Double Trouble: Latrodectus And ACR Stealer Observed Spreading Via Google Authenticator Phishing Site

Aug. 20, 2024, 9:25 a.m.

Description

The Cyble Research and Intelligence Lab (CRIL) discovered a sophisticated phishing website mimicking Google Safety Centre, designed to trick users into downloading malware. The downloaded malware compromises the host and steals sensitive information by dropping two payloads: Latrodectus, which maintains persistence and collects user data, and ACR Stealer, which uses a Dead Drop Resolver to hide the location of its Command and Control (C2) server. Latrodectus shows signs of ongoing development, including encryption key updates and new commands.

Date

Published: Aug. 20, 2024, 9:06 a.m.
Created: Aug. 20, 2024, 9:06 a.m.
Modified: Aug. 20, 2024, 9:25 a.m.

Indicators


Attack Patterns

Malware families: ACR Stealer, Latrodectus

MITRE ATT&CK techniques: T1555.005, T1053.005, T1119, T1555.003, T1027.002, T1071.001, T1070.004, T1106, T1082, T1566

CVEs: CVE-2017-11882, CVE-2024-21412, CVE-2024-21893, CVE-2024-21887, CVE-2023-46805, CVE-2021-44228