Fake Avast Scan Site Deploys Venom Stealer, Targeting Users with Credential‑Stealing Malware
What Happened — A counterfeit website mimicking Avast antivirus offers a fake “virus scan” that always reports infections, regardless of the visitor's machine. When users click to “fix” the issues, the site delivers a malicious executable (Avast_system_cleaner.exe) which installs the Venom Stealer malware, capable of harvesting passwords, session cookies, and cryptocurrency wallet data.
Why It Matters for TPRM —
• The scam abuses a trusted security brand, increasing user trust and the likelihood of infection.
• Venom Stealer can exfiltrate credentials and session cookies that grant attackers access to corporate systems and a foothold for lateral movement.
• Low detection rates (roughly 27 % of VirusTotal engines at the time of analysis) mean many endpoint protections may miss the payload.
Who Is Affected — All organizations with Windows endpoints, especially those that rely on third‑party antivirus solutions or allow users to download utilities from the web. Sectors most at risk include finance, healthcare, SaaS, and government.
Recommended Actions —
• Instruct users to obtain security tools only from official vendor sites, and to treat any browser page that “scans” the machine and reports infections as a scam.
• Deploy web‑filtering rules to block known malicious domains impersonating security brands.
• Ensure endpoint detection and response (EDR) solutions are updated to detect Venom Stealer signatures and behaviors, and hunt for the drop path, launch argument and dropper filename listed in the Technical Notes.
• Rotate credentials and revoke active sessions for affected users (stolen session cookies remain valid after a password change), and monitor for anomalous authentication activity.
Technical Notes —
• Attack vector: scareware website posing as an Avast virus scan; no software vulnerability or CVE is involved, the user is tricked into running the download.
• Payload: 64‑bit Windows PE (about 2 MB) packed with a crypter. It is dropped as C:\Program Files\Google\Chrome\Application\v20svc.exe, a location chosen to blend in with Chrome's own binaries, and is launched with the argument --v20c.
• Malware family: Venom Stealer (Quasar RAT descendant); steals browser credentials, session cookies, and crypto wallets.
• Detection: only 27 % of AV engines flagged the sample on VirusTotal at the time of analysis, so signature-only controls should not be relied on.
• Source: Malwarebytes Labs
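The drop path, launch argument and dropper filename above are enough to write a simple hunt over process-creation telemetry (Sysmon event ID 1 or Windows 4688 exports). The following is an added example, not code from the Malwarebytes report: the indicator values come from the Technical Notes, while the broader rule (flag any executable running directly out of Chrome's Application directory that is not one of Chrome's own binaries) and the allow-list of chrome.exe, chrome_proxy.exe and new_chrome.exe are assumptions, and the sample events are constructed.

```python
"""Hunt for the Venom Stealer drop described in the Technical Notes in process-creation records."""
from __future__ import annotations

from dataclasses import dataclass
import ntpath

# Indicators taken from the Technical Notes on this page.
VENOM_DROP_PATH = r"C:\Program Files\Google\Chrome\Application\v20svc.exe"
VENOM_ARG = "--v20c"
DROPPER_NAME = "avast_system_cleaner.exe"

# Broader heuristic (assumption, not from the report): anything executing directly
# out of Chrome's Application directory that is not a known Chrome binary.
# new_chrome.exe appears legitimately during updates, so it is allow-listed.
CHROME_APP_DIR = ntpath.dirname(VENOM_DROP_PATH).lower()
KNOWN_CHROME_BINARIES = {"chrome.exe", "chrome_proxy.exe", "new_chrome.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (e.g. Sysmon event ID 1 / Windows 4688)."""
    host: str
    image: str          # full path of the started executable
    command_line: str
    parent_image: str   # full path of the parent process


def classify(event: ProcessEvent) -> list[str]:
    """Return the reasons an event matches; an empty list means no match."""
    reasons: list[str] = []
    image = event.image.lower()
    parent = event.parent_image.lower()

    if image == VENOM_DROP_PATH.lower():
        reasons.append("known Venom Stealer drop path")
    # Compare whole tokens so that e.g. --v20cache does not produce a false match.
    if VENOM_ARG in event.command_line.split():
        reasons.append("Venom Stealer launch argument " + VENOM_ARG)
    if ntpath.basename(image) == DROPPER_NAME or ntpath.basename(parent) == DROPPER_NAME:
        reasons.append("fake Avast cleaner executable involved")
    if (ntpath.dirname(image) == CHROME_APP_DIR
            and ntpath.basename(image) not in KNOWN_CHROME_BINARIES):
        reasons.append("unexpected executable in Chrome Application directory")
    return reasons


def hunt(events: list[ProcessEvent]) -> dict[str, list[str]]:
    """Map each flagged host to the sorted set of reasons; clean hosts are omitted."""
    hits: dict[str, set[str]] = {}
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits.setdefault(ev.host, set()).update(reasons)
    return {host: sorted(r) for host, r in hits.items()}


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # Normal Chrome launch from the desktop: must not match.
    ProcessEvent("WS-014", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
                 r"C:\Windows\explorer.exe"),
    # The drop described on this page, started by the fake cleaner.
    ProcessEvent("WS-014", r"C:\Program Files\Google\Chrome\Application\v20svc.exe",
                 r'"C:\Program Files\Google\Chrome\Application\v20svc.exe" --v20c',
                 r"C:\Users\jdoe\Downloads\Avast_system_cleaner.exe"),
    # Same payload renamed and moved, but still launched with its argument.
    ProcessEvent("WS-031", r"C:\Users\asmith\AppData\Local\Temp\update.exe",
                 "update.exe --v20c",
                 r"C:\Users\asmith\Downloads\Avast_system_cleaner.exe"),
    # Legitimate updater activity: new_chrome.exe is allow-listed.
    ProcessEvent("WS-052", r"C:\Program Files\Google\Chrome\Application\new_chrome.exe",
                 "new_chrome.exe --type=utility",
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
]

if __name__ == "__main__":
    for host, reasons in hunt(SAMPLE_EVENTS).items():
        print(host, "->", "; ".join(reasons))
```

The path and argument checks are exact-match indicators and will miss a rebuilt sample; the directory heuristic and the dropper-name check are what catch the renamed copy in the third event, at the cost of needing the allow-list kept current with Chrome's own binaries.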