“Double Threat: Latrodectus and ACR Stealer Distributing Through Google Authenticator Phishing Site”

Short Summary

Cyble Research and Intelligence Lab (CRIL) has uncovered a sophisticated phishing campaign that uses a fake Google Safety Centre page to distribute malicious software. The phishing site tricks users into downloading a file disguised as Google Authenticator, which actually installs two types of malware: Latrodectus and ACR Stealer. These malware variants aim to compromise user security and exfiltrate sensitive information, employing advanced evasion techniques to avoid detection.

Key Points

  • Phishing Campaign: A fraudulent website mimicking Google Safety Centre is used to deceive users.
  • Malware Distribution: Users are tricked into downloading a malicious file named “GoogleAuthSetup.exe.”
  • Malware Types: The downloaded file installs two malware variants: Latrodectus and ACR Stealer.
  • ACR Stealer: Uses Dead Drop Resolver (DDR) to hide its Command and Control (C&C) server details.
  • Latrodectus: Actively developed with updated encryption and new commands for enhanced capabilities.
  • Infection Chain: The malware operates stealthily, displaying fake error messages to mislead victims.
  • Targeted Applications: ACR Stealer targets various applications, including web browsers and password managers.
  • Recommendations: Users should download apps only from official sources and be cautious with ads.

MITRE ATT&CK TTPs – created by AI

  • Phishing (T1566)
    • Phishing website hosted a malicious binary as a legitimate application
  • Obfuscated Files or Information: Software Packing (T1027.002)
    • Payload is encrypted inside the Resource section
  • Native API (T1106)
    • The NtCreateUserProcess() API is used to create a child process
  • Scheduled Task/Job: Scheduled Task (T1053.005)
    • Sets scheduled tasks using COM Object
  • Indicator Removal: File Deletion (T1070.004)
    • Deletes itself from Temp dir
  • Obfuscated Files or Information: Dynamic API Resolution (T1027.007)
    • Loads DLLs during runtime
  • System Information Discovery (T1082)
    • Checks for Windows version and running processes
  • Application Layer Protocol: Web Protocols (T1071.001)
    • Communicates to C&C over HTTP
  • Automated Collection (T1119)
    • Collects Cryptocurrency wallet information
  • Credentials from Password Stores: Credentials from Web Browsers (T1555.003)
    • Tries to collect credentials from browsers
  • Credentials from Password Stores: Password Managers (T1555.005)
    • Tries to steal credentials from password managers

CybleBlogs

Key Takeaways  

  • Cyble Research and Intelligence Lab (CRIL) has identified a sophisticated phishing website masquerading as an official Google Safety Centre page. 
  • The phishing site’s primary goal is to deceive users into downloading a file that purports to be Google Authenticator. In reality, this file is a malicious application designed to install additional malicious software on the victim’s system. 
  • The malicious file drops two distinct types of malware: Latrodectus and ACR Stealer. Each of these malware components has its own set of functionalities aimed at compromising the victim’s security and extracting sensitive information. 
  • The ACR Stealer employs Dead Drop Resolver (DDR) to obscure its Command and Control (C&C) server details, embedding this information within seemingly innocuous locations or platforms. By disguising the C&C details, the malware enhances its stealth and reduces the likelihood of detection 
  • Latrodectus shows signs of active development, as evidenced by updates to its encryption key pattern and the introduction of new commands.  
  • This ongoing development suggests that the Threat Actor (TA) is continuously enhancing the Latrodectus malware to add new features and capabilities, reflecting an effort to adapt and evade detection. 

Overview 

Cyble Research and Intelligence Labs (CRIL) recently discovered a phishing site—“googleaauthenticator[.]com”—cleverly crafted to resemble an official Google Safety Centre. The website’s design mimics the authentic appearance of a legitimate Google service, aiming to deceive users into believing they are visiting the  Google genuine service, as shown below. 

Figure 1 – Phishing Webpage 

Upon further investigation, it became evident that the TAs behind this phishing campaign are distributing two types of malware: a recently identified strain called Latrodectus and the notorious ACR Stealer. The fraudulent site serves as a conduit for these malicious payloads, leveraging the trust and familiarity of Google’s branding to lure unsuspecting victims into downloading and executing the malware.  

Recently, researchers uncovered a similar campaign where attackers used  

Google Ads to distribute an information-stealing malware known as “Deer Stealer.” They also identified that TAs were misusing Google Ads to promote links to phishing sites. CRIL also suspects that the TA behind this campaign is utilizing Google Ads to promote phishing links. 

When the user clicks on the “Download Authenticator” button in the phishing site, it downloads an executable named “GoogleAuthSetup.exe” from “hxxps://webipanalyzer[.]com/GoogleAuthSetup.exe“. When the user runs the downloaded file, it displays a deceptive “Unable to Install” message. Meanwhile, in the background, it silently downloads ACR Stealer and Latrodectus to the %temp% directory and then executes them.  

While the ACR Stealer gathers sensitive information from the victim and transmits it to a command and control (C&C) server, the Latrodectus uses evasion techniques to maintain persistence on the victim’s machine. It also collects user information and sends it to the command-and-control server (C&C) to conduct other malicious activities.  

The figure below shows the infection chain of this campaign. 

Figure 2 – Infection Chain 

Technical Analysis 

The downloaded file, “GoogleAuthSetup.exe,” functions as a loader and is digitally signed. As shown in Figure 3, the signature is valid as of the time of this analysis.  

Figure 3 – Digital Signature information 

Figure 4 shows that the loader file’s RCData section contains encrypted payloads as well as the key required for their decryption.  

Figure 4 – RCData 

Upon execution, the malware loads the encrypted resource contents using the LoadResource() API, decrypts them, saves them to the %temp% directory, and then executes the decrypted executable files using SYSCALL “NtCreateUserProcess.” The figure below shows the decrypted content saved in the %temp% location. 

Figure 5 – Writing files to the %temp% directory 

Subsequently, the TA takes an additional step to enhance the deception and obfuscate their activities. They display a fake error message to the victim. This message is designed to mislead the user into believing that the application they downloaded was legitimate but encountered a technical problem during installation. 

Figure 6 – Fake error message 

The decrypted payloads are identified as Latrodectus and ACR Stealer. When executed from the %temp% directory, Latrodectus checks whether it is running from the %appdata% directory. If not, it copies itself to %appdata%, executes from there, and then terminates its process from the %temp% location.   

Figure 7 – Process Tree 

ACR Stealer 

Upon execution, the ACR Stealer, identified by its SHA-256 hash value 532c9bc2e30150bef61a050386509dd5f3c152688898f6be616393f10b9262d3, initiates a process to exfiltrate sensitive information from the victim’s machine. To facilitate communication with its command and control (C&C) server while avoiding detection, ACR Stealer employs a technique known as Dead Drop Resolver (DDR).  

DDR is a method used to obscure and hide the true location of the C&C server by embedding this information within seemingly benign or legitimate platforms. In this case, ACR Stealer utilizes the Steam Community website as a cover for its C&C details, as shown in Figure 8.  

By disguising the C&C server information within the Steam Community platform, the malware takes advantage of the website’s legitimate status to evade detection by security tools and researchers.  

Figure 8 – Dead Drop Resolver 

The ACR Stealer retrieves the C2 details and constructs a specific URL to download the encrypted configuration file from “hxxps://geotravelsgi[.]xyz/ujs/2ae977f4-db12-4876-9e4d-fc8d1778842d ” It then decrypts the configuration file. The decrypted configuration contains information about the targeted applications and their details. The table below shows the applications targeted by ACR Stealer. 

Category  Application Names  
Web Browser  Google Chrome Canary, Epic Privacy Browser, Microsoft Edge, Nichrome, Opera Stable, Google Chrome Dev, Google Chrome Beta, Google Chrome SxS, Vivaldi, Mozilla Firefox, Opera GX Stable, Coowon, QIP Surf, Kometa, Torch, 360Browser, K-Melon, Orbitum, Elements Browser, CocCoc Browser, Brave-Browser, Google Chrome Unstable, CatalinaGroup Citrio, CentBrowser, TorBro, MapleStudio ChromePlus, Amigo, Google Chrome, BlackHawk, Chromium, liebao, Chromodo, Maxthon3, Opera Neon, uCozMedia Uran, Chedot, Uran 
Email Client  Mailbird, Pocomail, yMail2, The Bat!, eM Client, Thunderbird, Opera Mail, TrulyMail, PMAIL 
FTP Client  FileZilla, NetDrive, FTPGetter, BlazeFtp, Steed, FTP Now, Estsoft ALFTP, BitKinex, DeluxeFTP, UltraFXP, INSoftware NovaFTP, FTPBox, GoFTP, Notepad++ plugins NppFTP 
Cryptocurrency Wallet  Electrum, Bitcoin, Daedalus Mainnet, Litecoin, Monero, Electrum-LTC, Authy Desktop, Zcash, Exodus, Anoncoin, BBQCoin, Guarda, GoldCoin (GLD), DashCore, Ethereum, YACoin, Coinomi, Armory, Digitalcoin, MultiDoge, Atomic, Namecoin, Florincoin, Freicoin, Terracoin, Dogecoin, GInfinitecoin, IOCoin, Franko, devcoin, ElectronCash, Binance, WalletWasabi, Mincoin, Megacoin 
Messenger  WhatsApp, Psi, Tox, Signal, Psi+, Telegram, Pidgin 
VPN  AzireVPN, NordVPN 
Password Manager  1Password, RoboForm, Bitwarden, NordPass 
Other Applications  GmailNotifierPro, To-Do DeskList, MySQL Workbench, AnyDesk, GHISLER, snowflake-ssh, Sticky Notes, Conceptworld’s Notezilla 

Latrodectus  

In October 2023, Walmart researchers published a blog about a malware named Latrodectus. Subsequently, this variant was analysed and discussed by other researchers at Proofpoint and Elastic. Latrodectus is a downloader that can execute commands received from a Command & Control (C&C) server. Researchers have also confirmed that it was developed by the creators of IcedID. Most of the Latrodectus behaviors observed in this campaign show similarities to those in previous campaigns. In this section, we summarize only the changes observed in the Latrodectus version 1.3. 

Like the previous campaign, the initial Command & Control (C&C) communication from the victim’s machine, which is base64 encoded and RC4 encrypted, is depicted in the figure below. 

Figure 9 – C&C Communication 

In this version, the TA has used a random string “1SJUf0qxxRVHjgWtVJDajSnFbT2glz9jy7qZE0au0MZPX3HOmf” as the key for encrypting the Command & Control (C&C) communication. In previous versions, the key used for encryption was “12345.” The figure below shows the decrypted content of its C&C communication using CyberChef. 

Figure 10 – decrypted content 

In version 1.3 of Latrodectus, the scheduled task created is configured to launch the malicious file every 10 minutes. In contrast, version 1.1 utilized a task scheduler set to execute the malicious file only at logon. This change in scheduling frequency indicates a shift towards more persistent and frequent execution of the malware in the newer version. 

Figure 11 – Scheduled task 

Additionally, the developers behind Latrodectus have added a new command in version 1.3. While version 1.1 had 11 commands, version 1.3 now includes 12 commands, as shown in the figure below, reflecting an enhancement in the malware’s functionality and capabilities. 

Figure 12 – BOT command IDs 

Conclusion 

This sophisticated phishing campaign illustrates the growing complexity of cyber threats, with attackers employing deceptive tactics to compromise users. By mimicking a legitimate Google Safety Centre page and distributing a malicious file disguised as Google Authenticator, the attackers deploy two distinct types of malware—Latrodectus and ACR Stealer—with targeted malicious purposes.  

ACR Stealer’s use of Dead Drop Resolver (DDR) to obscure its C&C server details highlights advanced evasion strategies. The continuous development of Latrodectus, including updated encryption and new commands, demonstrates the attackers’ persistent efforts to refine and enhance their malware. 

Recommendations 

  • Always download Google Authenticator directly from official sources, such as the Google Play Store or the Apple App Store, to ensure you are getting the legitimate app and avoid phishing scams. 
  • This campaign reaches users via malicious Google ads. Users should be cautious when interacting with ads and verify the authenticity of links before clicking. Organizations should consider monitoring ad platforms for suspicious activity and employing advanced threat detection tools to identify and block phishing attempts. 
  • The TA has created a phishing site posing as Google Safety Centre. To protect yourself, verify the legitimacy of websites by scrutinizing URLs and avoiding suspicious links.  
  • Conduct training sessions to educate users on recognizing phishing attempts and the risks of downloading files from untrusted sources. Emphasize the importance of verifying the legitimacy of websites and links before interaction. 
  • Use network security tools to monitor and block communications with known Command and Control (C&C) servers. Implement firewalls and intrusion detection systems to detect and prevent unauthorized access. 
  • Enable MFA on all accounts to add an extra layer of security and reduce the risk of unauthorized access even if credentials are compromised. 
  • Develop and maintain an incident response plan to quickly address and mitigate the impact of malware infections. Regularly test and update the plan to ensure effectiveness. 

MITRE ATT&CK® Techniques 

Tactic  Technique  Procedure 
Initial Access (TA0001 Phishing (T1566 Phishing website hosted a malicious binary as a legitimate application 
Defense Evasion(TA0005)   Obfuscated Files or Information: Software Packing (T1027.002 Payload is encrypted inside the Resource section 
Execution (TA0002 Native API (T1106 The NtCreateUserProcess() API is used to create a child process  
Execution, Persistence, Privilege Escalation  Scheduled Task/Job: Scheduled Task (T1053.005 Sets scheduled tasks using COM Object  
Defense Evasion (TA0005 Indicator Removal: File Deletion (T1070.004 Deletes itself from Temp dir 
Defense Evasion (TA0005 Obfuscated Files or Information: Dynamic API Resolution (T1027.007 Loads DLLs during runtime 
Discovery(TA0007 System Information Discovery (T1082 Checks for Windows version and running processes 
Command and Control (TA0011)   Application Layer Protocol: Web Protocols (T1071.001 Communicates to C&C over HTTP 
Collection (TA0009 Automated Collection (T1119 Collects Cryptocurrency wallet information 
Credential Access (TA0006 Credentials from Password Stores: Credentials from Web Browsers (T1555.003 Tries to collect credentials from browsers 
Credential Access (TA0006 Credentials from Password Stores: Password Managers (T1555.005 Tries to steal credentials from password managers 

Indicators Of Compromise 

Indicators  Indicator Type  Description 
62536e1486be7e31df6c111ed96777b9e3f2a912a2d7111253ae6a5519e71830  SHA-256  GoogleAuthSetup.exe 
81bc69a33b33949809d630e4fa5cdb89d8c60cf0783f447680c3677cae7bb9bb  SHA-256   Latrodectus 
532c9bc2e30150bef61a050386509dd5f3c152688898f6be616393f10b9262d3  SHA-256   ACR Stealer 
hxxps://spikeliftall[.]com/live/  URL  C&C of Latrodectus 
hxxps://godfaetret[.]com/live/  URL  C&C of Latrodectus 
hxxps://geotravelsgi.xyz/ujs/2ae977f4-db12-4876-9e4d-fc8d1778842d URL  Config file of ACR Stealer 
googleaauthenticator[.]com  Domain  Phishing Site 

References

https://www.malwarebytes.com/blog/news/2024/07/threat-actor-impersonates-google-via-fake-ad-for-authenticator
https://medium.com/walmartglobaltech/icedid-gets-loaded-af073b7b6d39
https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice
https://www.elastic.co/security-labs/spring-cleaning-with-latrodectus
https://www.fortinet.com/blog/threat-research/exploiting-cve-2024-21412-stealer-campaign-unleashed

The post Double Trouble: Latrodectus and ACR Stealer observed spreading via Google Authenticator Phishing Site  appeared first on Cyble.