Brief Overview of the DeerStealer Distribution Campaign

Aug. 2, 2024, 9:04 a.m.

Description

A recent cybersecurity investigation uncovered a distribution campaign for a malware family called DeerStealer. The malware was disseminated through counterfeit Google Authenticator websites that tricked visitors into downloading a malicious payload hosted on GitHub. Upon execution, the stealer collects system information, encrypts it with XOR, and sends it to a command-and-control server. Analysis suggests DeerStealer may be a rewritten version of the XFiles malware family: the two share some similarities but employ different techniques.

Date

Published: Aug. 2, 2024, 8:50 a.m.
Created: Aug. 2, 2024, 8:50 a.m.
Modified: Aug. 2, 2024, 9:04 a.m.

Indicators


Attack Patterns

Malware families: XFiles, DeerStealer

ATT&CK techniques: T1587.003, T1497.001, T1012, T1059.007, T1497, T1071.001, T1518.001, T1204.002, T1105