CRIL uncovered a phishing campaign that mimics Google’s Safety Centre to push malware. The fake Google Authenticator downloader installs Latrodectus and ACR Stealer, which exfiltrate data and use advanced evasion techniques to avoid detection. #Latrodectus #ACRStealer #DeadDropResolver #GoogleSafetyCentre #GoogleAuthenticator
Key points
- Phishing Campaign: A fraudulent website mimicking Google Safety Centre is used to deceive users.
- Malware Distribution: Users are tricked into downloading a malicious file named “GoogleAuthSetup.exe.”
- Malware Types: The downloaded file installs two malware variants: Latrodectus and ACR Stealer.
- ACR Stealer: Uses Dead Drop Resolver (DDR) to hide its C&C server details.
- Latrodectus: Actively developed with updated encryption and new commands for enhanced capabilities.
- Infection Chain: The malware operates stealthily, displaying fake error messages to mislead victims.
- Targeted Applications: ACR Stealer targets various applications, including web browsers and password managers.
- Recommendations: Users should download apps only from official sources and be cautious with ads.
MITRE Techniques
- [T1566] Phishing – Phishing website hosted a malicious binary as a legitimate application.
- [T1027.002] Obfuscated Files or Information: Software Packing – Payload is encrypted inside the resource section.
- [T1106] Native API – The NtCreateUserProcess() API is used to create a child process.
- [T1053.005] Scheduled Task/Job: Scheduled Task – Sets scheduled tasks using a COM object.
- [T1070.004] Indicator Removal: File Deletion – Deletes itself from the Temp directory.
- [T1027.007] Obfuscated Files or Information: Dynamic API Resolution – Loads DLLs at runtime.
- [T1082] System Information Discovery – Checks the Windows version and running processes.
- [T1071.001] Application Layer Protocol: Web Protocols – Communicates with the C&C over HTTP.
- [T1119] Automated Collection – Collects cryptocurrency wallet information.
- [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – Tries to collect credentials from browsers.
- [T1555.005] Credentials from Password Stores: Password Managers – Tries to steal credentials from password managers.
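The self-deletion behaviour listed above (T1070.004, an executable run from Temp that then removes its own file) can be spotted by correlating process-creation and file-deletion telemetry. The script below is an added example and not code from the CRIL report: it takes constructed records in the shape of Sysmon Event ID 1 (ProcessCreate) and Event ID 23 (FileDelete), every value in them invented, and flags any image launched from a Temp path whose file is deleted within a short window.

```python
"""Flag a process that launched from a Temp directory and whose executable
was then deleted, the self-deletion behaviour (T1070.004) the report
attributes to the downloader.

Added example, not code from the CRIL report. The events below are
constructed in the shape of Sysmon Event ID 1 (ProcessCreate) and
Event ID 23 (FileDelete) records; every value in them is invented.
"""
from datetime import datetime, timedelta
import re

# Matches paths under a user's %TEMP% or the system Temp directory.
TEMP_PATH = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)

# Constructed sample events (not from the report).
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2024-07-25 10:00:00",
     "Image": r"C:\Users\alice\AppData\Local\Temp\GoogleAuthSetup.exe"},
    {"EventID": 1, "UtcTime": "2024-07-25 10:00:05",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    # The downloader's own image is removed 12 seconds after launch.
    {"EventID": 23, "UtcTime": "2024-07-25 10:00:12",
     "Image": r"C:\Users\alice\AppData\Local\Temp\GoogleAuthSetup.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\GoogleAuthSetup.exe"},
    # A browser clearing a cache file in Temp: benign, must not match.
    {"EventID": 23, "UtcTime": "2024-07-25 10:01:00",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\cache.tmp"},
]


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def find_temp_self_deletion(events, window=timedelta(minutes=5)):
    """Return (image, launch_time, delete_time) for every executable that
    started from a Temp path and was deleted within `window` of launching.
    The match is on the deleted path, so it also fires when a helper process
    removes the file on the loader's behalf."""
    launches = {}
    for e in events:
        if e["EventID"] == 1 and TEMP_PATH.search(e["Image"]):
            launches.setdefault(e["Image"].lower(), []).append(
                (e["Image"], _ts(e["UtcTime"])))
    hits = []
    for e in events:
        if e["EventID"] != 23:
            continue
        for image, t0 in launches.get(e["TargetFilename"].lower(), []):
            t1 = _ts(e["UtcTime"])
            if timedelta(0) <= t1 - t0 <= window:
                hits.append((image, t0, t1))
    return hits


if __name__ == "__main__":
    for image, t0, t1 in find_temp_self_deletion(SAMPLE_EVENTS):
        print(f"{image} launched {t0} and was deleted {t1}")
```

The rule keys on the deleted path rather than on the deleting process, because a loader may hand the removal to a child or a scheduled command; the five-minute window is an assumed tuning value, not something the report states.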
Indicators of Compromise
- [SHA-256] GoogleAuthSetup.exe, Latrodectus, and ACR Stealer payloads: 62536e1486be7e31df6c111ed96777b9e3f2a912a2d7111253ae6a5519e71830, 81bc69a33b33949809d630e4fa5cdb89d8c60cf0783f447680c3677cae7bb9bb
- [URL] C&C and distribution links: hxxps://spikeliftall[.]com/live/, hxxps://godfaetret[.]com/live/, hxxps://geotravelsgi[.]xyz/ujs/2ae977f4-db12-4876-9e4d-fc8d1778842d
- [Domain] Phishing site domain: googleaauthenticator[.]com
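To put the indicators above to use, they first have to be refanged (hxxps back to https, [.] back to .) and then matched against proxy logs and file-hash inventories. The script below is an added example and not code from the CRIL report: the indicator values are those published above, while the proxy log lines, the file paths and the benign placeholder hash are constructed.

```python
"""Refang the published indicators and match them against log data.

Added example, not code from the CRIL report. Only the indicator values come
from the report; the proxy log lines and the file-hash inventory below are
constructed.
"""
import re

# Indicators exactly as published in the report (defanged).
IOC_SHA256 = {
    "62536e1486be7e31df6c111ed96777b9e3f2a912a2d7111253ae6a5519e71830",
    "81bc69a33b33949809d630e4fa5cdb89d8c60cf0783f447680c3677cae7bb9bb",
}
IOC_URLS = [
    "hxxps://spikeliftall[.]com/live/",
    "hxxps://godfaetret[.]com/live/",
    "hxxps://geotravelsgi[.]xyz/ujs/2ae977f4-db12-4876-9e4d-fc8d1778842d",
]
IOC_DOMAINS = ["googleaauthenticator[.]com"]

# Constructed proxy log: "<timestamp> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
2024-07-25T10:00:01Z 10.0.0.5 GET https://www.example.org/ 200
2024-07-25T10:00:03Z 10.0.0.5 GET https://googleaauthenticator.com/download 200
2024-07-25T10:00:20Z 10.0.0.5 POST https://spikeliftall.com/live/ 200
2024-07-25T10:00:25Z 10.0.0.7 GET https://cdn.geotravelsgi.xyz/ujs/other 404
"""

# Constructed inventory of path -> SHA-256; the benign entry is a placeholder.
SAMPLE_HASH_INVENTORY = {
    r"C:\Users\alice\Downloads\GoogleAuthSetup.exe":
        "62536e1486be7e31df6c111ed96777b9e3f2a912a2d7111253ae6a5519e71830",
    r"C:\Program Files\Mozilla Firefox\firefox.exe": "0" * 64,
}


def refang(value):
    """Undo common defanging: hxxp(s) -> http(s), [.] -> ., [:] -> :."""
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")


def host_of(url):
    """Extract the lower-cased host from a URL, or None if there is no scheme."""
    m = re.match(r"^[a-z]+://([^/:]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else None


def ioc_hosts():
    """All hosts named by the URL and domain indicators, refanged."""
    hosts = {host_of(refang(u)) for u in IOC_URLS}
    hosts |= {refang(d).lower() for d in IOC_DOMAINS}
    return hosts


def match_proxy_log(text):
    """Return (timestamp, client, host) for each request to an indicator
    host or to any subdomain of it."""
    hosts = ioc_hosts()
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        host = host_of(parts[3])
        if host and any(host == h or host.endswith("." + h) for h in hosts):
            hits.append((parts[0], parts[1], host))
    return hits


def match_hashes(inventory):
    """Return the paths whose SHA-256 is one of the published payload hashes."""
    return [p for p, digest in inventory.items() if digest.lower() in IOC_SHA256]


if __name__ == "__main__":
    for ts, client, host in match_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{ts} {client} contacted indicator host {host}")
    for path in match_hashes(SAMPLE_HASH_INVENTORY):
        print(f"known payload hash on disk: {path}")
```

Host matching includes subdomains so that a distribution server reached under a different label still triggers; hash matching is exact, since any change to the binary yields a different SHA-256.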