
Latrodectus and ACR Stealer Exploits Google Authenticator


A new phishing scheme orchestrated by Latrodectus and ACR Stealer has been unearthed in a recent investigation conducted by Cyble Research and Intelligence Lab (CRIL). The modus operandi of this malicious campaign involves a fraudulent website posing as the Google Safety Centre to lure unsuspecting users into downloading malware disguised as the Google Authenticator app. The malware deployed through this phishing site includes two notorious threats: Latrodectus and ACR Stealer.

CRIL’s analysis of this elaborate phishing operation unveiled a website named “googleaauthenticator[.]com” that closely imitates the authentic Google Safety Centre. The primary goal of this site is to deceive users into downloading what appears to be a legitimate Google Authenticator app. However, the file actually contains a malicious executable that installs both Latrodectus and ACR Stealer on the victim’s system.

Latrodectus and ACR Stealer are distinct malware families, each playing its own role in the compromise. ACR Stealer uses a technique called Dead Drop Resolver (DDR) to conceal its Command and Control (C&C) server details: instead of hard-coding the address, it embeds the details in an inconspicuous location on a legitimate platform, such as a Steam Community page, and reads them back at run time. Latrodectus, on the other hand, shows signs of ongoing development, with updates to its encryption methods and the introduction of new commands, indicating continuous refinement and growing sophistication.

The phishing site leverages Google’s well-known branding to entice users into downloading a file named “GoogleAuthSetup.exe” from “hxxps://webipanalyzer[.]com/GoogleAuthSetup.exe.” Despite showing a misleading “Unable to Install” error message, the file covertly installs ACR Stealer and Latrodectus on the victim’s system. Once activated, ACR Stealer exfiltrates sensitive information to its C&C server, while Latrodectus establishes persistence on the victim’s machine to carry out further malicious activities.

A technical analysis of the Latrodectus and ACR Stealer campaigns reveals that the downloaded file acts as a loader, digitally signed to appear legitimate. This loader employs encryption to obfuscate the payloads, which are decrypted and stored in the %temp% directory upon execution, from where Latrodectus and ACR Stealer are activated. The fake error message displayed by the loader is designed to mislead users into believing that the installation failed while the malware operates surreptitiously.

Latrodectus checks whether it is already running from the %appdata% directory and, if not, copies itself there, the persistence step that lets it survive on the host. Meanwhile, ACR Stealer resolves its C&C server via DDR and exfiltrates sensitive data to it, hiding the server’s location by embedding it in content hosted on legitimate platforms.
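The two staging locations the article names, %temp% for the decrypted payloads and %appdata% for the Latrodectus copy, are worth hunting in. The following is an added defender-side example, not code from the article or from CRIL: it flags recently written files in those directories that carry a PE (MZ/PE) header, regardless of their extension. The directory names are taken from the environment; the sample entries, paths and timestamps are constructed for illustration.

```python
import os
import time

# Staging directories named in the article: the loader drops decrypted payloads into %temp%,
# and Latrodectus copies itself into %appdata%. Resolved from the environment at run time.
STAGING_DIRS = [os.environ.get("TEMP", ""), os.environ.get("APPDATA", "")]


def is_pe_image(head: bytes) -> bool:
    """Return True if the first bytes of a file form a DOS stub pointing at a PE header."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(head[0x3C:0x40], "little")  # offset of the "PE\0\0" signature
    return head[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def triage_entries(entries, now, max_age_seconds=3600):
    """entries: iterable of (path, mtime, head_bytes).

    Returns the paths of PE images modified within max_age_seconds of `now`.
    Extension is deliberately ignored so renamed payloads (e.g. .bin, .dat) are still caught.
    """
    flagged = []
    for path, mtime, head in entries:
        if now - mtime <= max_age_seconds and is_pe_image(head):
            flagged.append(path)
    return flagged


def scan_dirs(dirs=STAGING_DIRS, now=None, max_age_seconds=3600):
    """Walk the real staging directories and feed triage_entries (reads the first 1 KiB of each file)."""
    now = time.time() if now is None else now

    def entries():
        for d in dirs:
            if not d or not os.path.isdir(d):
                continue
            for root, _, files in os.walk(d):
                for name in files:
                    p = os.path.join(root, name)
                    try:
                        st = os.stat(p)
                        with open(p, "rb") as fh:
                            head = fh.read(1024)
                    except OSError:
                        continue  # locked or vanished file; skip rather than abort the sweep
                    yield p, st.st_mtime, head

    return triage_entries(entries(), now, max_age_seconds)


# Constructed sample data (not real artefacts): a minimal DOS/PE header stub, a text file,
# and an old executable that should fall outside the recency window.
MINIMAL_PE_HEAD = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\0" * 20
SAMPLE_NOW = 1_720_000_000
SAMPLE_ENTRIES = [
    (r"C:\Users\victim\AppData\Local\Temp\payload_a.bin", SAMPLE_NOW - 120, MINIMAL_PE_HEAD),
    (r"C:\Users\victim\AppData\Local\Temp\notes.txt", SAMPLE_NOW - 60, b"just text"),
    (r"C:\Users\victim\AppData\Roaming\old_tool.exe", SAMPLE_NOW - 86400 * 30, MINIMAL_PE_HEAD),
]

if __name__ == "__main__":
    for hit in triage_entries(SAMPLE_ENTRIES, SAMPLE_NOW):
        print("recent PE image in staging dir:", hit)
    # On a live Windows host, scan_dirs() performs the same triage over %TEMP% and %APPDATA%.
```

Running the sample flags only `payload_a.bin`: the text file has no PE header and the old executable is outside the one-hour window. On a real host, a hit is a starting point for triage (check the signer, hash and parent process), not a verdict on its own, since legitimate installers also unpack into %temp%.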

Recent developments, as highlighted by Walmart researchers in October 2023, shed light on Latrodectus’s resemblance to the IcedID malware and its updated features, including changes to encryption keys and enhanced execution schedules. The use of advanced tactics like mimicking a trusted Google service and deploying Latrodectus and ACR Stealer underscores the increasing complexity and sophistication of cyber threats posed by attackers looking to exploit user trust and compromise sensitive information.

To mitigate the risk of such attacks, users are advised to download Google Authenticator only from official sources such as the Google Play Store or Apple App Store, to treat ads with caution, and to verify links and website URLs before clicking. Organizations should employ advanced threat detection tools, monitor ad platforms for suspicious activity, train users in phishing awareness, and implement robust network security measures. Together, these steps are essential to safeguard against phishing attempts and related cyber threats.
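Two of the recommendations above, matching the published indicators against traffic and verifying URLs, can be automated. The following is an added example written for this page, not code from the article or from CRIL: it refangs the defanged indicators quoted above, matches them against proxy log lines, and separately flags hostnames that borrow the Google brand without being under a Google-owned domain (the lookalike pattern behind googleaauthenticator[.]com). The log format, client addresses and timestamps are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Indicators exactly as published in the article (defanged); refanged only at match time.
DEFANGED_IOCS = [
    "googleaauthenticator[.]com",
    "hxxps://webipanalyzer[.]com/GoogleAuthSetup.exe",
]

# Registrable domains treated as genuinely Google-owned for the lookalike check.
# Assumption: a short allow-list is enough here; extend it for your own environment.
LEGIT_BRAND_DOMAINS = {"google.com", "googleapis.com", "gstatic.com", "youtube.com"}


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its live form for matching."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


def host_of(url_or_domain: str) -> str:
    """Extract a lower-cased hostname from a URL or a bare domain."""
    s = url_or_domain if "://" in url_or_domain else "http://" + url_or_domain
    return (urlparse(s).hostname or "").lower()


def indicator_hosts(iocs=DEFANGED_IOCS):
    """Set of live hostnames derived from the defanged indicator list."""
    return {host_of(refang(i)) for i in iocs}


def is_brand_lookalike(host: str, brand="google", legit=LEGIT_BRAND_DOMAINS) -> bool:
    """True if the hostname contains the brand name but is not under a known brand domain."""
    host = host.lower()
    if brand not in host:
        return False
    return not any(host == d or host.endswith("." + d) for d in legit)


# Constructed sample proxy log (timestamp, client, method, url, status, bytes); not real traffic.
SAMPLE_PROXY_LOG = """\
2024-07-10T09:14:02Z 10.0.5.23 GET https://www.google.com/ 200 5120
2024-07-10T09:15:41Z 10.0.5.23 GET https://googleaauthenticator.com/ 200 31207
2024-07-10T09:15:58Z 10.0.5.23 GET https://webipanalyzer.com/GoogleAuthSetup.exe 200 2190331
2024-07-10T09:20:11Z 10.0.5.40 GET https://play.google.com/store/apps 200 8814
2024-07-10T09:22:07Z 10.0.5.40 GET https://secure-google-login.example/ 200 4410
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)\s+(?P<bytes>\d+)$"
)


def scan_proxy_log(log_text: str, iocs=DEFANGED_IOCS):
    """Return (ioc_hits, lookalike_hits): exact indicator matches and brand-lookalike hostnames."""
    hosts = indicator_hosts(iocs)
    ioc_hits, lookalike_hits = [], []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; skip rather than crash the sweep
        host = host_of(m["url"])
        record = {"ts": m["ts"], "client": m["client"], "host": host, "url": m["url"]}
        if host in hosts:
            ioc_hits.append(record)
        elif is_brand_lookalike(host):
            lookalike_hits.append(record)
    return ioc_hits, lookalike_hits


if __name__ == "__main__":
    ioc_hits, lookalikes = scan_proxy_log(SAMPLE_PROXY_LOG)
    for r in ioc_hits:
        print("IOC match:", r["client"], r["url"])
    for r in lookalikes:
        print("brand lookalike:", r["client"], r["host"])
```

On the sample log the two published indicators produce exact hits for client 10.0.5.23, while the constructed `secure-google-login.example` host is reported only as a lookalike; the legitimate `www.google.com` and `play.google.com` pass cleanly. Lookalike hits are leads for review, not blocks: the allow-list is intentionally small and should be tuned before the check feeds an automated response.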
