A recent investigation by Cyble Research and Intelligence Lab (CRIL) revealed a new phishing scheme employed by Latrodectus and ACR Stealer.
This campaign involves a fraudulent website designed to mimic Google Safety Centre, aiming to deceive users into downloading malware masquerading as Google Authenticator. The malicious software delivered through this phishing site includes two notable threats: Latrodectus and ACR Stealer.
CRIL’s analysis reveals a sophisticated phishing operation leveraging a site, “googleaauthenticator[.]com,” closely resembling the genuine Google Safety Centre. The site’s objective is to trick users into downloading what appears to be a legitimate Google Authenticator app.
However, this file is actually a malicious executable that installs both Latrodectus and ACR Stealer on the victim’s system.
Decoding the Latrodectus and ACR Stealer Campaigns
Latrodectus and ACR Stealer are distinct types of malware each with specific functions intended to compromise security. ACR Stealer employs a technique known as the Dead Drop Resolver (DDR) to hide its Command and Control (C&C) server details.
It embeds this information in seemingly harmless places, like the Steam Community site, to evade detection. Latrodectus, on the other hand, shows signs of active development, including updates to its encryption methods and the addition of new commands, suggesting ongoing refinement and increased sophistication.
The phishing site uses Google’s trusted branding to lure users into downloading a file named “GoogleAuthSetup.exe” from “hxxps://webipanalyzer[.]com/GoogleAuthSetup.exe.” Despite displaying a misleading “Unable to Install” error message, the file silently installs ACR Stealer and Latrodectus in the background.
Once activated, ACR Stealer exfiltrates sensitive information to its C&C server, while Latrodectus maintains persistence on the victim’s machine and conducts further malicious activities.
Technical Analysis of Latrodectus and ACR Stealer Campaigns
The downloaded file acts as a loader, digitally signed to appear legitimate. It utilizes encryption to obscure the payloads, which are decrypted and saved to the %temp% directory upon execution. Latrodectus and ACR Stealer are then activated from this directory.
The loader’s fake error message is designed to mislead users, making them believe the installation failed while the malware operates covertly.
Latrodectus is programmed to check if it’s running from the %appdata% directory; if not, it copies itself there and runs from this more secure location. Meanwhile, ACR Stealer, identified by its SHA-256 hash, starts a process to extract sensitive data and communicates with its C&C server via DDR.
This method obscures the server’s location by embedding it in legitimate platforms.
Recent Developments and Recommendations
In October 2023, researchers from Walmart highlighted Latrodectus in a blog post, noting its similarity to the IcedID malware. Updates to Latrodectus include changes to its encryption key and an increase in its command set from 11 to 12. The malware’s new version also features a more aggressive execution schedule, running every 10 minutes compared to previous versions that executed only at logon.
This phishing attack demonstrates the increasing complexity and sophistication of cyber threats. By imitating a trusted Google service and deploying Latrodectus and ACR Stealer, the attackers are employing advanced tactics to exploit user trust and compromise sensitive information.
To protect against such attacks, users should only download Google Authenticator from official sources like the Google Play Store or Apple App Store. They should be cautious of ads and verify links before clicking. Organizations should monitor ad platforms for suspicious activity and use advanced threat detection tools to identify phishing attempts.
It’s also crucial to verify website URLs, conduct user training on phishing recognition, and implement robust network security measures.