Brand impersonation via Google Ads misleads users who search for Google Authenticator into downloading DeerStealer malware. The malware exfiltrates personal data to attacker-controlled sites and is hosted on GitHub, exploiting the trust users place in that platform. #DeerStealer #GoogleAuthenticator
Keypoints
- Brand impersonation in Google ads misleads users into downloading malware.
- Users searching for Google Authenticator encountered a fraudulent ad.
- The fake site was registered on the same day as the ad appeared.
- Malware hosted on GitHub, exploiting trust associated with the platform.
- The malware, DeerStealer, exfiltrates personal data to an attacker-controlled site.
- Users are advised to avoid clicking on ads for software downloads and to visit official repositories directly.
- Malwarebytes blocks access to the fake site and detects the payload as Spyware.DeerStealer.
MITRE Techniques
- [T1566] Phishing - Threat actors used Google ads to trick users into visiting a malicious site.
- [T1203] Malicious File - Users downloaded a malicious executable disguised as Google Authenticator.
- [T1041] Data Exfiltration - DeerStealer malware exfiltrates personal data to an attacker-controlled website.
Indicators of Compromise
- [Domain] Malicious domains - vcczen[.]eu, tmdr7[.]mom, chromeweb-authenticators[.]com
- [Hash] Payload (stealer) - 5d1e3b113e15fc5fd4a08f41e553b8fd0eaace74b6dc034e0f6237c5e10aa737
- [C2] Command and Control - vaniloin[.]fun
- [Filename] Malware payload filename - Authenticator.exe
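As an added defender-side example (not part of the original report or Malwarebytes' tooling), the script below refangs the indicators listed above, sweeps constructed DNS/proxy log lines for contact with the malicious domains (including subdomains), and checks a file's SHA-256 against the payload hash; the log format and sample lines are assumptions made for the example.

```python
import hashlib
import re

# Indicators taken from the report above, in their defanged form.
DEFANGED_DOMAINS = ["vcczen[.]eu", "tmdr7[.]mom", "chromeweb-authenticators[.]com", "vaniloin[.]fun"]
PAYLOAD_SHA256 = "5d1e3b113e15fc5fd4a08f41e553b8fd0eaace74b6dc034e0f6237c5e10aa737"

def refang(indicator: str) -> str:
    """Turn 'example[.]com' / 'hxxp://' style defanging back into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()

IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

def domain_matches(hostname: str) -> bool:
    """True if hostname equals an IoC domain or is a subdomain of one (never a bare suffix match)."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

# Assumed log format for this example: "<timestamp> <source-ip> <dns|proxy> <hostname>".
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<kind>dns|proxy)\s+(?P<host>\S+)")

def scan_log(lines):
    """Return (timestamp, source, hostname) for every line that touched an IoC domain."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and domain_matches(m.group("host")):
            hits.append((m.group("ts"), m.group("src"), m.group("host")))
    return hits

def file_is_known_payload(data: bytes) -> bool:
    """Compare a file's SHA-256 with the stealer payload hash from the report."""
    return hashlib.sha256(data).hexdigest() == PAYLOAD_SHA256

# Constructed sample log lines (not from the report); only two touch IoC domains.
SAMPLE_LOG = [
    "2024-07-31T10:02:11Z 10.0.0.5 dns accounts.google.com",
    "2024-07-31T10:02:40Z 10.0.0.5 dns chromeweb-authenticators.com",
    "2024-07-31T10:03:02Z 10.0.0.5 proxy vaniloin.fun",
    "2024-07-31T10:05:55Z 10.0.0.9 dns github.com",
]

if __name__ == "__main__":
    for ts, src, host in scan_log(SAMPLE_LOG):
        print(f"{ts} {src} contacted IoC domain {host}")
    # Constructed stand-in for a downloaded file; it is not the real payload, so this prints False.
    print("known payload:", file_is_known_payload(b"not the real file"))
```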