Researchers observed fake AV sites hosting APK/EXE and Inno installer files with spy/stealer capabilities, targeting consumers who trust legitimate-looking pages. The campaigns center on Avast-securedownload.com, bitdefender-app.com, malwarebytes.pro, and a malicious Trellix binary (AMCoreDat.exe) masquerading as legitimate software to exfiltrate data. #Avast #Bitdefender #Malwarebytes #Spynote #StealC #LummaStealer #AMCoreDat #C2C
Key points
- Fake AV sites host sophisticated malware payloads (APK, EXE, Inno installer) with spy/stealer capabilities for Android and Windows.
- Three host sites—avast-securedownload.com, bitdefender-app.com, malwarebytes.pro—deliver named files (Avast.apk, setup-win-x86-x64.exe.zip, MBSetup.rar).
- A malicious Trellix binary, AMCoreDat.exe, pretends to be legitimate and is analyzed for obfuscation and its data-exfiltration role.
- Bitdefender-app.com delivery uses TLS callbacks and obfuscated strings, injects into BitLockerToGo.exe, and employs anti-debugging checks (IsDebuggerPresent).
- MBSetup.rar distributes StealC with .NET and C++ payloads, leveraging a C2C at 185.161.248.78 and exfiltrating credentials, tokens, and browser data.
- Exfiltration is compressed with gzip and sent to C2C; an event HAL9TH_ComputerName_UserName is used to avoid duplicate submissions.
- The infrastructure includes C2C servers and a range of domains/IPs, indicating a multi-faceted exfiltration and loader operation.
MITRE Techniques
- [T1189] Drive-by Compromise – Clicking any link on the fake Avast site delivers Avast.apk. Quote: “The site is hosting “Avast.apk” when we try to click any of the links there.”
- [T1036.005] Masquerading – Files appear as legitimate software (Avast.apk, MBSetup.rar, setup-win-x86-x64.exe.zip) to mislead users. Quote: “Seeing the filename with double extension before extension and since the legitimate software never downloads the file with double extensions, we became curious to investigate this file more.”
- [T1027] Obfuscated/Compressed Files and Information – TLS callback and obfuscated strings decoded before main execution. Quote: “The file has a TLS callback where it can perform its activity before going to the Entry Point of the file. This is where all the obfuscated strings were decoded as shown below.”
- [T1055] Process Injection – Payload injected into BitLockerToGo.exe via thread-suspend-resume. Quote: “injecting into BitLockerToGo.exe… by creating thread-suspend-resume.”
- [T1056] Input Capture – Touch/interaction data collected (screen touches and coordinates). Quote: “Identifying position of screen touches.”
- [T1113] Screen Capture – Taking a screenshot as part of data collection. Quote: “Taking a screenshot.”
- [T1123] Audio Capture – Audio recorder and touch activity logger used to monitor user actions. Quote: “Audio recorder & touch activity logger.”
- [T1555.003] Credentials from Web Browsers – Stealer targets browser data and credentials (User Data, Local DB, autofill, cookies). Quote: “Credentials from the browser ‘User Data’ folder, Local DB and autofill” and “Cookies from the browser.”
- [T1041] Exfiltration Over C2 Channel – Exfiltrated data compressed with gzip and sent to C2C. Quote: “All the exfiltrated contents have been compressed in gzip to send it to the C2C server.”
- [T1071.001] Web Protocols – C2C infrastructure used to communicate with attacker-controlled servers. Quote: “C2C servers” and references to C2C endpoints.
Indicators of Compromise
- [MD5] 6103676bd7647fdde675acd3ea9fb92f – Avast.apk – Spynote
- [MD5] 15d4539dfdbd297d19e859551e1ea648 – MBSetup.rar – StealC
- [MD5] 1a3657ef519e3d20930f400dd781dbb2 – setup-win-x86-x64.exe – Lumma Stealer
- [MD5] a76529cfb85956fa07f896b957c34c34 – AMCoreDat.exe – Lumma Stealer
- [Domain] avast-securedownload.com – fake Avast site hosting Avast.apk
- [Domain] bitdefender-app.com – fake Bitdefender site hosting the download
- [IP] 45.138.16.85:7544 – C2C Spynote server
- [IP] 185.161.248.78 – C2C Lumma server
- [Domain] alcojoldwograpciw.shop/api – C2C endpoint observed in the payloads' exchanges with the server
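As an added example (not code from the Trellix report), the following Python check runs the indicators listed above over proxy-log lines. The log format (`timestamp client host/path md5=<hash|->`) and the sample lines are constructed for illustration; the domains, IPs and MD5 values are the ones the summary lists.

```python
import re

# Indicators taken from the report summary above.
FAKE_AV_DOMAINS = {"avast-securedownload.com", "bitdefender-app.com", "malwarebytes.pro"}
C2C_ENDPOINTS = {"45.138.16.85:7544", "185.161.248.78", "alcojoldwograpciw.shop"}
KNOWN_MD5 = {
    "6103676bd7647fdde675acd3ea9fb92f": "Avast.apk (Spynote)",
    "15d4539dfdbd297d19e859551e1ea648": "MBSetup.rar (StealC)",
    "1a3657ef519e3d20930f400dd781dbb2": "setup-win-x86-x64.exe (Lumma Stealer)",
    "a76529cfb85956fa07f896b957c34c34": "AMCoreDat.exe (Lumma Stealer)",
}
# Filenames carrying two extensions (e.g. ".exe.zip"), which the report calls out as
# something the legitimate installers never do.
DOUBLE_EXT = re.compile(r"\.(exe|apk|rar|zip|msi)\.[A-Za-z0-9]{2,4}$", re.IGNORECASE)

# Constructed (assumed) proxy-log layout: "<ts> <client> <host>[/path] md5=<hash|->"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>[^/ ]+)(?P<path>/\S*)? md5=(?P<md5>\w{32}|-)$")

def analyze(line):
    """Return a list of 'category:value' findings for one log line (empty if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    host, path, md5 = m["host"], m["path"] or "", m["md5"]
    bare_host = host.split(":")[0]          # drop a trailing :port for domain matching
    findings = []
    if bare_host in FAKE_AV_DOMAINS:
        findings.append(f"fake-av-site:{bare_host}")
    if host in C2C_ENDPOINTS:               # exact host:port match (e.g. Spynote C2C)
        findings.append(f"c2c-endpoint:{host}")
    elif bare_host in C2C_ENDPOINTS:        # IP or domain without a port
        findings.append(f"c2c-endpoint:{bare_host}")
    filename = path.rsplit("/", 1)[-1]
    if DOUBLE_EXT.search(filename):
        findings.append(f"double-extension:{filename}")
    if md5 in KNOWN_MD5:
        findings.append(f"known-sample:{KNOWN_MD5[md5]}")
    return findings

# Constructed sample log lines for a local run.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z 10.0.0.5 avast-securedownload.com/Avast.apk md5=6103676bd7647fdde675acd3ea9fb92f",
    "2024-05-01T10:01:00Z 10.0.0.5 bitdefender-app.com/setup-win-x86-x64.exe.zip md5=-",
    "2024-05-01T10:02:00Z 10.0.0.5 45.138.16.85:7544 md5=-",
    "2024-05-01T10:03:00Z 10.0.0.5 alcojoldwograpciw.shop/api md5=-",
    "2024-05-01T10:04:00Z 10.0.0.5 www.example.com/index.html md5=-",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(analyze(line) or "clean", "<-", line)
```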
Read more: https://www.trellix.com/blogs/research/a-catalog-of-hazardous-av-sites-a-tale-of-malware-hosting/