Researchers from ANY.RUN identified a malware distribution campaign dubbed DeerStealer that leverages deceptive websites masquerading as legitimate Google Authenticator download pages.
The initially discovered website, “authentificcatorgoolglte[.]com,” closely resembles the authentic Google page “safety.google/intl/en_my/cybersecurity-advancements,” presumably to trick users into believing it’s a genuine source for the application.
Clicking the “Download” button on this fake website triggers a two-fold malicious action: first, it transmits the visitor’s IP address and country information to a Telegram bot, likely for tracking and potential victim identification.
Second, instead of downloading the actual Google Authenticator app, the website redirects users to a malicious file hosted on GitHub at the repository “github[.]com/ggle24/ggle2.”
That file likely contains the DeerStealer malware itself, disguised as a legitimate application. Once downloaded and executed, DeerStealer can potentially steal sensitive user data without the user’s knowledge.
On June 19, 2024, user “fedor_emeliyanenko_bog” launched the Telegram bot Tuc-tuc, which started logging messages that included the originating site and allowed for the extraction of active phishing sites connected to this campaign.
Researchers have identified a list of domains associated with these phishing attacks by analyzing the chat history.
The Delphi-based stealer, downloaded from GitHub, carries its malicious payload inside a Reedcode-signed file. The payload employs obfuscation to conceal its actions, including API calls wrapped in functions that retrieve the target address from a global variable and transfer control with JMP RAX.
Additional obfuscation comes from numerous obscured constants within the code, complicating analysis. The payload runs directly in memory without creating a persistent file on the system.
The analyzed sample in ANY.RUN exhibits the communication characteristics of a potential client connecting to a Command and Control (C2) server.
The sample initiates communication by sending a POST request containing the device’s hardware ID (HWID) to the “paradiso4.fun” domain, which likely serves for authentication or registration purposes.
Following the server’s response, the sample transmits data in subsequent one-way POST requests, suggesting a potential data exfiltration attempt or reporting functionality to the C2 server.
Analysis of the sent data reveals a high frequency of the byte 0xC, suggesting single-byte XOR encryption with a key of 0xC: because a zero byte XORed with the key yields the key itself, the most frequent byte in the ciphertext is usually the key when the plaintext contains many zero bytes.
Decryption using CyberChef successfully uncovers PKZip archives containing system information like hostnames, processor details, and running processes, confirming the encryption method and indicating potential data exfiltration or system monitoring activities.
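The key-recovery and decryption steps described above, as an added Python example (not code from ANY.RUN or from the report): the most frequent ciphertext byte is taken as the XOR key, the guess is confirmed by checking for a PKZip local-file-header signature, and the archive is then opened. The sample blob, hostname and process names are constructed here, and the 256-key fallback is an added safeguard for captures with too few zero bytes.

```python
import io
import zipfile
from collections import Counter
from typing import Dict, Optional

ZIP_MAGIC = b"PK\x03\x04"  # PKZip local file header signature


def guess_key_by_frequency(data: bytes) -> int:
    # Most frequent ciphertext byte: 0x00 XOR key == key, so zero-heavy
    # plaintext (ZIP headers, padding) leaks the key directly.
    return Counter(data).most_common(1)[0][0]


def xor_decrypt(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def recover_xor_key(data: bytes) -> Optional[int]:
    # Validate the frequency guess against the PKZip magic; if the guess is
    # wrong (short capture, little padding), try all 256 single-byte keys.
    guess = guess_key_by_frequency(data)
    if xor_decrypt(data[:4], guess) == ZIP_MAGIC:
        return guess
    for k in range(256):
        if xor_decrypt(data[:4], k) == ZIP_MAGIC:
            return k
    return None


def extract_report(data: bytes) -> Dict[str, str]:
    # Decrypt a captured POST body and return {archive member: text}.
    key = recover_xor_key(data)
    if key is None:
        raise ValueError("no single-byte XOR key yields a PKZip header")
    with zipfile.ZipFile(io.BytesIO(xor_decrypt(data, key))) as zf:
        return {name: zf.read(name).decode() for name in zf.namelist()}


def build_sample(key: int = 0x0C) -> bytes:
    # Constructed stand-in for the exfiltrated data: a stored ZIP holding a
    # fake system report, XORed with `key`. Not real DeerStealer traffic.
    report = "\n".join([
        "hostname: WIN-LAB01",
        "cpu: Example CPU @ 3.0GHz",
        "processes: explorer.exe, svchost.exe, chrome.exe",
    ])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("sysinfo.txt", report)
    return xor_decrypt(buf.getvalue(), key)
```

Running `extract_report(build_sample())` recovers key 0x0C and returns the report text under `sysinfo.txt`.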
Researchers identified a YARA rule matching a DeerStealer sample, subsequently discovering two similar samples linked to the XFiles family, sharing the common tactic of using fake, legitimate software sites for distribution.
While DeerStealer is a compiled machine-code application, XFiles is a .NET-based malware. DeerStealer employs staged C2 communication, sending the HWID first and the data afterwards, unlike XFiles’ single POST request.
IOCs