Double Trouble: Latrodectus And ACR Stealer Observed Spreading Via Google Authenticator Phishing Site
Aug. 20, 2024, 9:25 a.m.
Tags
External References
Description
The Cyble Research and Intelligence Lab (CRIL) identified a phishing website that impersonates the Google Safety Centre and lures visitors into downloading a fake Google Authenticator installer (GoogleAuthSetup.exe in the indicators below). The executable drops two payloads: Latrodectus, which establishes persistence and collects user and system data, and ACR Stealer, which hides the address of its command-and-control server behind a Dead Drop Resolver (a page on a legitimate public web service that the malware fetches to obtain the real C2 address, so the binary itself never contains it). Latrodectus is under active development; the analysed sample carries updated encryption keys and new backdoor commands.
Date
Published: Aug. 20, 2024, 9:06 a.m.
Created: Aug. 20, 2024, 9:06 a.m.
Modified: Aug. 20, 2024, 9:25 a.m.
Indicators
c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0
81bc69a33b33949809d630e4fa5cdb89d8c60cf0783f447680c3677cae7bb9bb
62536e1486be7e31df6c111ed96777b9e3f2a912a2d7111253ae6a5519e71830
532c9bc2e30150bef61a050386509dd5f3c152688898f6be616393f10b9262d3
a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
https://webipanalyzer.com/GoogleAuthSetup.exe
https://spikeliftall.com/live/
https://godfaetret.com/live/
https://geotravelsgi.xyz/ujs/2ae977f4-db12-4876-9e4d-fc8d1778842d
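The indicators above are only useful once they are swept against telemetry. The following script is an added example, not code from the Cyble report: it loads the page's own SHA-256 hashes and URLs, then checks constructed sample proxy log lines and file hashes against them. Matching is done on the exact URL and, separately, on the hostname (including subdomains, case-insensitively), so a hit on a sibling path of a known C2 domain is still surfaced. The log format and the sample data are assumptions for illustration.

```python
"""IOC sweep for the Latrodectus / ACR Stealer indicators listed above.

Added example, not code from the Cyble report. The hashes and URLs are
the page's own; the proxy log lines and observed file hashes below are
CONSTRUCTED sample data, not real telemetry.
"""
import re
from urllib.parse import urlparse

# SHA-256 hashes from the Indicators section (compared lower-cased).
IOC_SHA256 = {
    "c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0",
    "81bc69a33b33949809d630e4fa5cdb89d8c60cf0783f447680c3677cae7bb9bb",
    "62536e1486be7e31df6c111ed96777b9e3f2a912a2d7111253ae6a5519e71830",
    "532c9bc2e30150bef61a050386509dd5f3c152688898f6be616393f10b9262d3",
    "a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91",
    "9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507",
}

# URLs from the Indicators section.
IOC_URLS = [
    "https://webipanalyzer.com/GoogleAuthSetup.exe",
    "https://spikeliftall.com/live/",
    "https://godfaetret.com/live/",
    "https://geotravelsgi.xyz/ujs/2ae977f4-db12-4876-9e4d-fc8d1778842d",
]

def ioc_domain(url: str) -> str:
    """Hostname of an indicator URL; urlparse already lower-cases it."""
    return urlparse(url).hostname

IOC_DOMAINS = {ioc_domain(u) for u in IOC_URLS}

# Assumed minimal proxy line: "<timestamp> <client> <method> <url> <status>"
PROXY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

def match_proxy_logs(lines):
    """Return (client, url, reason) for each line touching an IOC.

    reason is "exact-url" for a full URL match, "domain" for a hostname or
    subdomain match. Lines that do not parse are skipped, not raised on.
    """
    hits = []
    for line in lines:
        m = PROXY_RE.match(line.strip())
        if not m:
            continue
        url = m.group("url")
        host = urlparse(url).hostname  # None for malformed URLs
        if host is None:
            continue
        if url in IOC_URLS:
            hits.append((m.group("client"), url, "exact-url"))
        elif host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
            hits.append((m.group("client"), url, "domain"))
    return hits

def match_hashes(observed):
    """Return the sorted subset of observed SHA-256 values (any case) that are IOCs."""
    candidates = {h.strip().lower() for h in observed if len(h.strip()) == 64}
    return sorted(candidates & IOC_SHA256)

# Constructed sample telemetry (not real): one host fetches the lure, beacons
# to a C2 path, and touches a subdomain of a listed domain; another is clean.
SAMPLE_PROXY_LOG = [
    "2024-08-19T10:01:02Z 10.0.4.21 GET https://www.google.com/search?q=authenticator 200",
    "2024-08-19T10:01:40Z 10.0.4.21 GET https://webipanalyzer.com/GoogleAuthSetup.exe 200",
    "2024-08-19T10:03:15Z 10.0.4.21 POST https://spikeliftall.com/live/ 200",
    "2024-08-19T10:03:50Z 10.0.4.21 GET https://cdn.GEOTRAVELSGI.xyz/ujs/other 404",
    "2024-08-19T10:05:00Z 10.0.7.9 GET https://example.org/ 200",
]
SAMPLE_FILE_HASHES = [
    "C67B03C0A91EAEFFFD2F2C79B5C26A2648B8D3C19A22CADF35453455FF08EAD0",
    "0000000000000000000000000000000000000000000000000000000000000000",
]

def sweep(proxy_lines, file_hashes):
    """Run both checks and return a dict suitable for a ticket or SIEM alert."""
    return {
        "network_hits": match_proxy_logs(proxy_lines),
        "hash_hits": match_hashes(file_hashes),
    }

if __name__ == "__main__":
    result = sweep(SAMPLE_PROXY_LOG, SAMPLE_FILE_HASHES)
    for client, url, reason in result["network_hits"]:
        print(f"[net] {client} -> {url} ({reason})")
    for h in result["hash_hits"]:
        print(f"[file] known-bad SHA-256 {h}")
```

Hostname matching deliberately includes subdomains because the listed C2 domains are attacker-controlled; the exact-URL match is kept separately so an analyst can distinguish the initial lure download from later beaconing. For production use, feed the output into a watchlist rather than comparing in memory, and add the indicator's source and date so stale IOCs can be retired.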
Attack Patterns
Malware:
ACR Stealer
Latrodectus
MITRE ATT&CK techniques:
T1566 Phishing
T1027.002 Obfuscated Files or Information: Software Packing
T1106 Native API
T1053.005 Scheduled Task/Job: Scheduled Task
T1082 System Information Discovery
T1555.003 Credentials from Password Stores: Credentials from Web Browsers
T1555.005 Credentials from Password Stores: Password Managers
T1119 Automated Collection
T1071.001 Application Layer Protocol: Web Protocols
T1070.004 Indicator Removal: File Deletion
Vulnerabilities referenced (listed without a stated link to this campaign):
CVE-2017-11882 (Microsoft Office Equation Editor memory corruption)
CVE-2024-21412 (Windows Internet Shortcut Files SmartScreen bypass)
CVE-2024-21893 (Ivanti Connect Secure / Policy Secure SSRF)
CVE-2024-21887 (Ivanti Connect Secure / Policy Secure command injection)
CVE-2023-46805 (Ivanti Connect Secure / Policy Secure authentication bypass)
CVE-2021-44228 (Apache Log4j 2 remote code execution, Log4Shell)