URL: https://cyble.com/blog/double-trouble-latrodectus-and-acr-stealer-observed-spreading-via-google-authenticator-phis...
Submission: On August 20 via api from IN — Scanned from DE




Phishing

August 8, 2024


DOUBLE TROUBLE: LATRODECTUS AND ACR STEALER OBSERVED SPREADING VIA GOOGLE
AUTHENTICATOR PHISHING SITE 

Cyble analyzes a phishing website mimicking the Google Safety Centre, designed
to trick users into downloading malware that deploys Latrodectus and ACR
Stealer, both aimed at compromising security and stealing sensitive information.


KEY TAKEAWAYS  

 * Cyble Research and Intelligence Labs (CRIL) has identified a sophisticated
   phishing website masquerading as an official Google Safety Centre page.
 * The phishing site’s primary goal is to deceive users into downloading a file
   that purports to be Google Authenticator. In reality, this file is a
   malicious loader designed to install additional malware on the victim’s
   system.
 * The malicious file drops two distinct malware families: Latrodectus and ACR
   Stealer. Each has its own set of functionalities aimed at compromising the
   victim’s security and extracting sensitive information.
 * ACR Stealer employs a Dead Drop Resolver (DDR) to obscure its Command and
   Control (C&C) server details, embedding this information within seemingly
   innocuous locations or platforms. By disguising the C&C details, the malware
   increases its stealth and reduces the likelihood of detection.
 * Latrodectus shows signs of active development, as evidenced by a change to
   its encryption key and the introduction of a new command.
 * This ongoing development suggests that the Threat Actor (TA) is continuously
   enhancing Latrodectus with new features and capabilities in an effort to
   adapt and evade detection.


OVERVIEW 

Cyble Research and Intelligence Labs (CRIL) recently discovered a phishing
site, “googleaauthenticator[.]com”, crafted to resemble the official Google
Safety Centre. The site mimics the look of a legitimate Google service to
convince visitors that they are on a genuine Google page, as shown below.

Figure 1 – Phishing Webpage 

Upon further investigation, it became evident that the TAs behind this phishing
campaign are distributing two types of malware: a recently identified strain
called Latrodectus and the notorious ACR Stealer. The fraudulent site serves as
a conduit for these malicious payloads, leveraging the trust and familiarity of
Google’s branding to lure unsuspecting victims into downloading and executing
the malware.  


Recently, researchers uncovered a similar campaign in which attackers used
Google Ads to distribute an information stealer known as “Deer Stealer.” They
also found TAs misusing Google Ads to promote links to phishing sites. CRIL
suspects that the TA behind this campaign is likewise using Google Ads to
promote its phishing links.

When the user clicks the “Download Authenticator” button on the phishing site,
it downloads an executable named “GoogleAuthSetup.exe” from
“hxxps://webipanalyzer[.]com/GoogleAuthSetup.exe”. When the user runs the
downloaded file, it displays a deceptive “Unable to Install” message. Meanwhile,
in the background, it silently drops ACR Stealer and Latrodectus into the
%temp% directory and executes them.

ACR Stealer gathers sensitive information from the victim and transmits it to
a command-and-control (C&C) server, while Latrodectus uses evasion techniques
to maintain persistence on the victim’s machine, collects user information, and
sends it to its C&C server to conduct further malicious activity.

The figure below shows the infection chain of this campaign. 

Figure 2 – Infection Chain 


TECHNICAL ANALYSIS 

The downloaded file, “GoogleAuthSetup.exe,” functions as a loader and is
digitally signed. As shown in Figure 3, the signature is valid as of the time of
this analysis.  

Figure 3 – Digital Signature information 

Figure 4 shows that the loader file’s RCData section contains encrypted payloads
as well as the key required for their decryption.  

Figure 4 – RCData 

Upon execution, the loader reads the encrypted resource contents with the
LoadResource() API, decrypts them, writes them to the %temp% directory, and
then launches the decrypted executables via the NtCreateUserProcess syscall.
The figure below shows the decrypted content saved in the %temp% location.

Figure 5 – Writing files to the %temp% directory 

The TA then takes an additional step to strengthen the deception and obscure
the activity: a fake error message is shown to the victim, designed to make the
user believe that the downloaded application was legitimate but encountered a
technical problem during installation.

Figure 6 – Fake error message 

The decrypted payloads are identified as Latrodectus and ACR Stealer. When
executed from the %temp% directory, Latrodectus checks whether it is running
from the %appdata% directory. If not, it copies itself to %appdata%, executes
from there, and then terminates its process from the %temp% location.   

Figure 7 – Process Tree 


ACR STEALER 

Upon execution, the ACR Stealer, identified by its SHA-256 hash value
532c9bc2e30150bef61a050386509dd5f3c152688898f6be616393f10b9262d3, initiates a
process to exfiltrate sensitive information from the victim’s machine. To
facilitate communication with its command and control (C&C) server while
avoiding detection, ACR Stealer employs a technique known as Dead Drop Resolver
(DDR).  

DDR is a method used to obscure and hide the true location of the C&C server by
embedding this information within seemingly benign or legitimate platforms. In
this case, ACR Stealer utilizes the Steam Community website as a cover for its
C&C details, as shown in Figure 8.  

By disguising the C&C server information within the Steam Community platform,
the malware takes advantage of the website’s legitimate status to evade
detection by security tools and researchers.  

Figure 8 – Dead Drop Resolver 

ACR Stealer retrieves the C&C details and constructs a specific URL to download
its encrypted configuration file from
“hxxps://geotravelsgi[.]xyz/ujs/2ae977f4-db12-4876-9e4d-fc8d1778842d”. It then
decrypts the configuration, which lists the targeted applications and their
details. The table below shows the applications targeted by ACR Stealer.

Category | Application Names
Web Browser | Google Chrome Canary, Epic Privacy Browser, Microsoft Edge,
  Nichrome, Opera Stable, Google Chrome Dev, Google Chrome Beta, Google Chrome
  SxS, Vivaldi, Mozilla Firefox, Opera GX Stable, Coowon, QIP Surf, Kometa,
  Torch, 360Browser, K-Melon, Orbitum, Elements Browser, CocCoc Browser,
  Brave-Browser, Google Chrome Unstable, CatalinaGroup Citrio, CentBrowser,
  TorBro, MapleStudio ChromePlus, Amigo, Google Chrome, BlackHawk, Chromium,
  liebao, Chromodo, Maxthon3, Opera Neon, uCozMedia Uran, Chedot, Uran
Email Client | Mailbird, Pocomail, yMail2, The Bat!, eM Client, Thunderbird,
  Opera Mail, TrulyMail, PMAIL
FTP Client | FileZilla, NetDrive, FTPGetter, BlazeFtp, Steed, FTP Now, Estsoft
  ALFTP, BitKinex, DeluxeFTP, UltraFXP, INSoftware NovaFTP, FTPBox, GoFTP,
  Notepad++ plugins NppFTP
Cryptocurrency Wallet | Electrum, Bitcoin, Daedalus Mainnet, Litecoin, Monero,
  Electrum-LTC, Authy Desktop, Zcash, Exodus, Anoncoin, BBQCoin, Guarda,
  GoldCoin (GLD), DashCore, Ethereum, YACoin, Coinomi, Armory, Digitalcoin,
  MultiDoge, Atomic, Namecoin, Florincoin, Freicoin, Terracoin, Dogecoin,
  GInfinitecoin, IOCoin, Franko, devcoin, ElectronCash, Binance, WalletWasabi,
  Mincoin, Megacoin
Messenger | WhatsApp, Psi, Tox, Signal, Psi+, Telegram, Pidgin
VPN | AzireVPN, NordVPN
Password Manager | 1Password, RoboForm, Bitwarden, NordPass
Other Applications | GmailNotifierPro, To-Do DeskList, MySQL Workbench,
  AnyDesk, GHISLER, snowflake-ssh, Sticky Notes, Conceptworld’s Notezilla


LATRODECTUS  

In October 2023, Walmart researchers published a blog about a malware named
Latrodectus. Subsequently, this family was analysed and discussed by other
researchers at Proofpoint and Elastic. Latrodectus is a downloader that can
execute commands received from a Command & Control (C&C) server. Researchers
have also confirmed that it was developed by the creators of IcedID. Most of the
Latrodectus behaviours observed in this campaign match those of previous
campaigns, so this section summarizes only the changes observed in Latrodectus
version 1.3.

As in the previous campaign, the initial Command & Control (C&C) communication
from the victim’s machine is base64 encoded and RC4 encrypted; it is depicted in
the figure below.

Figure 9 – C&C Communication 

In this version, the TA has used a random string
“1SJUf0qxxRVHjgWtVJDajSnFbT2glz9jy7qZE0au0MZPX3HOmf” as the key for encrypting
the Command & Control (C&C) communication. In previous versions, the key used
for encryption was “12345.” The figure below shows the decrypted content of its
C&C communication using CyberChef. 

Figure 10 – Decrypted content
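The CyberChef step above (base64 decode, then RC4 with the version 1.3 key) is easy to script so that every captured beacon can be decoded in bulk rather than pasted into a browser. The following is an added analyst helper, not code from the Cyble post: it implements textbook RC4 with no third-party dependency, tries the version 1.3 and earlier-version keys the post names, and reports which one produced a readable result. The sample beacon body is constructed here by encrypting a made-up string; it is not a real capture, and the printable-ASCII check is only a triage heuristic.

```python
"""Decode a Latrodectus-style C&C beacon: base64 wrapping RC4.

Added example, not code from the Cyble post. The RC4 key strings are the
ones the post reports for Latrodectus 1.3 and for earlier versions; the
sample message is CONSTRUCTED here by encrypting a made-up plaintext, so
the decoder can be exercised offline without real traffic.
"""
import base64

# Key the post reports for Latrodectus version 1.3.
LATRODECTUS_13_KEY = b"1SJUf0qxxRVHjgWtVJDajSnFbT2glz9jy7qZE0au0MZPX3HOmf"
# Key the post says earlier versions used.
LATRODECTUS_11_KEY = b"12345"
# Newest first, so the common case is tried first.
KNOWN_KEYS = {"v1.3": LATRODECTUS_13_KEY, "v1.1": LATRODECTUS_11_KEY}


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    # Key-scheduling algorithm: permute the 256-byte state with the key.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation: XOR each input byte with the next keystream byte.
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_c2_message(b64_payload: str, key: bytes = LATRODECTUS_13_KEY) -> bytes:
    """Undo the observed wrapping: strip base64, then RC4-decrypt."""
    ciphertext = base64.b64decode(b64_payload, validate=True)
    return rc4(key, ciphertext)


def encode_c2_message(plaintext: bytes, key: bytes = LATRODECTUS_13_KEY) -> str:
    """Inverse of decode_c2_message; used here only to build the offline fixture."""
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")


def identify_key(b64_payload: str):
    """Try each documented key; return (version label, plaintext) for the first
    that yields printable ASCII, or None. Printability is a heuristic for the
    text beacon the post decodes in CyberChef, not proof of the key."""
    for label, key in KNOWN_KEYS.items():
        plain = decode_c2_message(b64_payload, key)
        if plain and all(0x20 <= b < 0x7F for b in plain):
            return label, plain
    return None


# CONSTRUCTED fixture: a made-up beacon body, not a real capture.
SAMPLE_PLAINTEXT = b"counter=0&type=1&guid=CONSTRUCTED-SAMPLE-GUID"
SAMPLE_B64 = encode_c2_message(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print("encoded :", SAMPLE_B64)
    print("decoded :", identify_key(SAMPLE_B64))
```

Because RC4 is a stream cipher, a wrong key does not raise an error; it simply yields byte noise, which is why the helper checks the output rather than trusting the decrypt call. If a beacon decodes under neither key, the sample is most likely a newer build with yet another key change, which is itself worth recording.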

In version 1.3 of Latrodectus, the scheduled task created is configured to
launch the malicious file every 10 minutes. In contrast, version 1.1 utilized a
task scheduler set to execute the malicious file only at logon. This change in
scheduling frequency indicates a shift towards more persistent and frequent
execution of the malware in the newer version. 

Figure 11 – Scheduled task 
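The shift from a logon-only trigger (version 1.1) to a 10-minute repetition (version 1.3) is a concrete hunting cue: a scheduled task that re-runs a binary from %appdata% every few minutes is unusual for legitimate software. The following added triage script, which is not part of the Cyble post, parses task definitions in the Windows Task Scheduler XML format (the format of the files under C:\Windows\System32\Tasks), extracts repetition intervals and executable paths, and flags the short-interval plus user-writable-directory combination. Both task definitions in it are constructed fixtures, not the campaign's actual task; the path fragments and 15-minute threshold are assumptions you should tune to your environment.

```python
"""Triage Windows Task Scheduler XML for the persistence pattern the post
describes: a task that re-runs a binary every few minutes from %appdata%.

Added example, not from the Cyble post. The two task definitions are
CONSTRUCTED fixtures in the Task Scheduler XML format (the format of the files
under C:\\Windows\\System32\\Tasks); they are not the campaign's actual task.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Path fragments a long-lived task rarely runs from when installed legitimately.
# Assumption: tune for your estate (some updaters do live in AppData).
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\")


def iso_duration_to_minutes(value: str) -> float:
    """Parse the ISO-8601 durations Task Scheduler uses (e.g. PT10M, PT1H, P1D)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value or "")
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {value!r}")
    days, hours, mins, secs = (int(g) if g else 0 for g in m.groups())
    return days * 1440 + hours * 60 + mins + secs / 60


def assess_task(xml_text: str, max_interval_minutes: float = 15) -> dict:
    """Summarise one task definition and flag the short-interval + user-dir combination."""
    root = ET.fromstring(xml_text)
    commands = [(c.text or "").strip()
                for c in root.findall(".//t:Actions/t:Exec/t:Command", NS)]
    intervals = [iso_duration_to_minutes(i.text)
                 for i in root.findall(".//t:Triggers//t:Repetition/t:Interval", NS)]
    logon_trigger = root.find(".//t:Triggers/t:LogonTrigger", NS) is not None
    shortest = min(intervals) if intervals else None
    from_user_dir = any(h in c.lower() for c in commands for h in USER_WRITABLE_HINTS)
    short_repeat = shortest is not None and shortest <= max_interval_minutes

    reasons = []
    if short_repeat:
        reasons.append(f"repeats every {shortest:g} min")
    if from_user_dir:
        reasons.append("executes from a user-writable directory")
    return {
        "commands": commands,
        "shortest_interval_min": shortest,
        "logon_trigger": logon_trigger,
        "reasons": reasons,
        # Both cues together match the v1.3 behaviour described in the post.
        "suspicious": from_user_dir and short_repeat,
    }


# CONSTRUCTED fixture resembling the v1.3 behaviour: 10-minute repetition,
# binary under AppData. Path and file name are made up.
SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT10M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2024-08-01T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\alice\AppData\Roaming\CONSTRUCTED\sample.exe</Command></Exec>
  </Actions>
</Task>"""

# CONSTRUCTED fixture of an ordinary logon-time task installed under Program Files.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\ExampleVendor\updater.exe</Command></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml_text in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(name, assess_task(xml_text))
```

Run it over every file under the Tasks directory of a suspect host (or over task XML exported from EDR telemetry). A logon-only trigger from AppData alone is a weaker signal, since some legitimate updaters behave that way, so the script records it but does not flag it on its own; the combination with a minutes-scale repetition is what distinguishes the behaviour described for version 1.3.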

Additionally, the developers behind Latrodectus have added a new command in
version 1.3. While version 1.1 had 11 commands, version 1.3 now includes 12
commands, as shown in the figure below, reflecting an enhancement in the
malware’s functionality and capabilities. 

Figure 12 – BOT command IDs 


CONCLUSION 

This sophisticated phishing campaign illustrates the growing complexity of cyber
threats, with attackers employing deceptive tactics to compromise users. By
mimicking a legitimate Google Safety Centre page and distributing a malicious
file disguised as Google Authenticator, the attackers deploy two distinct types
of malware—Latrodectus and ACR Stealer—with targeted malicious purposes.  

ACR Stealer’s use of Dead Drop Resolver (DDR) to obscure its C&C server details
highlights advanced evasion strategies. The continuous development of
Latrodectus, including updated encryption and new commands, demonstrates the
attackers’ persistent efforts to refine and enhance their malware. 


RECOMMENDATIONS 

 * Always download Google Authenticator directly from official sources, such as
   the Google Play Store or the Apple App Store, to ensure you are getting the
   legitimate app and avoid phishing scams. 
 * This campaign reaches users via malicious Google ads. Users should be
   cautious when interacting with ads and verify the authenticity of links
   before clicking. Organizations should consider monitoring ad platforms for
   suspicious activity and employing advanced threat detection tools to identify
   and block phishing attempts. 
 * The TA has created a phishing site posing as Google Safety Centre. To protect
   yourself, verify the legitimacy of websites by scrutinizing URLs and avoiding
   suspicious links.  
 * Conduct training sessions to educate users on recognizing phishing attempts
   and the risks of downloading files from untrusted sources. Emphasize the
   importance of verifying the legitimacy of websites and links before
   interaction. 
 * Use network security tools to monitor and block communications with known
   Command and Control (C&C) servers. Implement firewalls and intrusion
   detection systems to detect and prevent unauthorized access. 
 * Enable MFA on all accounts to add an extra layer of security and reduce the
   risk of unauthorized access even if credentials are compromised. 
 * Develop and maintain an incident response plan to quickly address and
   mitigate the impact of malware infections. Regularly test and update the plan
   to ensure effectiveness. 


MITRE ATT&CK® TECHNIQUES 

Tactic | Technique | Procedure
Initial Access (TA0001) | Phishing (T1566) | Phishing website hosted a malicious binary as a legitimate application
Defense Evasion (TA0005) | Obfuscated Files or Information: Software Packing (T1027.002) | Payload is encrypted inside the Resource section
Execution (TA0002) | Native API (T1106) | The NtCreateUserProcess() API is used to create a child process
Execution, Persistence, Privilege Escalation | Scheduled Task/Job: Scheduled Task (T1053.005) | Sets scheduled tasks using COM Object
Defense Evasion (TA0005) | Indicator Removal: File Deletion (T1070.004) | Deletes itself from Temp dir
Defense Evasion (TA0005) | Obfuscated Files or Information: Dynamic API Resolution (T1027.007) | Loads DLLs during runtime
Discovery (TA0007) | System Information Discovery (T1082) | Checks for Windows version and running processes
Command and Control (TA0011) | Application Layer Protocol: Web Protocols (T1071.001) | Communicates to C&C over HTTP
Collection (TA0009) | Automated Collection (T1119) | Collects Cryptocurrency wallet information
Credential Access (TA0006) | Credentials from Password Stores: Credentials from Web Browsers (T1555.003) | Tries to collect credentials from browsers
Credential Access (TA0006) | Credentials from Password Stores: Password Managers (T1555.005) | Tries to steal credentials from password managers


INDICATORS OF COMPROMISE 

Indicators | Indicator Type | Description
62536e1486be7e31df6c111ed96777b9e3f2a912a2d7111253ae6a5519e71830 | SHA-256 | GoogleAuthSetup.exe
81bc69a33b33949809d630e4fa5cdb89d8c60cf0783f447680c3677cae7bb9bb | SHA-256 | Latrodectus
532c9bc2e30150bef61a050386509dd5f3c152688898f6be616393f10b9262d3 | SHA-256 | ACR Stealer
hxxps://spikeliftall[.]com/live/ | URL | C&C of Latrodectus
hxxps://godfaetret[.]com/live/ | URL | C&C of Latrodectus
hxxps://geotravelsgi[.]xyz/ujs/2ae977f4-db12-4876-9e4d-fc8d1778842d | URL | Config file of ACR Stealer
googleaauthenticator[.]com | Domain | Phishing Site


REFERENCES

https://www.malwarebytes.com/blog/news/2024/07/threat-actor-impersonates-google-via-fake-ad-for-authenticator
https://medium.com/walmartglobaltech/icedid-gets-loaded-af073b7b6d39
https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice
https://www.elastic.co/security-labs/spring-cleaning-with-latrodectus
https://www.fortinet.com/blog/threat-research/exploiting-cve-2024-21412-stealer-campaign-unleashed

