Double Trouble: Latrodectus and ACR Stealer observed spreading via Google Authenticator Phishing Site
Key Takeaways
- Cyble Research and Intelligence Lab (CRIL) has identified a sophisticated phishing website masquerading as an official Google Safety Centre page.
- The phishing site’s primary goal is to deceive users into downloading a file that purports to be Google Authenticator. In reality, this file is a malicious application designed to install additional malicious software on the victim’s system.
- The malicious file drops two distinct types of malware: Latrodectus and ACR Stealer. Each of these malware components has its own set of functionalities aimed at compromising the victim’s security and extracting sensitive information.
- The ACR Stealer employs Dead Drop Resolver (DDR) to obscure its Command and Control (C&C) server details, embedding this information within seemingly innocuous locations or platforms. By disguising the C&C details, the malware enhances its stealth and reduces the likelihood of detection
- Latrodectus shows signs of active development, as evidenced by updates to its encryption key pattern and the introduction of new commands.
- This ongoing development suggests that the Threat Actor (TA) is continuously enhancing the Latrodectus malware to add new features and capabilities, reflecting an effort to adapt and evade detection.
Overview
Cyble Research and Intelligence Labs (CRIL) recently discovered a phishing site—“googleaauthenticator.com”—cleverly crafted to resemble an official Google Safety Centre. The website’s design mimics the authentic appearance of a legitimate Google service, aiming to deceive users into believing they are visiting the genuine Google Authenticator site, as shown below.
Figure 1 – Phishing Webpage
Upon further investigation, it became evident that the TAs behind this phishing campaign are distributing two types of malware: a recently identified strain called Latrodectus and the notorious ACR Stealer. The fraudulent site serves as a conduit for these malicious payloads, leveraging the trust and familiarity of Google’s branding to lure unsuspecting victims into downloading and executing the malware.
Recently, researchers uncovered a similar campaign where attackers used
Google Ads to distribute an information-stealing malware known as “Deer Stealer.” They also identified that TAs were misusing Google Ads to promote links to phishing sites. CRIL also suspects that the TA behind this campaign is utilizing Google Ads to promote phishing links.
When the user clicks on the “Download Authenticator” button in the phishing site, it downloads an executable named “GoogleAuthSetup.exe” from “hxxps://webipanalyzer[.]com/GoogleAuthSetup.exe“. When the user runs the downloaded file, it displays a deceptive “Unable to Install” message. Meanwhile, in the background, it silently downloads ACR Stealer and Latrodectus to the %temp% directory and then executes them.
While the ACR Stealer gathers sensitive information from the victim and transmits it to a command and control (C&C) server, the Latrodectus loader/stealer uses evasion techniques to maintain persistence on the victim’s machine. It also collects user information and sends it to the command-and-control server (C&C) to conduct other malicious activities.
The figure below shows the infection chain of this campaign.
Figure 2 – Infection Chain
Technical Analysis
The downloaded file, “GoogleAuthSetup.exe,” functions as a loader and is digitally signed. As shown in Figure 3, the signature is valid as of the time of this analysis.
Figure 3 – Digital Signature information
Figure 5 shows that the loader file’s RCData section contains encrypted payloads as well as the key required for their decryption.
Figure 4 – RCData
Upon execution, the malware loads the encrypted resource contents using the LoadResource() API, decrypts them, saves them to the %temp% directory, and then executes the decrypted executable files using SYSCALL “NtCreateUserProcess.” The figure below shows the decrypted content saved in the %temp% location.
Figure 5 – Writing files to the %temp% directory
Subsequently, the TA takes an additional step to enhance the deception and obfuscate their activities. They display a fake error message to the victim. This message is designed to mislead the user into believing that the application they downloaded was legitimate but encountered a technical problem during installation.
Figure 6 – Fake error message
The decrypted payloads are identified as Latrodectus and ACR Stealer. When executed from the %temp% directory, Latrodectus checks whether it is running from the %appdata% directory. If not, it copies itself to %appdata%, executes from there, and then terminates its process from the %temp% location.
Figure 7 – Process Tree
ACR Stealer
Upon execution, the ACR Stealer, identified by its SHA-256 hash value 532c9bc2e30150bef61a050386509dd5f3c152688898f6be616393f10b9262d3, initiates a process to exfiltrate sensitive information from the victim’s machine. To facilitate communication with its command and control (C&C) server while avoiding detection, ACR Stealer employs a technique known as Dead Drop Resolver (DDR).
DDR is a method used to obscure and hide the true location of the C&C server by embedding this information within seemingly benign or legitimate platforms. In this case, ACR Stealer utilizes the Steam Community website as a cover for its C&C details, as shown in Figure 8.
By disguising the C&C server information within the Steam Community platform, the malware takes advantage of the website’s legitimate status to evade detection by security tools and researchers.
Figure 8 – Dead Drop Resolver
The ACR Stealer retrieves the C2 details and constructs a specific URL to download the encrypted configuration file from “https://geotravelsgi.xyz/ujs/2ae977f4-db12-4876-9e4d-fc8d1778842d.” It then decrypts the configuration file. The decrypted configuration contains information about the targeted applications and their details. The table below shows the applications targeted by ACR Stealer.
| Category | Application Names |
| Web Browser | Google Chrome Canary, Epic Privacy Browser, Microsoft Edge, Nichrome, Opera Stable, Google Chrome Dev, Google Chrome Beta, Google Chrome SxS, Vivaldi, Mozilla Firefox, Opera GX Stable, Coowon, QIP Surf, Kometa, Torch, 360Browser, K-Melon, Orbitum, Elements Browser, CocCoc Browser, Brave-Browser, Google Chrome Unstable, CatalinaGroup Citrio, CentBrowser, TorBro, MapleStudio ChromePlus, Amigo, Google Chrome, BlackHawk, Chromium, liebao, Chromodo, Maxthon3, Opera Neon, uCozMedia Uran, Chedot, Uran |
| Email Client | Mailbird, Pocomail, yMail2, The Bat!, eM Client, Thunderbird, Opera Mail, TrulyMail, PMAIL |
| FTP Client | FileZilla, NetDrive, FTPGetter, BlazeFtp, Steed, FTP Now, Estsoft ALFTP, BitKinex, DeluxeFTP, UltraFXP, INSoftware NovaFTP, FTPBox, GoFTP, Notepad++ plugins NppFTP |
| Cryptocurrency Wallet | Electrum, Bitcoin, Daedalus Mainnet, Litecoin, Monero, Electrum-LTC, Authy Desktop, Zcash, Exodus, Anoncoin, BBQCoin, Guarda, GoldCoin (GLD), DashCore, Ethereum, YACoin, Coinomi, Armory, Digitalcoin, MultiDoge, Atomic, Namecoin, Florincoin, Freicoin, Terracoin, Dogecoin, GInfinitecoin, IOCoin, Franko, devcoin, ElectronCash, Binance, WalletWasabi, Mincoin, Megacoin |
| Messenger | WhatsApp, Psi, Tox, Signal, Psi+, Telegram, Pidgin |
| VPN | AzireVPN, NordVPN |
| Password Manager | 1Password, RoboForm, Bitwarden, NordPass |
| Other Applications | GmailNotifierPro, To-Do DeskList, MySQL Workbench, AnyDesk, GHISLER, snowflake-ssh, Sticky Notes, Conceptworld’s Notezilla |
Latrodectus
In October 2023, Walmart researchers published a blog about a malware named Latrodectus. Subsequently, this variant was analysed and discussed by other researchers at Proofpoint and Elastic. Latrodectus is a downloader that can execute commands received from a Command & Control (C&C) server. Researchers have also confirmed that it was developed by the creators of IcedID. Most of the Latrodectus behaviors observed in this campaign show similarities to those in previous campaigns. In this section, we summarize only the changes observed in the Latrodectus version 1.3.
Like the previous campaign, the initial Command & Control (C&C) communication from the victim’s machine, which is base64 encoded and RC4 encrypted, is depicted in the figure below.
Figure 9 – C&C Communication
In this version, the TA has used a random string “1SJUf0qxxRVHjgWtVJDajSnFbT2glz9jy7qZE0au0MZPX3HOmf” as the key for encrypting the Command & Control (C&C) communication. In previous versions, the key used for encryption was “12345.” The figure below shows the decrypted content of its C&C communication using CyberChef.
Figure 10 – decrypted content
In version 1.3 of Latrodectus, the scheduled task created is configured to launch the malicious file every 10 minutes. In contrast, version 1.1 utilized a task scheduler set to execute the malicious file only at logon. This change in scheduling frequency indicates a shift towards more persistent and frequent execution of the malware in the newer version.
Figure 11 – Scheduled task
Additionally, the developers behind Latrodectus have added a new command in version 1.3. While version 1.1 had 11 commands, version 1.3 now includes 12 commands, as shown in the figure below, reflecting an enhancement in the malware’s functionality and capabilities.
Figure 12 – BOT command IDs
Conclusion
This sophisticated phishing campaign illustrates the growing complexity of cyber threats, with attackers employing deceptive tactics to compromise users. By mimicking a legitimate Google Safety Centre page and distributing a malicious file disguised as Google Authenticator, the attackers deploy two distinct types of malware—Latrodectus and ACR Stealer—with targeted malicious purposes.
ACR Stealer’s use of Dead Drop Resolver (DDR) to obscure its C&C server details highlights advanced evasion strategies. The continuous development of Latrodectus, including updated encryption and new commands, demonstrates the attackers’ persistent efforts to refine and enhance their malware.
Recommendations
- Always download Google Authenticator directly from official sources, such as the Google Play Store or the Apple App Store, to ensure you are getting the legitimate app and avoid phishing scams.
- This campaign reaches users via malicious Google ads. Users should be cautious when interacting with ads and verify the authenticity of links before clicking. Organizations should consider monitoring ad platforms for suspicious activity and employing advanced threat detection tools to identify and block phishing attempts.
- The TA has created a phishing site posing as Google Safety Centre. To protect yourself, verify the legitimacy of websites by scrutinizing URLs and avoiding suspicious links.
- Conduct training sessions to educate users on recognizing phishing attempts and the risks of downloading files from untrusted sources. Emphasize the importance of verifying the legitimacy of websites and links before interaction.
- Use network security tools to monitor and block communications with known Command and Control (C&C) servers. Implement firewalls and intrusion detection systems to detect and prevent unauthorized access.
- Enable MFA on all accounts to add an extra layer of security and reduce the risk of unauthorized access even if credentials are compromised.
- Develop and maintain an incident response plan to quickly address and mitigate the impact of malware infections. Regularly test and update the plan to ensure effectiveness.
MITRE ATT&CK® Techniques
| Tactic | Technique | Procedure |
| Initial Access (TA0001) | Phishing (T1566) | Phishing website hosted a malicious binary as a legitimate application |
| Defense Evasion(TA0005) | Obfuscated Files or Information: Software Packing (T1027.002) | Payload is encrypted inside the Resource section |
| Execution (TA0002) | Native API (T1106) | The NtCreateUserProcess() API is used to create a child process |
| Execution, Persistence, Privilege Escalation | Scheduled Task/Job: Scheduled Task (T1053.005) | Sets scheduled tasks using COM Object |
| Defense Evasion (TA0005) | Indicator Removal: File Deletion (T1070.004) | Deletes itself from Temp dir |
| Defense Evasion (TA0005) | Obfuscated Files or Information: Dynamic API Resolution (T1027.007) | Loads DLLs during runtime |
| Discovery(TA0007) | System Information Discovery (T1082) | Checks for Windows version and running processes |
| Command and Control (TA0011) | Application Layer Protocol: Web Protocols (T1071.001) | Communicates to C&C over HTTP |
| Collection (TA0009) | Automated Collection (T1119) | Collects Cryptocurrency wallet information |
| Credential Access (TA0006) | Credentials from Password Stores: Credentials from Web Browsers (T1555.003) | Tries to collect credentials from browsers |
| Credential Access (TA0006) | Credentials from Password Stores: Password Managers (T1555.005) | Tries to steal credentials from password managers |
Indicators Of Compromise
| Indicators | Indicator Type | Description |
| 62536e1486be7e31df6c111ed96777b9e3f2a912a2d7111253ae6a5519e71830 | SHA-256 | GoogleAuthSetup.exe |
| 81bc69a33b33949809d630e4fa5cdb89d8c60cf0783f447680c3677cae7bb9bb | SHA-256 | Latrodectus |
| 532c9bc2e30150bef61a050386509dd5f3c152688898f6be616393f10b9262d3 | SHA-256 | ACR Stealer |
| hxxps://spikeliftall[.]com/live/ | URL | C&C of Latrodectus |
| hxxps://godfaetret[.]com/live/ | URL | C&C of Latrodectus |
| hxxps://geotravelsgi.xyz/ujs/2ae977f4-db12-4876-9e4d-fc8d1778842d | URL | Config file of ACR Stealer |
| googleaauthenticator.com | Domain | Phishing Site |
The post Double Trouble: Latrodectus and ACR Stealer observed spreading via Google Authenticator Phishing Site appeared first on Cyble.
React to this headline:
