Beware! Fake Google Authenticator Sites Spreading DeerStealer Malware

Researchers from ANY.RUN identified a malware distribution campaign, dubbed DeerStealer, that uses deceptive websites masquerading as legitimate Google Authenticator download pages.
The first website found, "authentificcatorgoolglte[.]com", closely resembles the official Google page "security.google/intl/en_my/cybersecurity-advancements", presumably to convince users that it is a legitimate source for the software.
Clicking the "Accept" button on this deceptive website triggers a two-fold malicious action: first, it transmits the visitor's IP address and country to a Telegram bot, likely for tracking and potential victim identification.
Second, instead of downloading the genuine Google Authenticator app, the website redirects users to a malicious file hosted on GitHub in the repository "github[.]com/ggle24/ggle2".
That file likely contains the DeerStealer malware itself, disguised as legitimate software. Once downloaded and executed, DeerStealer can steal sensitive user data without the victim's knowledge.
On June 19, 2024, the user "fedor_emeliyanenko_bog" launched the Telegram bot Tuc-tuc, which began logging messages that included the originating site, allowing the extraction of active phishing websites linked to this campaign.
By examining the chat history, researchers identified a list of domains associated with these phishing attacks.
The Delphi-based stealer, originating from GitHub, contains a malicious payload delivered via a Reedcode-signed file. The payload uses obfuscation to hide its actions: API calls are wrapped in functions that retrieve the target address from global variables and transfer control with JMP RAX, so the imports never appear as direct calls.
Further obfuscation comes from a large number of obscured constants inside the code, complicating analysis. The payload runs directly in memory without creating a persistent file on the system.
The sample analyzed in ANY.RUN exhibits the communication characteristics of a client connecting to a Command and Control (C2) server.
The sample initiates communication by sending a POST request containing the device's hardware ID (HWID) to the "paradiso4[.]fun" domain, which likely serves authentication or registration purposes.
Following the server's response, the sample transmits data in subsequent one-way POST requests, suggesting data exfiltration or reporting to the C2 server.
Analysis of the sent data reveals a high frequency of the byte 0xC. Because any byte XORed with zero yields the key itself, a zero-heavy plaintext encrypted with single-byte XOR exposes the key as its most frequent byte, which points to XOR with a key of 0xC.
Decrypting with CyberChef indeed uncovers PKZip archives containing system information such as hostnames, processor details, and running processes, confirming the encryption method and indicating data exfiltration or system monitoring.
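The key-recovery step described above, scripted as an added example rather than code from the ANY.RUN report or from the malware: the most frequent byte of the captured POST body is taken as the XOR key candidate, and the guess is confirmed by checking that decryption yields the PKZip local-header magic (PK\x03\x04) before the archive is unpacked. The exfil blob here is constructed in the script (a small ZIP of system-info-style text XORed with 0x0C); no real C2 traffic is used.

```python
"""Recover a single-byte XOR key from captured exfil data and unpack the ZIP inside."""
import io
import zipfile
from collections import Counter
from typing import Dict, List, Optional

PK_MAGIC = b"PK\x03\x04"  # PKZip local file header signature


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; encryption and decryption are the same operation."""
    return bytes(b ^ key for b in data)


def candidate_keys(data: bytes, limit: int = 5) -> List[int]:
    """Byte values ordered by frequency. Zero bytes in the plaintext show up as the key
    after XOR, so for zero-heavy data (ZIP headers, padding) the key is the top entry."""
    return [b for b, _ in Counter(data).most_common(limit)]


def recover_xor_key(data: bytes, magic: bytes = PK_MAGIC) -> Optional[int]:
    """Confirm the frequency guess: the right key turns the first bytes into the expected magic."""
    for key in candidate_keys(data):
        if xor_bytes(data[: len(magic)], key) == magic:
            return key
    return None


def unpack_exfil(blob: bytes) -> Dict[str, bytes]:
    """Recover the key, decrypt, and return the archive members by name."""
    key = recover_xor_key(blob)
    if key is None:
        raise ValueError("no single-byte XOR key yields a PKZip header")
    with zipfile.ZipFile(io.BytesIO(xor_bytes(blob, key))) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def build_constructed_exfil(key: int = 0x0C) -> bytes:
    """Constructed stand-in for a stealer POST body: a ZIP of system info, XORed with `key`.
    Hostname and process names are made up for the example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("system.txt", "hostname=DESKTOP-EXAMPLE\r\ncpu=Example CPU 8 cores\r\n")
        zf.writestr("processes.txt", "explorer.exe\r\nchrome.exe\r\n")
    return xor_bytes(buf.getvalue(), key)


if __name__ == "__main__":
    blob = build_constructed_exfil()
    print("most frequent byte: 0x%02x" % candidate_keys(blob)[0])
    print("confirmed key:      0x%02x" % recover_xor_key(blob))
    for name, content in unpack_exfil(blob).items():
        print(f"--- {name} ---\n{content.decode()}")
```

The magic check matters because the frequency heuristic only holds when the plaintext really is zero-heavy; on a compressed payload with few zero bytes the top byte may be wrong, and trying the next few candidates against a known header avoids decrypting garbage.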
Researchers found a YARA rule matching the DeerStealer sample and, through it, two similar samples linked to the XFiles family, which shares the tactic of distributing through deceptive look-alike software websites.
While DeerStealer is compiled machine code, XFiles is .NET-based malware. DeerStealer also employs staged C2 communication, sending the HWID first before any data transmission, unlike XFiles' single POST request.
IOCs
4640d425d8d43a95e903d759183993a87bafcb9816850efe57ccfca4ace889ec
569ac32f692253b8ab7f411fec83f31ed1f7be40ac5c4027f41a58073fef8d7d
5e2839553458547a92fff7348862063b30510e805a550e02d94a89bd8fd0768d
66282239297c60bad7eeae274e8a2916ce95afeb932d3be64bb615ea2be1e07a
a6f6175998e96fcecad5f9b3746db5ced144ae97c017ad98b2caa9d0be8a3cb5
b116c1e0f92dca485565d5f7f3b572d7f01724062320597733b9dbf6dd84dee1
b5ab21ddb7cb5bfbedee68296a3d98f687e9acd8ebcc4539f7fd234197de2227
cb08d8a7bca589704d20b421768ad01f7c38be0c3ea11b4b77777e6d0b5e5956
d9db8cdef549e4ad0e33754d589a4c299e7082c3a0b5efdee1a0218a0a1bf1ee
e24c311a64f57fd16ffc98f339d5d537c16851dc54d7bb3db8778c26ccb5f2d1
Source credit: cybersecuritynews.com