Pulse Detail — Threat Intelligence

PULSE NAME

Double Trouble: Latrodectus And ACR Stealer Observed Spreading Via Google Authenticator Phishing Site

WHITE AlienVault 2024-08-20 Modified: 2024-08-20

IOCs

MEDIUM VOLUME

The Cyble Research and Intelligence Lab (CRIL) discovered a sophisticated phishing website mimicking Google Safety Centre, designed to trick users into downloading malware. The malware, compromising security and stealing sensitive information, drops two threats: Latrodectus, which maintains persistence and collects user data; and ACR Stealer, which employs Dead Drop Resolver to obscure its Command and Control server. Latrodectus shows ongoing development with encryption key updates and new commands.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1053.005 T1119 T1555.005 T1082 T1106 T1555.003 T1566 T1070.004 T1027.002 T1071.001

MALWARE FAMILIES

Latrodectus ACR Stealer

Indicators of Compromise (27)

All CVE FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL domain

TYPE	INDICATOR	DESCRIPTION	CREATED
CVE	CVE-2017-11882	—	2024-08-20
CVE	CVE-2021-44228	—	2024-08-20
CVE	CVE-2023-46805	—	2024-08-20
CVE	CVE-2024-21412	—	2024-08-20
CVE	CVE-2024-21887	—	2024-08-20
CVE	CVE-2024-21893	—	2024-08-20
FileHash-MD5	2915b3f8b703eb744fc54c81f4a9c67f	—	2024-08-20
FileHash-MD5	7bdbd180c081fa63ca94f9c22c457376	—	2024-08-20
FileHash-MD5	8c69830a50fb85d8a794fa46643493b2	—	2024-08-20
FileHash-SHA1	bcfac98117d9a52a3196a7bd041b49d5ff0cfb8c	—	2024-08-20
FileHash-SHA1	e10361a11f8a7f232ac3cb2125c1875a0a69a3e4	—	2024-08-20
FileHash-SHA1	e6d06bb9afaeb8aa80e62e76a26c7cffd14497f6	—	2024-08-20
FileHash-SHA256	532c9bc2e30150bef61a050386509dd5f3c152688898f6be616393f10b9262d3	—	2024-08-20
FileHash-SHA256	62536e1486be7e31df6c111ed96777b9e3f2a912a2d7111253ae6a5519e71830	—	2024-08-20
FileHash-SHA256	81bc69a33b33949809d630e4fa5cdb89d8c60cf0783f447680c3677cae7bb9bb	—	2024-08-20
FileHash-SHA256	9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507	—	2024-08-20
FileHash-SHA256	a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91	—	2024-08-20
FileHash-SHA256	c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0	—	2024-08-20
URL	https://geotravelsgi.xyz/ujs/2ae977f4-db12-4876-9e4d-fc8d1778842d	—	2024-08-20
URL	https://godfaetret.com/live/	—	2024-08-20
URL	https://spikeliftall.com/live/	—	2024-08-20
URL	https://webipanalyzer.com/GoogleAuthSetup.exe	—	2024-08-20
domain	geotravelsgi.xyz	—	2024-08-20
domain	godfaetret.com	—	2024-08-20
domain	googleaauthenticator.com	—	2024-08-20
domain	spikeliftall.com	—	2024-08-20
domain	webipanalyzer.com	—	2024-08-20

References (1)

↗ https://cyble.com/blog/double-trouble-latrodectus-and-acr-stealer-observed-spreading-via-google-authenticator-phishing-site/