Research

Fake AV business alive and kicking

Since June 2011 we have seen a substantial decrease in the number of fake antivirus programs. Right now we are observing 10 000 daily attempts to infect users with Trojan-FakeAV; back in June the figures were 50-60,000.

The daily number of attempted infections using Trojan-FakeAV in the past 5 months

Nevertheless, new versions of this type of malware continue to emerge. As a result, the new Trojan-FakeAV.Win32.OpenCloud family has recently been added to the malware hit list.

A screenshot of Trojan-FakeAV.Win32.OpenCloud.h in action

The above screenshot shows how some standard Windows files – including notepad, wmplayer, paint, calc, explorer etc. – were identified as “malicious” by a fake antivirus. In this way the fake antivirus makes itself conspicuous. Interestingly, it also mentions cloud protection, apparently trying to take advantage of a fashionable new concept. If the user is conned into buying this fake software, there’s another scam in store. In the center of the screen the price is quoted at $52.95, but in the small print this creeps up to $72.85 for so-called “lifelong” protection.

Trojan-FakeAV.Win32.OpenCloud.h’s payment window

We used WireShark to monitor the payment site for the fake antivirus. The screenshot below demonstrates that data is sent to the URL ******online.com. It includes information about the operating system installed (6.0.2900), the ID (8779) of the partner who will take a cut, and other info.

A screenshot from WireShark – a traffic interception tool

According to the service Whois, the payment site ******online.com was registered in Russia in the name of Denis Verdanskiy on 10 May 2011.

We discovered an affiliate program called “Money Racing AV” at the IP address specified in the information about the NS server of the host in question. Using a search engine, we found some information about this affiliate program on a Russian underground forum.

An announcement in Russian about the Money Racing AV affiliate program

In this announcement, the cybercriminals invite users to distribute FakeAV for $25 every time the fake antivirus is installed and paid for. The proposed deal is a just over one third of the total price paid by the user. The rest of the money seems to go to the owners of the affiliate program, who provide the fake antivirus, the online payment interface and handle the transaction.

It’s clear that successful cybercrime gangs are still distributing rogue AVs, even though this market is experiencing a sharp decline. So, if you see notifications about “Windows errors” or “system infections”, proceed with caution. Don’t pay for any solution arriving unannounced over the Internet and make sure you install a genuine security product.

Fake AV business alive and kicking

Your email address will not be published. Required fields are marked *

 

Reports

APT trends report Q2 2021

This is our latest summary of advanced persistent threat (APT) activity, focusing on significant events that we observed during Q2 2021: attacks against Microsoft Exchange servers, APT29 and APT31 activities, targeting campaigns, etc.

LuminousMoth APT: Sweeping attacks for the chosen few

We recently came across unusual APT activity that was detected in high volumes, albeit most likely aimed at a few targets of interest. Further analysis revealed that the actor, which we dubbed LuminousMoth, shows an affinity to the HoneyMyte group, otherwise known as Mustang Panda.

WildPressure targets the macOS platform

We found new malware samples used in WildPressure campaigns: newer version of the C++ Milum Trojan, a corresponding VBScript variant with the same version number, and a Python script working on both Windows and macOS.

Ferocious Kitten: 6 years of covert surveillance in Iran

Ferocious Kitten is an APT group that has been targeting Persian-speaking individuals in Iran. Some of the TTPs used by this threat actor are reminiscent of other groups, such as Domestic Kitten and Rampant Kitten. In this report we aim to provide more details on these findings.

Subscribe to our weekly e-mails

The hottest research right in your inbox