Warning: Fake antivirus websites spread Android and Windows malware

admin, 27 May 2024 15:17:36

Threat actors have been observed making use of fake websites masquerading as legitimate antivirus solutions from Avast, Bitdefender, and Malwarebytes to propagate malware capable of stealing sensitive information from Android and Windows devices.


"Hosting malicious software through sites which look legitimate is predatory to general consumers, especially those who look to protect their devices from cyber attacks," Trellix security researcher Gurumoorthi Ramanathan said.


The list of websites is below:


  • avast-securedownload[.]com, which is used to deliver the SpyNote trojan in the form of an Android package file ("Avast.apk") that, once installed, requests intrusive permissions to read SMS messages and call logs, install and delete apps, take screenshots, track location, and even mine cryptocurrency


  • bitdefender-app[.]com, which is used to deliver a ZIP archive file ("setup-win-x86-x64.exe.zip") that deploys the Lumma information stealer malware


  • malwarebytes[.]pro, which is used to deliver a RAR archive file ("MBSetup.rar") that deploys the StealC information stealer malware


The cybersecurity firm said it also uncovered a rogue Trellix binary named "AMCoreDat.exe" that serves as a conduit to drop a stealer malware capable of harvesting victim information, including browser data, and exfiltrating it to a remote server.
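As an added defender-side example (not code from the article or from Trellix), the script below refangs the indicators listed above and flags proxy log lines that reference one of the listed domains (including as a subdomain) or one of the named payload files. The log format and client addresses are constructed for the example.

```python
import re

# Indicators as published in the article, kept in defanged "[.]" form.
DEFANGED_DOMAINS = [
    "avast-securedownload[.]com",
    "bitdefender-app[.]com",
    "malwarebytes[.]pro",
]
# File names the article associates with the campaign.
PAYLOAD_NAMES = ["Avast.apk", "setup-win-x86-x64.exe.zip", "MBSetup.rar", "AMCoreDat.exe"]


def refang(indicator):
    """Turn a defanged indicator ("example[.]com") back into a matchable host name."""
    return indicator.replace("[.]", ".")


DOMAINS = [refang(d) for d in DEFANGED_DOMAINS]


def scan_proxy_log(lines):
    """Return (line_number, reason) for each line that touches a listed domain or payload.

    A domain matches only as a whole host label sequence (exact host or a subdomain),
    so "avast.com" is not flagged by "avast-securedownload.com" or vice versa.
    """
    hits = []
    for number, line in enumerate(lines, 1):
        lowered = line.lower()
        for domain in DOMAINS:
            host_pattern = r"(^|[/\s.@])" + re.escape(domain) + r"([/\s:]|$)"
            if re.search(host_pattern, lowered):
                hits.append((number, "domain:" + domain))
                break
        else:
            for payload in PAYLOAD_NAMES:
                if payload.lower() in lowered:
                    hits.append((number, "payload:" + payload))
                    break
    return hits


# Constructed sample proxy log lines (timestamp, client, method, URL, status).
SAMPLE_LOG = [
    "2024-05-27T10:01:02Z 10.0.0.5 GET https://www.avast.com/download 200",
    "2024-05-27T10:02:10Z 10.0.0.7 GET https://avast-securedownload.com/Avast.apk 200",
    "2024-05-27T10:03:44Z 10.0.0.9 GET https://cdn.bitdefender-app.com/setup-win-x86-x64.exe.zip 200",
    "2024-05-27T10:05:00Z 10.0.0.3 GET https://example.org/MBSetup.rar 200",
    "2024-05-27T10:06:21Z 10.0.0.4 GET https://www.malwarebytes.com/ 200",
]

if __name__ == "__main__":
    for number, reason in scan_proxy_log(SAMPLE_LOG):
        print(f"line {number}: {reason}")
```

The legitimate avast.com and malwarebytes.com requests are left alone; only the look-alike hosts and the named archive are reported.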


It's currently not clear how these bogus websites are distributed, but similar campaigns in the past have employed techniques such as malvertising and search engine optimization (SEO) poisoning.


Stealer malware has increasingly become a common threat, with cybercriminals advertising numerous custom variants with varying levels of complexity. This includes new stealers like Acrid, SamsStealer, ScarletStealer, and Waltuhium Grabber, as well as updates to existing ones such as SYS01stealer (aka Album Stealer or S1deload Stealer).

"The fact that new stealers appear every now and then, combined with the fact that their functionality and sophistication varies greatly, indicates that there is a criminal market demand for stealers," Kaspersky said in a recent report.


Earlier this week, the Russian cybersecurity firm also detailed a Gipy malware campaign that capitalizes on the popularity of artificial intelligence (AI) tools by advertising a fake AI voice generator via phishing websites.


Once installed, Gipy loads third-party malware hosted on GitHub, ranging from information stealers (Lumma, RedLine, RisePro, and LOLI Stealer) and cryptocurrency miners (Apocalypse ClipBanker) to remote access trojans (DCRat and RADXRat) and backdoors (TrueClient).


The development comes as researchers have discovered a new Android banking trojan called Antidot that disguises itself as a Google Play update to facilitate information theft by abusing Android's accessibility and MediaProjection APIs.


"Functionality-wise, Antidot is capable of keylogging, overlay attacks, SMS exfiltration, screen captures, credentials theft, device control, and execution of commands received from the attackers," Broadcom-owned Symantec said in a bulletin.



Reference

[1]https://thehackernews.com/2024/05/fake-antivirus-websites-deliver-malware.html


Originally published on the WeChat public account 知机安全: Warning: Fake antivirus websites spread Android and Windows malware

Reposts should retain the link to this article (CN-SEC 中文网, with thanks to the original author): https://cn-sec.com/archives/2782125.html
