Double Trouble: Latrodectus And ACR Stealer Observed Spreading Via Google Authenticator Phishing Site
Aug. 20, 2024, 9:25 a.m.
Description
The Cyble Research and Intelligence Lab (CRIL) discovered a sophisticated phishing website mimicking Google Safety Centre, designed to trick users into downloading malware. The downloaded malware compromises the victim's security and steals sensitive information; it drops two threats: Latrodectus, which maintains persistence and collects user data, and ACR Stealer, which uses a Dead Drop Resolver to obscure its Command and Control server. Latrodectus shows ongoing development, with encryption key updates and new commands.
Tags
Date
- Created: Aug. 20, 2024, 9:06 a.m.
- Published: Aug. 20, 2024, 9:06 a.m.
- Modified: Aug. 20, 2024, 9:25 a.m.
Indicators
- c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0
- 81bc69a33b33949809d630e4fa5cdb89d8c60cf0783f447680c3677cae7bb9bb
- 62536e1486be7e31df6c111ed96777b9e3f2a912a2d7111253ae6a5519e71830
- 532c9bc2e30150bef61a050386509dd5f3c152688898f6be616393f10b9262d3
- a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
- 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
- https://webipanalyzer.com/GoogleAuthSetup.exe
- https://spikeliftall.com/live/
- https://godfaetret.com/live/
- https://geotravelsgi.xyz/ujs/2ae977f4-db12-4876-9e4d-fc8d1778842d
- spikeliftall.com
- webipanalyzer.com
- googleaauthenticator.com
- geotravelsgi.xyz
- godfaetret.com
Attack Patterns
- ACR Stealer
- Latrodectus
- T1555.005
- T1053.005
- T1119
- T1555.003
- T1027.002
- T1071.001
- T1070.004
- T1106
- T1082
- T1566