Security News > 2023 > March > Winter Vivern APT hackers use fake antivirus scans to install malware
Sentinel Labs has previously seen spreadsheet files with malicious macros that launch PowerShell being dropped on cloned sites used by the APT. Deploying fake virus scanners.
One example of Winter Vivern's resourcefulness in the Sentinel Labs report is the use of Windows batch files to impersonate antivirus scanners while, in reality, downloading malicious payloads.
As you can see from the batch files below, the malicious files will pretend to perform an antivirus scan, showing a running percentage of time left, while quietly downloading a malicious payload using PowerShell.
The malware is hosted on compromised WordPress websites, which are commonly used for malware distribution campaigns.
The Aperetif malware is capable of automatic file scanning and exfiltration, taking screenshots and sending all data in a base64-encoded form to a hardcoded command and control server URL. Sentinel Labs has recently spotted a new payload used by Winter Vivern, which appears to be similar in functionality to Aperefit, but it features an incomplete design, indicating that it's a work in progress.
In conclusion, Winter Vivern is a group that uses a relatively simplistic yet effective approach to lure its targets into downloading malicious files.
News URL
Related news
- Magnet Goblin hackers use 1-day flaws to drop custom Linux malware (source)
- Hackers exploit WordPress plugin flaw to infect 3,300 sites with malware (source)
- Hackers leverage 1-day vulnerabilities to deliver custom Linux malware (source)
- Hackers abuse Windows SmartScreen flaw to drop DarkGate malware (source)
- Hackers exploit Windows SmartScreen flaw to drop DarkGate malware (source)
- Week in review: Cybersecurity job openings, hackers use 1-day flaws to drop custom Linux malware (source)
- Hackers Using Sneaky HTML Smuggling to Deliver Malware via Fake Google Sites (source)
- Russian Hackers May Have Targeted Ukrainian Telecoms with Upgraded 'AcidPour' Malware (source)
- Russian hackers target German political parties with WineLoader malware (source)
- Russian Hackers Use 'WINELOADER' Malware to Target German Political Parties (source)