Inside a VenomRAT Malware Campaign

A campaign built around a fake Bitdefender download site delivers VenomRAT, StormKitty, and SilentTrinity to steal credentials and keep persistent access. The operators target individuals’ financial information and retain stealthy control over compromised systems through modular open-source tooling. #VenomRAT #StormKitty #SilentTrinity

Key Points

  • A fake website mimicking Bitdefender’s antivirus download page was used to distribute malware including VenomRAT, StormKitty, and SilentTrinity.
  • VenomRAT provides initial and persistent access, StormKitty steals credentials rapidly, and SilentTrinity enables stealthy long-term control and data exfiltration.
  • The campaign’s command and control infrastructure reused IPs and ports, linking multiple malware samples to the same threat actor.
  • Phishing domains spoofing banks and IT services were used alongside the fake Bitdefender site to harvest credentials and cryptocurrency wallet information.
  • The malware leverages open-source components, allowing for modular, adaptable, and stealthy attacks focused on financial gain.
  • Multiple delivery sites and C2 IP addresses have been identified, including cloud storage services like Amazon S3 and code repositories such as Bitbucket and GitHub.
  • Users are advised to verify a site’s authenticity before downloading, to treat an antivirus installer served from a code-hosting or object-storage URL rather than the vendor’s own domain as suspect, and to avoid entering credentials on suspicious pages.

MITRE Techniques

  • [T1071] Application Layer Protocol – Payloads were fetched over HTTP/S from the fake website, Bitbucket, and Amazon S3 (‘Download For Windows button initiates a file download from…bitbucket URL… redirects to Amazon S3’).
  • [T1566] Phishing – Domains spoofing banks and generic IT services harvested credentials and wallet details (‘Phishing domains impersonating banks and generic IT services’).
  • [T1059] Command and Scripting Interpreter – The open-source SilentTrinity and StormKitty components provide scripted post-exploitation for persistence and credential harvesting (‘The bundled executable StoreInstaller.exe contained malware configurations associated with VenomRAT, SilentTrinity, and StormKitty’).
  • [T1583] Acquire Infrastructure – The actor registered the look-alike domain, stood up several C2 servers, and staged payloads on Bitbucket and Amazon S3 (‘Malicious domain “bitdefender-download[.]com” and multiple C2 IPs like 67.217.228[.]160:4449’).

Indicators of Compromise

  • [Domain] Phishing and delivery domains – bitdefender-download[.]com, idram-secure[.]live, royalbanksecure[.]online
  • [IP Address] Command and Control servers – 67.217.228[.]160:4449, 172.93.222[.]102:4449, 185.208.159[.]121:6000
  • [File Hash] Malicious files – BitDefender.zip SHA256: 59a08decb8b960b65afe4d5446ef0e00e3a49ab747599b5ee6e7d43813040287, StoreInstaller.exe SHA256: eb2b61a5f15b19bf7dd0ff3914d3019c26499dd693647b00c1b073037db72e35
  • [URL] Malicious download links – https[:]//bitbucket[.]org/sadsafsadfsadf/dsfgdsgssdfgdsg/downloads/BitDefender.zip, https[:]//bbuseruploads.s3.amazonaws[.]com/9e2daa63-bae3-4cbb-9f88-8154ba43261f/downloads/aa7b9593-2ccd-4cd0-9e04-9b4a7da9276b/BitDefender.zip
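The indicators above are published defanged, and the key points note that the same IPs recur across samples. The script below is an added example, not code from the DomainTools report or this summary: it refangs the listed domains, C2 endpoints and hashes, then runs them over a constructed DNS/connection log whose line format, hosts and timestamps are assumed for the demo. A listed IP seen on an unlisted port is reported separately as a lower-confidence hit, and a legitimate bitdefender.com lookup is deliberately included to show it does not fire.

```python
"""Match this page's IoCs against constructed DNS/connection log lines and file hashes.

Added example, not code from the DomainTools report or this summary. The log
format, hosts and timestamps are constructed; the indicator values are the
ones listed on this page.
"""
import hashlib
import re
from dataclasses import dataclass

# Indicators exactly as published (defanged), so they can be pasted in unchanged.
DEFANGED_DOMAINS = [
    "bitdefender-download[.]com",
    "idram-secure[.]live",
    "royalbanksecure[.]online",
]
DEFANGED_C2 = [
    "67.217.228[.]160:4449",
    "172.93.222[.]102:4449",
    "185.208.159[.]121:6000",
]
KNOWN_SHA256 = {
    "59a08decb8b960b65afe4d5446ef0e00e3a49ab747599b5ee6e7d43813040287": "BitDefender.zip",
    "eb2b61a5f15b19bf7dd0ff3914d3019c26499dd693647b00c1b073037db72e35": "StoreInstaller.exe",
}


def refang(indicator: str) -> str:
    """Undo the usual defanging conventions: [.]  [:]  hxxp(s)://."""
    return (indicator.replace("[.]", ".")
            .replace("[:]", ":")
            .replace("hxxps://", "https://")
            .replace("hxxp://", "http://"))


C2_ENDPOINTS = {refang(x) for x in DEFANGED_C2}           # e.g. "67.217.228.160:4449"
C2_IPS = {ep.rsplit(":", 1)[0] for ep in C2_ENDPOINTS}    # IP part only
DOMAINS = {refang(x) for x in DEFANGED_DOMAINS}

# Constructed line formats (assumed for this demo, not any vendor's schema):
#   <ts> conn <src_ip>:<src_port> -> <dst_ip>:<dst_port>
#   <ts> dns  <src_ip> query=<name>
CONN_RE = re.compile(r"^(\S+)\s+conn\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$")
DNS_RE = re.compile(r"^(\S+)\s+dns\s+(\S+)\s+query=(\S+)$")


@dataclass
class Hit:
    line: str
    indicator: str
    kind: str   # c2_endpoint | c2_ip_other_port | phishing_domain


def scan_lines(lines):
    """Return one Hit per log line that touches a listed indicator."""
    hits = []
    for line in lines:
        m = CONN_RE.match(line)
        if m:
            dst_ip, dst_port = m.group(4), m.group(5)
            endpoint = f"{dst_ip}:{dst_port}"
            if endpoint in C2_ENDPOINTS:
                hits.append(Hit(line, endpoint, "c2_endpoint"))
            elif dst_ip in C2_IPS:
                # The report notes the actor reuses IPs across samples, so a
                # listed IP on an unlisted port is still worth an analyst's look.
                hits.append(Hit(line, dst_ip, "c2_ip_other_port"))
            continue
        m = DNS_RE.match(line)
        if m:
            name = m.group(3).rstrip(".").lower()
            for domain in DOMAINS:
                # Exact or subdomain match only; "www.bitdefender.com" must not fire.
                if name == domain or name.endswith("." + domain):
                    hits.append(Hit(line, domain, "phishing_domain"))
                    break
    return hits


def identify_by_hash(data: bytes):
    """Return the listed file name if data's SHA-256 is a known sample, else None."""
    return KNOWN_SHA256.get(hashlib.sha256(data).hexdigest())


# Constructed sample log (not real traffic): one benign Bitdefender lookup,
# one benign HTTPS connection, and four lines that should be flagged.
SAMPLE_LOG = """\
2024-01-01T10:01:02Z dns 10.0.0.15 query=bitdefender-download.com.
2024-01-01T10:01:03Z dns 10.0.0.15 query=www.bitdefender.com.
2024-01-01T10:02:10Z conn 10.0.0.15:51234 -> 185.208.159.121:6000
2024-01-01T10:02:11Z conn 10.0.0.15:51235 -> 67.217.228.160:8080
2024-01-01T10:02:12Z conn 10.0.0.15:51236 -> 203.0.113.7:443
2024-01-01T10:03:00Z dns 10.0.0.22 query=login.royalbanksecure.online.
""".splitlines()

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG):
        print(f"{hit.kind:18} {hit.indicator:28} {hit.line}")
```

Run against the constructed log, the script flags the look-alike domain, the listed 185.208.159[.]121:6000 endpoint, the reused 67.217.228[.]160 address on an unlisted port, and a subdomain of royalbanksecure[.]online, while leaving the genuine bitdefender.com lookup and the unrelated HTTPS connection alone. `identify_by_hash` is the companion check for a suspect download: hash the file and compare it with the two SHA-256 values above rather than trusting the file name.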

Read more: https://dti.domaintools.com/venomrat/