Pulse name: Double Trouble: Latrodectus And ACR Stealer Observed Spreading Via Google Authenticator Phishing Site
TLP: WHITE | Author: AlienVault | Created: 2024-08-20 | Modified: 2024-08-20
IOCs: 27 | Volume: medium
The Cyble Research and Intelligence Lab (CRIL) discovered a sophisticated phishing website mimicking Google Safety Centre, designed to trick users into downloading malware. The downloaded malware, which compromises the host and steals sensitive information, drops two threats: Latrodectus, which maintains persistence and collects user data, and ACR Stealer, which uses a Dead Drop Resolver to hide the location of its Command and Control server. Latrodectus shows signs of ongoing development, including encryption key updates and new commands.
MITRE ATT&CK & Malware Families
Malware families: Latrodectus, ACR Stealer
Indicators of Compromise (3 of 27 total shown)

TYPE            INDICATOR                           DESCRIPTION   CREATED
FileHash-MD5    2915b3f8b703eb744fc54c81f4a9c67f    -             2024-08-20
FileHash-MD5    7bdbd180c081fa63ca94f9c22c457376    -             2024-08-20
FileHash-MD5    8c69830a50fb85d8a794fa46643493b2    -             2024-08-20