Overview

DeerStealer is a recent and increasingly concerning information-stealing malware. It has gained notoriety for its use of deceptive distribution methods, specifically by disguising itself as legitimate applications such as Google Authenticator. The malware is typically spread through fake advertisements and malicious downloads. Once installed, DeerStealer harvests sensitive data including login credentials, credit card information, and personal details from infected systems.

Recent Distribution Campaign

A recent malware distribution campaign involving DeerStealer was uncovered, wherein the malware was spread via fake Google Authenticator websites. These fake sites closely mimic the legitimate Google Authenticator download page, tricking users into downloading what they believe to be a legitimate application. Upon clicking the "Download" button on these sites, users are redirected to a malicious GitHub repository hosting the DeerStealer malware. Additionally, the site sends the visitor's IP address and country to a Telegram bot, likely for victim tracking and identification.

Indicators of Compromise (IOCs)

File Hashes:
- 4640d425d8d43a95e903d759183993a87bafcb9816850efe57ccfca4ace889ec
- 569ac32f692253b8ab7f411fec83f31ed1f7be40ac5c4027f41a58073fef8d7d
- 5e2839553458547a92fff7348862063b30510e805a550e02d94a89bd8fd0768d
- 66282239297c60bad7eeae274e8a2916ce95afeb932d3be64bb615ea2be1e07a

Domains:
- authentificcatorgoolglte[.]com (Fake Google Authenticator site)
- chromeweb-authenticators[.]com (Another fake Authenticator site)
- paradiso4[.]fun (C2 domain)
- vaniloin[.]fun (C2 domain)
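The following is an added example, not code from the original write-up, showing how a defender would operationalize the IOC list above: the four hashes are 64 hex characters, so the example assumes they are SHA-256 digests and compares them against files streamed through hashlib; the domains are published defanged with "[.]", so they are refanged before matching, and matching is done on exact name or subdomain rather than by substring (so a lookalike that merely contains the string does not hit). The DNS log format and sample lines are constructed for the example.

```python
"""Match the DeerStealer IOCs listed above against local files and DNS query logs.
Added example: the DNS log format and the sample lines are constructed, and the
hashes are assumed to be SHA-256 (64 hex characters)."""
import hashlib
import re
from pathlib import Path

# File hashes from the IOC section, assumed SHA-256.
IOC_HASHES = frozenset({
    "4640d425d8d43a95e903d759183993a87bafcb9816850efe57ccfca4ace889ec",
    "569ac32f692253b8ab7f411fec83f31ed1f7be40ac5c4027f41a58073fef8d7d",
    "5e2839553458547a92fff7348862063b30510e805a550e02d94a89bd8fd0768d",
    "66282239297c60bad7eeae274e8a2916ce95afeb932d3be64bb615ea2be1e07a",
})

# Domains exactly as published (defanged with "[.]").
IOC_DOMAINS_DEFANGED = (
    "authentificcatorgoolglte[.]com",
    "chromeweb-authenticators[.]com",
    "paradiso4[.]fun",
    "vaniloin[.]fun",
)


def refang(indicator: str) -> str:
    """Turn a defanged domain back into a matchable, normalized form."""
    return indicator.replace("[.]", ".").lower().strip().rstrip(".")


IOC_DOMAINS = frozenset(refang(d) for d in IOC_DOMAINS_DEFANGED)


def sha256_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory buffer."""
    return hashlib.sha256(data).hexdigest()


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large downloads are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_digest(digest: str, iocs=IOC_HASHES):
    """Return the digest if it is on the IOC list, otherwise None."""
    digest = digest.lower()
    return digest if digest in iocs else None


def check_file(path: Path, iocs=IOC_HASHES):
    """Hash a file on disk and look it up in the IOC list."""
    return check_digest(sha256_of(path), iocs)


def domain_matches(name: str, iocs=IOC_DOMAINS) -> bool:
    """Exact or subdomain match: cdn.paradiso4.fun hits, paradiso4.fun.example.com does not."""
    name = refang(name)
    return any(name == d or name.endswith("." + d) for d in iocs)


# Constructed log line format: "<timestamp> <client_ip> query <qname> <qtype>"
DNS_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+) (?P<qtype>\S+)$")

SAMPLE_LOG = [  # constructed sample lines, not real telemetry
    "2024-07-29T10:01:02Z 10.0.0.5 query www.example.com A",
    "2024-07-29T10:01:09Z 10.0.0.5 query authentificcatorgoolglte.com A",
    "2024-07-29T10:02:44Z 10.0.0.7 query cdn.paradiso4.fun. A",
    "2024-07-29T10:03:10Z 10.0.0.9 query notparadiso4.fun A",
]


def scan_dns_log(lines):
    """Return (client_ip, qname) for every query that resolves an IOC domain or a subdomain of one."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if m and domain_matches(m["qname"]):
            hits.append((m["client"], refang(m["qname"])))
    return hits


if __name__ == "__main__":
    for client, qname in scan_dns_log(SAMPLE_LOG):
        print(f"IOC domain resolved by {client}: {qname}")
```

Point `check_file` at downloaded installers (or feed `scan_dns_log` your resolver's query log, after adjusting `DNS_LINE` to its real layout). The subdomain rule matters for the C2 domains in particular, since operators commonly stage infrastructure under arbitrary hostnames of a registered domain.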
Relation to XFiles Malware

DeerStealer has been found to share similarities with the XFiles malware family. Both are distributed through fake websites posing as legitimate software downloads. However, while XFiles is a .NET-based malware employing staged C2 communication, DeerStealer is a compiled machine-code application. The similarity in tactics suggests a potential overlap or evolution in cybercriminal strategies.

Mitigation Strategies

- Avoid Clicking on Promoted Search Results: Users should avoid clicking on ads in search results, particularly for downloading software. Instead, navigate directly to official websites.
- Use Ad Blockers: Employing ad blockers can prevent exposure to malicious ads.
- Verify URLs: Always verify that download URLs match the official domain before downloading any software.
- Scan Downloads: Use updated antivirus software to scan all downloads before execution.
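As an added illustration of the "Verify URLs" item (not code from the original write-up), the check below shows what "matches the official domain" has to mean in practice: the URL is parsed, the scheme must be https, and the hostname must be the official domain itself or one of its subdomains. A substring test would be fooled by lookalike names such as the fake Authenticator domains listed above, and a naive split on "/" would be fooled by a userinfo trick (`https://official@attacker/`). The official host `vendor.example` used here is a constructed placeholder; the fake domains are the ones from the IOC section.

```python
"""Decide whether a download URL points at an allow-listed official domain.
Added example; "vendor.example" is a constructed placeholder for the vendor's real domain."""
from urllib.parse import urlsplit

# Placeholder allow-list: the vendor's official download domain(s).
OFFICIAL_HOSTS = frozenset({"vendor.example"})


def normalize_host(host: str) -> str:
    """Lower-case and strip a trailing dot so 'Vendor.Example.' compares equal to 'vendor.example'."""
    return host.lower().rstrip(".")


def is_official_download(url: str, official_hosts=OFFICIAL_HOSTS) -> bool:
    """True only for https URLs whose hostname is an official host or a subdomain of one."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        return False
    # .hostname excludes userinfo and port, so "https://vendor.example@evil.fun/" yields "evil.fun".
    if not parts.hostname:
        return False
    host = normalize_host(parts.hostname)
    return any(host == o or host.endswith("." + o) for o in map(normalize_host, official_hosts))


def classify(urls, official_hosts=OFFICIAL_HOSTS):
    """Map each URL to 'official' or 'reject' for a quick triage listing."""
    return {u: ("official" if is_official_download(u, official_hosts) else "reject") for u in urls}


if __name__ == "__main__":
    # Constructed sample URLs; the two lookalike hosts are from the IOC list above.
    samples = [
        "https://downloads.vendor.example/app-setup.exe",
        "https://authentificcatorgoolglte.com/download",
        "https://chromeweb-authenticators.com/Download",
        "https://vendor.example.attacker.fun/app-setup.exe",
        "https://vendor.example@attacker.fun/app-setup.exe",
        "http://vendor.example/app-setup.exe",
    ]
    for url, verdict in classify(samples).items():
        print(f"{verdict:8} {url}")
```

The rule is deliberately strict: "contains the brand name" is exactly the property the fake sites in this campaign were built to satisfy, so only an exact-or-subdomain match on a host you already trust should pass.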