Fake Avast Website Delivers Venom Stealer Through Bogus Virus Scan
In a brazen phishing attack, cybercriminals are masquerading as Avast antivirus to trick users into downloading Venom Stealer, a ruthless malware that pilfers passwords, cookies, and crypto wallets.
The fake website mimics Avast’s trusted interface, runs a bogus virus scan, and scares victims into “fixing” phantom threats with a poisoned download. This classic scare-and-fix ploy exploits fear and brand trust, turning good intentions into a digital disaster.
The phishing page perfectly mimics Avast’s look, sleek navigation, logo, and fake badges. Users click to scan, watch a dramatic animation, and get a scripted result: “3 threats found, 3 removed.” It even names a phony detection like Trojan: Win32/Zbot.AA!dll for realism. Panicked, victims download Avast_system_cleaner.exe, the malware payload.
This 2MB 64-bit Windows executable (SHA-256: ecbeaa13921dbad8028d29534c3878503f45a82a09cf27857fa4335bd1c9286d; MD5: 0a32d6abea15f3bfe2a74763ba6c4ef5) copies itself to C:\Program Files\Google\Chrome\Application\v20svc.exe, posing as a Chrome service.
Launched with the flag -v20c, it blends in among legitimate processes in Task Manager. A PDB artifact (crypter_stub.pdb) reveals crypter packing, and the sample slipped past 73% of VirusTotal engines.
YARA rules tie it to Venom Stealer, an evolved version of the Quasar RAT that has been sold underground since 2020. It’s a data thief supreme, targeting browsers and wallets.
Once active, Venom Stealer raids high-value targets. It extracts credentials and cookies from Chrome, Edge, and Firefox, snagging sessions for Netflix, Facebook, LinkedIn, and more. Analysis showed JSON payloads with stolen Edge/Chrome cookies, which let the operators bypass 2FA by replaying hijacked sessions. It reads Firefox's cookies.sqlite-shm directly.
Crypto users beware: It hunts desktop wallets. Extras include desktop screenshots (Temp\screenshot_5sIczFxY95t2IQ5u.jpg), session logs (Microsoft\fd1cd7a3\sess), and a decoy NTUSER.dat in C:\Users\Public.
Data beams to C2 at app-metrics-cdn[.]com (104.21.14.89, Cloudflare-hosted) over plain HTTP, mimicking analytics traffic. Steps: POST to /api/upload (140KB files), /api/upload-json (29KB credentials), /api/upload-complete, then heartbeats at /api/listener/heartbeat. Generic user-agents blend it in.
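Because the C2 traffic is plain HTTP with a fixed set of endpoints, the upload sequence and heartbeat described above are easy to hunt for in proxy logs. The following detection script is an added example, not code from the article: it assumes a proxy log in a constructed `ts client method url status bytes "user-agent"` layout and flags requests to the listed infrastructure, ranking clients that hit all three upload endpoints plus the heartbeat highest.

```python
import re
from collections import defaultdict
from typing import List, NamedTuple, Optional, Set
from urllib.parse import urlsplit

# Network IOCs from the write-up (domain is de-fanged in the article as app-metrics-cdn[.]com).
C2_HOSTS = {"app-metrics-cdn.com", "104.21.14.89"}
C2_PATHS = {"/api/upload", "/api/upload-json", "/api/upload-complete", "/api/listener/heartbeat"}
EXFIL_PATHS = {"/api/upload", "/api/upload-json", "/api/upload-complete"}
HEARTBEAT = "/api/listener/heartbeat"

# Constructed sample proxy log (assumed layout); 10.0.0.5 plays an infected host.
SAMPLE_LOG = """\
1718000001.123 10.0.0.5 POST http://app-metrics-cdn.com/api/upload 200 143360 "Mozilla/5.0"
1718000002.456 10.0.0.5 POST http://app-metrics-cdn.com/api/upload-json 200 29696 "Mozilla/5.0"
1718000003.789 10.0.0.7 GET http://www.avast.com/ 200 5120 "Mozilla/5.0 (Windows NT 10.0)"
1718000004.000 10.0.0.5 POST http://app-metrics-cdn.com/api/upload-complete 200 512 "Mozilla/5.0"
1718000005.000 10.0.0.5 GET http://104.21.14.89/api/listener/heartbeat 200 64 "Mozilla/5.0"
1718000006.000 10.0.0.9 GET http://app-metrics-cdn.com/ 200 1024 "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'(?P<status>\d+) (?P<bytes>\d+) "(?P<ua>[^"]*)"$'
)


class Alert(NamedTuple):
    client: str
    host: str
    path: str
    match: str  # "c2_path": known beacon/exfil endpoint; "c2_host": infrastructure only


def classify(line: str) -> Optional[Alert]:
    """Return an Alert if the request touches the campaign's C2 host or endpoints, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m["url"])
    host = parts.hostname or ""
    if host not in C2_HOSTS:
        return None
    return Alert(m["client"], host, parts.path, "c2_path" if parts.path in C2_PATHS else "c2_host")


def scan_log(text: str) -> List[Alert]:
    """Run classify() over every line and keep the hits in log order."""
    return [a for a in (classify(l) for l in text.splitlines()) if a]


def clients_with_exfil_chain(alerts: List[Alert]) -> Set[str]:
    """Clients that hit all three upload endpoints and the heartbeat: strongest sign of an active infection."""
    seen = defaultdict(set)
    for a in alerts:
        seen[a.client].add(a.path)
    return {c for c, paths in seen.items() if EXFIL_PATHS <= paths and HEARTBEAT in paths}
```

Clients returned by `clients_with_exfil_chain` should be isolated first; a lone `c2_host` hit still warrants a look at the endpoint for v20svc.exe.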
Venom doesn’t quit easily. It uses direct syscalls to bypass ntdll.dll and blind EDR tools, checks for debuggers/VMs, queries CPU info, sets guard pages, and sleeps for over 3 minutes. Process enumeration and volume serial reads thwart sandboxes.
This echoes a May 2025 Bitdefender clone pushing Venom RAT and StormKitty (per DomainTools). Security impersonation preys on urgency.
Stick to official sites like avast.com. If you suspect infection, look for v20svc.exe in Chrome's Application folder. Scan with Malwarebytes, change passwords (email/banking first), log out of all sessions everywhere, and move crypto to a fresh wallet.
Indicators of Compromise (IOCs)
- Hashes: SHA-256: ecbeaa13921dbad8028d29534c3878503f45a82a09cf27857fa4335bd1c9286d
- Domain: app-metrics-cdn[.]com
- IP: 104.21.14.89
- C2 Paths:
  - http://app-metrics-cdn[.]com/api/upload
  - http://app-metrics-cdn[.]com/api/upload-json
  - http://app-metrics-cdn[.]com/api/upload-complete
  - http://app-metrics-cdn[.]com/api/listener/heartbeat
Site: cybersecuritypath.com