Bogus Avast website fakes virus scan, installs Venom Stealer instead

A fake Avast-branded website performs a staged “virus scan” that prompts users to download a malicious file (Avast_system_cleaner.exe) which is actually Venom Stealer, a data-stealing payload that harvests browser credentials, session cookies, and cryptocurrency wallet data. The malware masquerades as a Chrome service (v20svc.exe), is packed with a crypter to evade detection, and exfiltrates stolen data over HTTP to app-metrics-cdn[.]com. #VenomStealer #Avast

Keypoints

  • Attackers cloned the Avast website UI to stage a fake scan that always reports infections and prompts the user to download “Avast_system_cleaner.exe” (the malicious payload).
  • The delivered binary copies itself to C:\Program Files\Google\Chrome\Application\v20svc.exe to masquerade as a legitimate Chrome service and uses the –v20c flag to mark second-stage execution.
  • The sample is packed with a crypter (PDB path ‘crypter_stub.pdb’) and only ~27% of VirusTotal engines flagged it at analysis time, enabling widespread AV evasion.
  • Venom Stealer harvests browser-stored credentials and session cookies (including active sessions for services like Google, Microsoft, Netflix, Facebook, and more), captures screenshots, and targets desktop cryptocurrency wallets.
  • All stolen data is exfiltrated over unencrypted HTTP to a single C2 domain (app-metrics-cdn[.]com → 104.21.14.89) via structured POST endpoints and a heartbeat loop.
  • The malware employs multiple anti-analysis and evasion techniques: direct/indirect system calls, debugger checks, sleep loops, system and process enumeration, and memory guard pages.

MITRE Techniques

  • [T1036.005] Masquerading – The binary is named and placed to look like a legitimate Chrome component to avoid casual inspection: ‘copies itself into a location designed to blend in with legitimate software: C:\Program Files\Google\Chrome\Application\v20svc.exe.’
  • [T1027.002] Software Packing – The sample was packed with a crypter to evade signature detection: ‘the PDB path reads crypter_stub.pdb, indicating the executable was packed using a crypter.’
  • [T1204.002] User Execution: Malicious File – The attack relies on a user downloading and executing a deceptive installer presented as a fix: ‘the victim is then prompted to download the cure: a file called Avast_system_cleaner.exe.’
  • [T1555.003] Credentials from Web Browsers – The malware harvests stored browser credentials and cookies from browser files and process memory: ‘Behavioral analysis confirms the malware harvests saved credentials and session cookies.’
  • [T1539] Steal Web Session Cookie – Stolen session cookies for many services were observed in memory, enabling session hijacking: ‘Process memory also contained fully-formed JSON structures with stolen cookie data… including active sessions for Netflix, YouTube, Reddit, Facebook…’
  • [T1113] Screen Capture – The stealer captures the victim’s desktop as evidence or additional data: ‘it captures a screenshot of the victim’s desktop, saved temporarily as C:\Users\<username>\AppData\Local\Temp\screenshot_5sIczFxY95t2IQ5u.jpg.’
  • [T1071.001] Application Layer Protocol: Web Protocols (HTTP) – Stolen data and telemetry are exfiltrated over plain HTTP to C2 endpoints: ‘A multipart form-data POST to /api/upload… a second POST to /api/upload-json… confirmation POST to /api/upload-complete.’
  • [T1041] Exfiltration Over Command and Control Channel – The campaign uses a C2 domain for structured data theft and periodic heartbeat checks: ‘exfiltrated to a single command-and-control domain: app-metrics-cdn[.]com… the malware then enters a heartbeat loop, periodically checking in at /api/listener/heartbeat.’
  • [T1106] Native API (Direct System Calls) – The malware invokes kernel functions directly to evade user-mode hooks and endpoint detection: ‘use of direct and indirect system calls… invokes Windows kernel functions directly rather than routing through the standard ntdll.dll library.’
  • [T1497] Virtualization/Sandbox Evasion – The sample performs environment checks and anti-debugging to detect analysis environments: ‘The malware also checks whether it is being debugged, queries CPU vendor and model information, reads the volume serial number… creates guard pages in memory… and enumerates running processes.’
  • [T1057] Process Discovery – The malware enumerates running processes as part of its anti-analysis and environment discovery routines: ‘enumerates running processes.’

Indicators of Compromise

  • [File Hash] Malicious binaries – SHA-256: ecbeaa13921dbad8028d29534c3878503f45a82a09cf27857fa4335bd1c9286d, MD5: 0a32d6abea15f3bfe2a74763ba6c4ef5
  • [Domain] Command-and-control / exfiltration endpoint – app-metrics-cdn[.]com
  • [IP Address] Infrastructure observed during analysis – 104.21.14.89
  • [C2 URLs] Exfiltration and beacon endpoints – http://app-metrics-cdn[.]com/api/upload, http://app-metrics-cdn[.]com/api/upload-json, and other endpoints (/api/upload-complete, /api/listener/heartbeat)
  • [File Names / Paths] Dropped and staged files observed on infected hosts – Avast_system_cleaner.exe (installer), C:\Program Files\Google\Chrome\Application\v20svc.exe (dropped payload), C:\Users\<username>\AppData\Local\Temp\screenshot_*.jpg (temporary screenshot), and C:\Users\Public\NTUSER.dat (marker file)
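As an added example (not part of the Malwarebytes report), the following script turns the indicators above into two simple detections a defender can run over host and proxy telemetry: a check on a Sysmon-style process-creation event for the v20svc.exe masquerade, the second-stage flag and the known SHA-256, and a check on HTTP proxy lines for the C2 endpoints plus a near-constant heartbeat interval. The event fields, the single-line proxy log format and the HTTP method used for heartbeats are assumptions; the sample data is constructed.

```python
import re

# Indicators as given in the report above (domain and IP are written defanged there).
C2_DOMAIN = "app-metrics-cdn.com"
C2_IP = "104.21.14.89"
C2_PATHS = {"/api/upload", "/api/upload-json", "/api/upload-complete", "/api/listener/heartbeat"}
SHA256 = "ecbeaa13921dbad8028d29534c3878503f45a82a09cf27857fa4335bd1c9286d"
MASQ_IMAGE = r"c:\program files\google\chrome\application\v20svc.exe"

def check_process_event(ev):
    """Findings for one Sysmon-style process-creation event (a dict; field names assumed)."""
    findings = []
    if ev.get("Image", "").lower() == MASQ_IMAGE:
        findings.append("T1036.005: v20svc.exe masquerading in Chrome application dir")
        # The summary renders the flag as '-v20c'; match one or two leading dashes.
        if re.search(r"-+v20c\b", ev.get("CommandLine", "").lower()):
            findings.append("second-stage flag v20c on command line")
    if SHA256 in ev.get("Hashes", "").lower():
        findings.append("known Venom Stealer SHA-256")
    return findings

def check_proxy_lines(lines):
    """Flag requests to the C2 endpoints and tell whether heartbeats are periodic.
    Each line is 'epoch METHOD host path' (a constructed log format)."""
    hits, beats = [], []
    for line in lines:
        ts, method, host, path = line.split()
        if host in (C2_DOMAIN, C2_IP) and path in C2_PATHS:
            hits.append((method, path))
            if path == "/api/listener/heartbeat":
                beats.append(int(ts))
    gaps = [b - a for a, b in zip(beats, beats[1:])]
    periodic = len(gaps) >= 2 and max(gaps) - min(gaps) <= 2  # near-constant interval
    return hits, periodic

# Constructed sample data modelled on the reported behaviour.
SAMPLE_PROC = {
    "Image": r"C:\Program Files\Google\Chrome\Application\v20svc.exe",
    "CommandLine": r'"C:\Program Files\Google\Chrome\Application\v20svc.exe" -v20c',
    "Hashes": "SHA256=ECBEAA13921DBAD8028D29534C3878503F45A82A09CF27857FA4335BD1C9286D",
}
SAMPLE_PROXY = [
    "1700000000 POST app-metrics-cdn.com /api/upload",
    "1700000003 POST app-metrics-cdn.com /api/upload-json",
    "1700000005 POST app-metrics-cdn.com /api/upload-complete",
    "1700000065 POST app-metrics-cdn.com /api/listener/heartbeat",  # method assumed
    "1700000125 POST app-metrics-cdn.com /api/listener/heartbeat",
    "1700000185 POST app-metrics-cdn.com /api/listener/heartbeat",
    "1700000190 GET www.example.com /index.html",  # benign traffic, ignored
]
```

Run `check_process_event(SAMPLE_PROC)` and `check_proxy_lines(SAMPLE_PROXY)` to see the three host findings and the six C2 hits with a periodic heartbeat.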

Read more: https://www.malwarebytes.com/blog/threat-intel/2026/03/bogus-avast-website-fakes-virus-scan-installs-venom-stealer-instead