to be self-aware and educate ourselves about these kinds of attacks.

promise444c5, Hero Member
June 04, 2025, 09:37:34 PM, #6

I don't really trust Windows AV anyway.. but is this new again? Because there was some similar activity before where hackers were hosting malware through Bitbucket, and your thread seems to be saying it as well.. I found the Research Blog from Cybereason. Although the article seems to be pointing to a new method...

Quote
Seriously, who downloads any anti-virus software from such a repository URL?

They were just the host (Bitbucket).. there will probably be another domain initiating the download from the URL mentioned by OP using:
Code:
https://bitbucket.org/{username}/{repository}/get/<zip>

I'm not sure whatever might happen from there; maybe a file is downloaded that probably has an execution to download from the other source, but the article says "redirects" (which I don't really get)..
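As an added example (not code from any poster in this thread), here is a small Python checker for the "verify where you download from" advice in posts #1, #3 and #6: it refangs a defanged indicator like the one quoted in the OP, then reports whether the host is the vendor's own domain, a generic code/file-hosting service (the Bitbucket download pattern from post #6), or a lookalike that merely contains the vendor's name. The official vendor domain (assumed here to be bitdefender.com), the list of generic hosting services, and all sample URLs other than the OP's are assumptions constructed for the example.

```python
"""Added example: classify a software-download URL by where it would fetch from.

Refangs defanged indicators (hxxp, [.], [:]) such as the one quoted in the OP,
then reports whether the host is the vendor's own domain, a generic
code/file-hosting service (the Bitbucket pattern from post #6), or a
lookalike host that merely contains the vendor's name.
"""
from urllib.parse import urlsplit

# Constructed for this example: services that are legitimate but are not
# where an AV vendor ships its installer. bitbucket.org is the host named
# in the thread; the others are common file/code hosts added for illustration.
GENERIC_HOSTING = {
    "bitbucket.org", "github.com", "gitlab.com",
    "dropbox.com", "drive.google.com", "mega.nz",
}


def refang(indicator: str) -> str:
    """Turn a defanged IoC (hxxps[:]//host[.]tld) back into a parseable URL."""
    s = indicator.strip()
    for defanged, real in (("[:]", ":"), ("[.]", "."), ("(.)", "."), ("{.}", ".")):
        s = s.replace(defanged, real)
    if s.lower().startswith("hxxp"):
        s = "http" + s[4:]
    return s


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Simplification: no public-suffix list,
    so co.uk-style domains are not handled; fine for the hosts used here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_download_url(url: str, vendor_domain: str) -> tuple:
    """Return (verdict, host). Verdicts: invalid, insecure-transport,
    official, generic-hosting, lookalike, unknown."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    vendor_domain = vendor_domain.lower()
    if not host:
        return ("invalid", host)
    if parts.scheme != "https":
        return ("insecure-transport", host)
    # Exact vendor domain or a subdomain of it.
    if host == vendor_domain or host.endswith("." + vendor_domain):
        return ("official", host)
    # A repository or file host: legitimate service, but not the vendor.
    if host in GENERIC_HOSTING or registrable_domain(host) in GENERIC_HOSTING:
        return ("generic-hosting", host)
    # Vendor name embedded in a foreign host, e.g. a typosquat or clone site.
    vendor_name = vendor_domain.split(".")[0]
    if vendor_name in host:
        return ("lookalike", host)
    return ("unknown", host)


if __name__ == "__main__":
    # Constructed inputs: the defanged URL quoted in the OP, the Bitbucket
    # pattern from post #6 with placeholder user/repo, and made-up hosts.
    samples = [
        "https[:]//bitbucket[.]org/sadsafsadfsadf/dsfgdsgssdfgdsg/downloads/BitDefender.zip",
        "https://bitbucket.org/someuser/somerepo/get/main.zip",
        "https://www.bitdefender.com/placeholder/installer.exe",
        "https://bitdefender-free-download.example/setup.zip",
        "http://www.bitdefender.com/placeholder/installer.exe",
    ]
    for s in samples:
        verdict, host = classify_download_url(s, "bitdefender.com")
        print(f"{verdict:18} {host:40} {s}")
```

The verdicts are deliberately coarse: "generic-hosting" does not mean the service is malicious, only that an installer served from there is not coming from the vendor, which is exactly the signal the OP's URL gives away once it is refanged.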

Trêvoid, Copper Member, Sr. Member
June 05, 2025, 06:33:18 AM, #7

Only download antivirus software from the official websites and always verify the URL before installing anything.

Lucius, Legendary
June 05, 2025, 03:16:06 PM, #8

Quote
Only download antivirus software from the official websites and always verify the URL before installing anything.

If at least the majority would stick to the rule of always checking whether they are on a legitimate website and not downloading any suspicious files, various "hackers" would have lost their jobs a long time ago. People are simply careless, uneducated and rash, which is a perfect combination for hackers.

By the way, on one occasion I tried the mentioned AV, and it was one of the worst ones I've tried, not only in terms of functionality, but also in terms of uninstallation.

joniboini, Legendary
June 07, 2025, 03:58:20 AM, #9

Quote
So in a sense Google has this responsibility, but we all know that it's all about the money. If the criminals have paid them to put their ads on the first page, then it's all go for them. The best weapon for us is to be self aware and educate ourselves with this kind of attacks.
To be fair to them, they do take down malicious ads. I remember reading somewhere that they took down 2 million fake apps and ads last year. I can't verify the numbers, but it's not a huge surprise since they're more or less the biggest company that handles marketing for many companies. Fortunately, using an ad blocker can easily solve this, on top of having enough knowledge to spot malicious ads. It's in their best interest to make sure their platform won't be riddled with scammers anyway, so that's that.

rdluffy, Legendary
June 07, 2025, 04:17:25 AM, #10

Quote
Only download antivirus software from the official websites and always verify the URL before installing anything.

A big problem is teaching a slightly more lay user to check whether the site is official or not, and it can be quite confusing to know whether it is or not.
What I always recommend to people is to check X and Discord for official links, but not everyone has the patience to do this with all the apps they use.

Even so, there is a small possibility that the social networks may have been hacked and directed you to a malicious link.

And sometimes they make the URL very similar to the official link.

 