A Catalog of Hazardous AV Sites – A Tale of Malware Hosting

May 24, 2024, 6:56 p.m.

Description

In mid-April 2024, Trellix Advanced Research Center team members observed multiple fake AV sites hosting highly sophisticated malicious files, such as APK, EXE and Inno Setup installer files, that include spyware and stealer capabilities.

Date

  • Created: May 24, 2024, 6:32 p.m.
  • Published: May 24, 2024, 6:32 p.m.
  • Modified: May 24, 2024, 6:56 p.m.

Indicators

  • 45.138.16.85
  • 185.161.248.78
  • http://tirechinecarpett.pw/api
  • http://tolerateilusidjukl.shop/api
  • http://shortsvelventysjo.shop/api
  • http://productivelookewr.shop/api
  • http://shatterbreathepsw.shop/api
  • http://occupytapsessijk.pw/api
  • http://musclefarelongea.pw/api
  • http://ownerbuffersuperw.pw/api
  • http://liabilitynighstjsko.shop/api
  • http://freckletropsao.pw/api
  • http://incredibleextedwj.shop/api
  • http://fanlumpactiras.pw/api
  • http://alcojoldwograpciw.shop/api
  • http://demonstationfukewko.shop/api
  • tolerateilusidjukl.shop
  • tirechinecarpett.pw
  • shatterbreathepsw.shop
  • shortsvelventysjo.shop
  • occupytapsessijk.pw
  • ownerbuffersuperw.pw
  • productivelookewr.shop
  • musclefarelongea.pw
  • liabilitynighstjsko.shop
  • incredibleextedwj.shop
  • demonstationfukewko.shop
  • fanlumpactiras.pw
  • freckletropsao.pw
  • alcojoldwograpciw.shop

Attack Patterns

  • SpyNote
  • Lumma
  • StealC