Beware! Fake Google Authenticator Sites Spreading DeerStealer Malware

Researchers from ANY RUN identified a malware distribution campaign dubbed DeerStealer that leverages deceptive websites masquerading as legitimate Google Authenticator download pages. 

The initial discovered website, “authentificcatorgoolglte[.]com,” closely resembles the authentic Google page “safety.google/intl/en_my/cybersecurity-advancements,” presumably to trick users into believing it’s a genuine source for the application. 

example of fake site 

Clicking the “Download” button on this fake website triggers a two-fold malicious action: first, it transmits the visitor’s IP address and country information to a Telegram bot, likely for tracking and potential victim identification. 

Second, instead of downloading the actual Google Authenticator app, the website redirects users to a malicious file hosted on GitHub at the repository “github[.]com/ggle24/ggle2.” 

It likely contains the DeerStealer malware itself, disguised as a legitimate application. Once downloaded and executed, DeerStealer can potentially steal sensitive user data without their knowledge.  

JavaScript code that sends visitor information to the Telegram bot when the file is downloaded 

On June 19, 2024, user “fedor_emeliyanenko_bog” launched the Telegram bot Tuc-tuc, which started logging messages that included the originating site and allowed for the extraction of active phishing sites connected to this campaign. 

Researchers have identified a list of domains associated with these phishing attacks by analyzing the chat history. 

Fake Domains

The Delphi-based stealer, originating from GitHub, self-contains a malicious payload delivered via a Reedcode-signed file, which employs obfuscation to conceal its actions, including API calls wrapped in functions that retrieve addresses from global variables and utilize JMP RAX for execution. 

Additional obfuscation comes from numerous obscured constants within the code, complicating analysis. The payload runs directly in memory without creating a persistent file on the system. 

Sample information

The analyzed sample in ANY.RUN exhibits the communication characteristics of a potential client connecting to a Command and Control (C2) server. 

The sample initiates communication by sending a POST request containing the device’s hardware ID (HWID) to the “paradiso4.fun” domain, which likely serves for authentication or registration purposes.  

Following the server’s response, the sample transmits data in subsequent one-way POST requests, suggesting a potential data exfiltration attempt or reporting functionality to the C2 server

Encrypted data from traffic

Analysis of the sent data reveals a high frequency of the byte 0xC, suggesting single-byte XOR encryption with a key of 0xC due to XOR’s properties with zero. 

Easily analyze malware in ANY.RUN sandbox – Register for Free

Decryption using CyberChef successfully uncovers PKZip archives containing system information like hostnames, processor details, and running processes, confirming the encryption method and indicating potential data exfiltration or system monitoring activities. 

New XFiles version release 

Researchers identified a YARA rule matching a DeerStealer sample, subsequently discovering two similar samples linked to the XFiles family, sharing the common tactic of using fake, legitimate software sites for distribution. 

While DeerStealer is a compiled machine-code application, XFiles is a .NET-based malware that employs staged C2 communication, sending HWID initially before data transmission, unlike XFiles’ single POST request. 

Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Free Access

 IOCs

4640d425d8d43a95e903d759183993a87bafcb9816850efe57ccfca4ace889ec 
569ac32f692253b8ab7f411fec83f31ed1f7be40ac5c4027f41a58073fef8d7d 
5e2839553458547a92fff7348862063b30510e805a550e02d94a89bd8fd0768d 
66282239297c60bad7eeae274e8a2916ce95afeb932d3be64bb615ea2be1e07a
a6f6175998e96fcecad5f9b3746db5ced144ae97c017ad98b2caa9d0be8a3cb5
b116c1e0f92dca485565d5f7f3b572d7f01724062320597733b9dbf6dd84dee1
b5ab21ddb7cb5bfbedee68296a3d98f687e9acd8ebcc4539f7fd234197de2227 
cb08d8a7bca589704d20b421768ad01f7c38be0c3ea11b4b77777e6d0b5e5956 
d9db8cdef549e4ad0e33754d589a4c299e7082c3a0b5efdee1a0218a0a1bf1ee
E24c311a64f57fd16ffc98f339d5d537c16851dc54d7bb3db8778c26ccb5f2d1 

The post Beware! Fake Google Authenticator Sites Spreading DeerStealer Malware appeared first on Cyber Security News.