ANY.RUN Uncovers DeerStealer Malware Campaign Exploiting Fake Google Authenticator Websites
DUBAI, DUBAI, UNITED ARAB EMIRATES, July 31, 2024 /EINPresswire.com/ -- ANY.RUN, a trusted provider of cybersecurity solutions, has revealed a new malware distribution campaign. This campaign uses fake Google Authenticator websites to spread DeerStealer malware.
DeerStealer: A New Threat Disguised as Google Authenticator
DeerStealer, detected by ANY.RUN's expert team, is distributed through fraudulent websites designed to mimic official Google Authenticator websites. These deceptive sites trick users into downloading malware. When users click the Download button, their information is sent to a Telegram bot named Tuc-tuc before the malware is downloaded from GitHub.
In-Depth Analysis of DeerStealer
ANY.RUN’s team conducted a comprehensive analysis of the DeerStealer malware. Key findings include:
• Fake site analysis: Attackers are using websites mimicking legitimate Google pages, tricking users into downloading the malware.
• Telegram bot logging: The bot logs visitor information, including IP addresses and countries.
• Stealer on GitHub: The malware, hosted on GitHub, is written in Delphi and executes directly in memory, employing obfuscation techniques to avoid detection.
• C2 communication: The malware communicates with a C2 server, encrypting the data it sends with a single-byte XOR key.
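Single-byte XOR offers no real confidentiality: an analyst holding a captured C2 payload can brute-force all 256 keys and pick the one that yields text-like output. The script below is an added example (not ANY.RUN's code or tooling); the beacon content and key are constructed for illustration and are not DeerStealer's real format.

```python
import string

# Constructed sample beacon, not a real DeerStealer payload: the kind of
# host/user/geo fields a stealer might send to its C2 before XOR-encoding.
SAMPLE_PLAINTEXT = b"host=WIN-LAB01;user=analyst;country=AE;ip=10.0.0.5"

ALNUM = set(string.ascii_letters.encode() + string.digits.encode())
DELIMS = set(b"=;")


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the same call encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def plaintext_score(data: bytes) -> int:
    """Heuristic: reward letters, digits and key=value delimiters, punish
    non-printable bytes. The correct decryption of a text beacon scores highest."""
    score = 0
    for b in data:
        if b in ALNUM or b in DELIMS:
            score += 2
        elif not 0x20 <= b <= 0x7E:
            score -= 10  # control/high bytes: almost certainly a wrong key
    return score


def recover_key(ciphertext: bytes) -> int:
    """Brute-force all 256 single-byte keys and keep the most text-like result."""
    return max(range(256), key=lambda k: plaintext_score(xor_single_byte(ciphertext, k)))


def decode_capture(ciphertext: bytes) -> tuple[int, bytes]:
    """Return (recovered key, decrypted beacon) for a captured C2 payload."""
    key = recover_key(ciphertext)
    return key, xor_single_byte(ciphertext, key)


if __name__ == "__main__":
    # Simulate what a sandbox would capture on the wire, then decode it.
    captured = xor_single_byte(SAMPLE_PLAINTEXT, 0x5A)
    key, beacon = decode_capture(captured)
    print(f"recovered key 0x{key:02x}: {beacon.decode()}")
```

The same scoring approach works on a real capture as long as the beacon is mostly text; binary payloads need a different heuristic (for example a known field name as a crib).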
Implications for Cybersecurity Professionals
Cybersecurity experts can use this analysis to study the behavior of the DeerStealer malware and collect Indicators of Compromise (IOCs) identified by ANY.RUN's experts.
For more information on the malware campaign, visit the ANY.RUN blog.
About ANY.RUN
ANY.RUN offers a comprehensive suite of cybersecurity products, including an interactive sandbox and a Threat Intelligence portal. Trusted by over 400,000 professionals globally, the sandbox provides an efficient and user-friendly platform for analyzing malware targeting both Windows and Linux systems. Additionally, ANY.RUN's Threat Intelligence services, comprising Lookup, Feeds, and YARA Search, enable users to gather critical information about threats and respond to incidents with enhanced speed and accuracy.
The ANY.RUN team
ANYRUN FZCO
+1 657-366-5050
1 https://any.run/?utm_source=ein&utm_medium=press_release&utm_campaign=deerstealer&utm_content=landing&utm_term=31072024
2 https://any.run/cybersecurity-blog/deerstealer-campaign-analysis/?utm_source=ein&utm_medium=press_release&utm_campaign=deerstealer&utm_content=blog&utm_term=31072024