The DeerStealer distribution campaign spreads via fake Google Authenticator websites, capturing user information and delivering a Delphi-based stealer hosted on GitHub. The operation uses a Telegram bot for data collection, employs obfuscation to hinder analysis, and appears linked to prior malware families, suggesting a common author. #DeerStealer #XFiles
Keypoints
- DeerStealer is distributed through fake Google Authenticator sites.
- The first site mimics a legitimate Google page to entice downloads.
- Visitor information (IP address and country) is sent to a Telegram bot after clicking Download.
- The stealer is hosted on GitHub and written in Delphi.
- Malware communicates with a C2 server using encrypted data.
- Comparison with XFiles malware suggests potential common authorship.
- ANY.RUN provides tools for analyzing malware behavior and threat intelligence.
MITRE Techniques
- [T1566] Phishing – DeerStealer is distributed through fake Google Authenticator websites. “DeerStealer is distributed through fake Google Authenticator websites.”
- [T1071] Command and Control – Malware is observed communicating with a C2 server, sending stolen data. “Malware communicates with a C2 server, sending stolen data.”
- [T1022] Data Encrypted – Data sent to the C2 server is encrypted using single-byte XOR encryption. “Data sent to the C2 server is encrypted using single-byte XOR encryption.”
- [T1027] Obfuscated Files or Information – The malware employs obfuscation techniques to hinder analysis. “The malware employs obfuscation techniques to hinder analysis.”
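The T1022 entry above notes that the C2 traffic is protected only by single-byte XOR. Because a one-byte key has just 256 possibilities, an analyst who has captured the beacon bytes can recover the key by trying every candidate and keeping the one whose output is printable text. The following is an added example written for this summary, not code from the ANY.RUN post or from the malware; the key (0x5A), the plaintext layout and the field names are constructed for illustration and are not DeerStealer's real format.

```python
"""Recover single-byte XOR-encoded C2 data by exhaustive key search.

Added example: the sample key and beacon layout below are constructed
for illustration; they are not taken from the DeerStealer samples.
"""
import string

# Bytes we accept as "text": printable ASCII plus tab/newline/CR etc.
PRINTABLE = frozenset(string.printable.encode("ascii"))


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key (0-255)."""
    if not 0 <= key <= 255:
        raise ValueError("single-byte key must be 0..255")
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable text; 0.0 for empty input."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in PRINTABLE) / len(data)


def rank_keys(ciphertext: bytes) -> list[tuple[int, float]]:
    """All 256 candidate keys, best (most printable output) first."""
    scored = [(key, printable_ratio(xor_bytes(ciphertext, key)))
              for key in range(256)]
    # Sort by ratio descending; ties keep ascending key order.
    return sorted(scored, key=lambda kv: (-kv[1], kv[0]))


def recover_single_byte_xor(ciphertext: bytes) -> tuple[int, bytes, float]:
    """Return (key, plaintext, ratio) for the most text-like candidate.

    Caveat: if the input was never XOR-encoded, key 0x00 wins with a
    ratio of 1.0, so a result of key 0 means "already plaintext", not
    "encrypted with a zero key". Inputs of a few bytes give unreliable
    rankings; feed the decoder a whole captured request body.
    """
    key, ratio = rank_keys(ciphertext)[0]
    return key, xor_bytes(ciphertext, key), ratio


# Constructed sample: a fictional stealer report, encoded with key 0x5A.
SAMPLE_KEY = 0x5A
SAMPLE_PLAINTEXT = (
    b"hwid=ABC-DEF\r\n"
    b"user=Admin\tos=Windows 10\r\n"
    b'browsers={"chrome":true}\r\n'
)
SAMPLE_CIPHERTEXT = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)


if __name__ == "__main__":
    key, plaintext, ratio = recover_single_byte_xor(SAMPLE_CIPHERTEXT)
    print(f"best key: 0x{key:02X}  printable ratio: {ratio:.2f}")
    print(plaintext.decode("ascii", errors="replace"))
```

The printable-ratio heuristic is enough for single-byte XOR because any wrong key turns at least some of the quotes, braces, uppercase letters or line breaks of a typical text report into control characters, so only the true key scores 1.0. If a sample uses a multi-byte or rolling key, this search no longer applies and the key must be recovered from the binary instead.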
Indicators of Compromise
- [Hash] Hashes – 4640d425d8d43a95e903d759183993a87bafcb9816850efe57ccfca4ace889ec, 569ac32f692253b8ab7f411fec83f31ed1f7be40ac5c4027f41a58073fef8d7d (and 8 more hashes)
- [Domains] Domains – paradiso4[.]fun, authenticcator-descktop[.]com, authentificatorgogle[.]com (and 4 more domains)
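The indicators above are published defanged (`[.]` in place of `.`), so a detection job has to refang them and then match them carefully: an exact hostname or any subdomain of a listed domain is a hit, while a name that merely contains the string is not. The script below is an added example for this summary, not tooling from ANY.RUN; it takes the three domains and two hashes quoted above, and the log lines and file inventory it scans are constructed for illustration.

```python
"""Match the published DeerStealer IoCs against DNS/proxy logs and file hashes.

Added example. The domains and hashes are the ones quoted in the summary
above (defanged); the log lines and file paths are constructed test data.
"""
import re

# IoCs exactly as listed on the page, still defanged.
DEFANGED_DOMAINS = [
    "paradiso4[.]fun",
    "authenticcator-descktop[.]com",
    "authentificatorgogle[.]com",
]
KNOWN_SHA256 = {
    "4640d425d8d43a95e903d759183993a87bafcb9816850efe57ccfca4ace889ec",
    "569ac32f692253b8ab7f411fec83f31ed1f7be40ac5c4027f41a58073fef8d7d",
}


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a usable value."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


def domain_matches(observed: str, ioc_domain: str) -> bool:
    """True for the domain itself or any subdomain; not for look-alikes."""
    observed = observed.lower().rstrip(".")
    return observed == ioc_domain or observed.endswith("." + ioc_domain)


# Hostnames appear as qname=... (DNS) or host=... (proxy) in the sample logs.
HOST_RE = re.compile(r"\b(?:qname|host)=([A-Za-z0-9.-]+)")


def scan_log(text: str, domains: list[str]) -> list[tuple[int, str, str]]:
    """Return (line_no, observed_host, matched_ioc) for every hit."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in HOST_RE.finditer(line):
            host = match.group(1)
            for ioc in domains:
                if domain_matches(host, ioc):
                    hits.append((line_no, host.lower(), ioc))
    return hits


def scan_hashes(inventory: dict[str, str], known: set[str]) -> list[str]:
    """Return file paths whose SHA-256 is in the known-bad set."""
    return [path for path, digest in inventory.items()
            if digest.lower() in known]


# Constructed sample data (not real telemetry).
SAMPLE_LOG = """\
2024-08-01T10:00:00Z dns client=10.0.0.5 qname=www.google.com
2024-08-01T10:00:03Z dns client=10.0.0.5 qname=authenticcator-descktop.com
2024-08-01T10:00:04Z http client=10.0.0.5 host=cdn.authentificatorgogle.com uri=/download
2024-08-01T10:01:00Z dns client=10.0.0.7 qname=paradiso4.fun.example.org
"""
SAMPLE_INVENTORY = {
    r"C:\Users\user\Downloads\Authenticator_Setup.exe":
        "4640D425D8D43A95E903D759183993A87BAFCB9816850EFE57CCFCA4ACE889EC",
    r"C:\Windows\System32\notepad.exe":
        "0000000000000000000000000000000000000000000000000000000000000000",
}

IOC_DOMAINS = [refang(d) for d in DEFANGED_DOMAINS]


if __name__ == "__main__":
    for line_no, host, ioc in scan_log(SAMPLE_LOG, IOC_DOMAINS):
        print(f"line {line_no}: {host} matches IoC {ioc}")
    for path in scan_hashes(SAMPLE_INVENTORY, KNOWN_SHA256):
        print(f"known-bad hash: {path}")
```

Line 4 of the sample log is deliberately a false-friend: `paradiso4.fun.example.org` contains a listed domain as a substring but is not under it, so the suffix check with the leading dot keeps it out of the results. Hash comparison is normalised to lower case because tools emit SHA-256 digests in either case.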
Read more: https://any.run/cybersecurity-blog/cybersecurity-blog/deerstealer-campaign-analysis/