Incidents

Rogue AV raising the stakes

A couple of months I blogged about how the creators of rogue AV solutions are keeping a close eye on developments in the antivirus market. And my colleague Vyacheslav recently wrote a whole article about rogue AV which highlighted, among other things, the huge increase in this type of malware.

Last week I looked at some samples which showed that the bad guys behind this stuff are ratcheting their efforts up a notch. Here’s the GUI of Trojan.Win32.FraudPack.acji:

And here’s the product it’s imitating:

There are two points which attracted my attention:

  • The interface of the rogue AV is a very close copy of the genuine solution
  • The logo isn’t the same, but the rogue incorporates the Windows Security Center logo, and reinforces the perception that it’s a genuine product by using the name of a legitimate free AV solution.

In other words, the rogue AV guys are getting closer and closer to creating exact copies of real AV solutions, at least in terms of the GUI. This makes it much more difficult to determine at a glance whether or not a solution is rogue, for novices and more experienced users alike.

This example shows that maybe we’re not so far from the time when rogue AV solutions will visually be exact copies of legitimate security software. And with the FBI estimating losses caused by scareware at around $150 million dollars, the stakes are getting higher all the time.

Rogue AV raising the stakes

Your email address will not be published.

 

Reports

APT trends report Q1 2022

This is our latest summary of advanced persistent threat (APT) activity, focusing on events that we observed during Q1 2022.

Lazarus Trojanized DeFi app for delivering malware

We recently discovered a Trojanized DeFi application that was compiled in November 2021. This application contains a legitimate program called DeFi Wallet that saves and manages a cryptocurrency wallet, but also implants a full-featured backdoor.

MoonBounce: the dark side of UEFI firmware

At the end of 2021, we inspected UEFI firmware that was tampered with to embed a malicious code we dub MoonBounce. In this report we describe how the MoonBounce implant works and how it is connected to APT41.

Subscribe to our weekly e-mails

The hottest research right in your inbox