Google Safety Phishing Scam – Malware

February 12, 2025
in Malware

Google Safety Phishing Scam

Type of Malware

Trojan
Infostealer

Date of Initial Activity

2024

Motivation

Data Theft

Attack Vectors

Phishing

Targeted Systems

Windows

Type of Information Stolen

Communication Data
Login Credentials
System Information
Browser Data

Overview

A phishing scam uncovered on August 13, 2024 exploits the trusted Google Safety Centre brand to deceive users into downloading malicious software. The campaign impersonates Google's official communications and urges recipients to download an update for Google Authenticator, a widely used two-factor authentication (2FA) app. The file disguised as that update carries two pieces of malware, Latrodectus and ACR Stealer, which together give the attackers remote access to the victim's device and steal sensitive information.

The campaign combines social engineering with evasion techniques to trick users into compromising their own security. By capitalizing on the trust many users place in Google's services, the attackers have crafted a convincing message that stresses the urgency of an "important update." This approach not only gains victims' trust but also lets the malware spread quickly across a wide range of targets, from individuals to organizations. The file that masquerades as a simple update to the authenticator app actually installs Latrodectus, a downloader that lets attackers execute commands remotely, and ACR Stealer, which harvests user credentials and banking information.

Targets

Individuals

How they operate

The attack begins with social engineering: the victim receives a phishing email posing as a legitimate notification from Google's Safety Centre. The email urges the user to download a file named Google Authenticator, after the common 2FA app. The file, however, contains the malware payload. Once the user downloads and opens it, the malware runs and the system is compromised. The malicious file acts as a downloader that contacts a remote server to fetch additional malicious code, starting a chain of commands that further compromises the victim's system.

Once Latrodectus, the downloader, is executed, it establishes communication with its command-and-control (C&C) server to retrieve further instructions or payloads. Latrodectus is modular, so it can fetch different payloads depending on the attacker's goals, such as spyware or ransomware. In this campaign the second-stage payload is ACR Stealer, which is downloaded onto the victim's machine. ACR Stealer exfiltrates sensitive information, including login credentials, financial data and other personal information. It specifically targets credentials stored in the browser, such as saved passwords, which makes it an effective tool for stealing data from web applications and financial websites.

A notable aspect of this scam is ACR Stealer's use of the Dead Drop Resolver technique to conceal its C&C server details. The stealer does not carry the server address directly; instead it resolves it at run time from an intermediate location, which makes it harder for security tools that attempt to trace the malware's communications to identify its origin or block it. This evasion technique is part of a broader strategy to keep the malware active on the victim's system without detection.

The malware also uses several tactics to maintain persistence so that the attackers retain access to the compromised system. It may establish mechanisms such as scheduled tasks or registry modifications to ensure it remains active after reboots or user intervention. The ability to keep access for extended periods increases the risk of further exploitation, allowing the malware to silently steal data or carry out additional malicious actions without the victim's knowledge.
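The lure-then-persistence chain described above is something an endpoint detection can correlate. The following Python is an added example, not code from the original profile or from the malware's analysts: it walks a few constructed Sysmon-style events (event ID 1 = process creation, 13 = registry value set; the file names, PIDs and task names are invented) and flags any scheduled-task creation or Run-key write that descends from a process launched from a "Google Authenticator" executable in the Downloads folder.

```python
"""Correlate constructed endpoint events for the Google Authenticator lure + persistence chain."""
import re

# Constructed sample events, not real telemetry.
# Tuple layout: (event_id, pid, ppid, image, detail)
#   event_id 1  = process creation (detail = command line)
#   event_id 13 = registry value set (detail = target key)
EVENTS = [
    (1, 100, 1, r"C:\Program Files\Mozilla Firefox\firefox.exe", ""),
    (1, 200, 100, r"C:\Users\alice\Downloads\Google Authenticator Update.exe", ""),
    (1, 300, 200, r"C:\Windows\System32\schtasks.exe",
     "/create /sc onlogon /tn Updater /tr C:\\Users\\alice\\AppData\\Local\\upd.exe"),
    (13, 200, 0, r"C:\Users\alice\Downloads\Google Authenticator Update.exe",
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    (1, 400, 1, r"C:\Windows\System32\notepad.exe", ""),
]

# Executables from Downloads whose name mimics the Google Authenticator lure.
LURE_RE = re.compile(r"\\Downloads\\.*google.*authenticator.*\.exe$", re.I)
# Autostart registry location commonly abused for persistence.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.I)


def find_persistence_chains(events):
    """Return (lure_pid, reason, detail) for persistence set up by a lure process or its children."""
    lure_pids = {pid for eid, pid, _, img, _ in events if eid == 1 and LURE_RE.search(img)}
    parent = {pid: ppid for eid, pid, ppid, _, _ in events if eid == 1}
    alerts = []
    for eid, pid, ppid, img, detail in events:
        # Walk up the process tree until we hit a lure process or run out of ancestors.
        node = pid
        while node and node not in lure_pids:
            node = parent.get(node)
        if not node:
            continue  # no lure process in this event's ancestry
        if eid == 1 and img.lower().endswith("schtasks.exe") and "/create" in detail.lower():
            alerts.append((node, "scheduled task created", detail))
        elif eid == 13 and RUN_KEY_RE.search(detail):
            alerts.append((node, "Run key modified", detail))
    return alerts


if __name__ == "__main__":
    for lure_pid, reason, detail in find_persistence_chains(EVENTS):
        print(f"ALERT pid={lure_pid}: {reason}: {detail}")
```

Both constructed persistence events trace back to the lure process (pid 200) and are reported; the unrelated notepad launch is ignored.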

MITRE Tactics and Techniques

  • Initial Access (T1071) – Phishing: The attack begins with a phishing email that impersonates the Google Safety Centre, tricking users into downloading a malicious file. This aligns with the Phishing technique, where attackers use deceptive emails to lure users into executing malicious payloads.
  • Execution (T1203) – Exploitation of Vulnerability in Software: Once the malicious file is downloaded, it executes the Latrodectus malware and ACR Stealer. This could involve exploiting vulnerabilities in the user's system or in commonly used software (like Google Authenticator), leading to execution of the payload.
  • Persistence (T1053) – Scheduled Task/Job: The malware may use scheduled tasks or similar mechanisms to persist across system reboots, maintaining the attacker's access to the compromised device.
  • Privilege Escalation (T1078) – Valid Accounts: Because the malware steals credentials (via ACR Stealer), the attacker could escalate privileges by using the captured user credentials, including login information for various accounts.
  • Credential Access (T1081) – Credentials from Web Browsers: ACR Stealer specifically targets stored credentials, banking details and other sensitive information, including data saved in web browsers. This aligns with the Credentials from Web Browsers technique.
  • Command and Control (T1071) – Application Layer Protocol: The Latrodectus downloader communicates with a command-and-control (C&C) server, likely over a web-based protocol such as HTTP/HTTPS, to receive commands. This is consistent with Application Layer Protocol communication.
  • Exfiltration (T1041) – Exfiltration Over Command and Control Channel: The malware steals and exfiltrates sensitive data, including user credentials and possibly other personal information, back to the attacker's C&C server.
  • Evasion (T1070) – Indicator Removal on Host: ACR Stealer's use of the Dead Drop Resolver to obscure its C&C server details is an evasion measure that makes detection and mitigation more difficult. It is associated with techniques that remove or obscure traces of malicious activity.
References:
  • Phishing campaign impersonates Google Safety Centre