Google Safety Phishing Scam – Malware

Overview

A new phishing scam, uncovered on August 13, 2024, is exploiting the trusted Google Safety Centre brand to deceive users into downloading malicious software. The phishing campaign targets individuals by impersonating Google’s official communications, urging them to download an update for Google Authenticator, a widely-used two-factor authentication (2FA) app. The file, disguised as an update, contains two types of malware—Latrodectus and ACR Stealer—designed to deliver remote access to the victim’s device and steal sensitive information. This campaign represents a more advanced form of cyberattack, using social engineering and sophisticated evasion techniques to trick users into compromising their security. By capitalizing on the trust many users place in Google’s services, the attackers have crafted a convincing message that pushes the urgency of an “important update.” This approach is not only effective in gaining victims’ trust but also enables the malware to spread quickly, targeting a wide range of users, from individuals to organizations. The file that masquerades as a simple update to the popular authenticator app actually installs Latrodectus, a downloader malware that enables attackers to execute commands remotely, and ACR Stealer, which steals user credentials and banking information.

Targets

Individuals

How they operate

The first step of the attack involves a social engineering strategy where the victim receives a phishing email posing as a legitimate notification from Google’s Safety Centre. The email urges the user to download a file named Google Authenticator, a common app used for two-factor authentication. This file, however, contains malware designed to execute malicious payloads. Upon downloading and opening the file, the malware is triggered, and the system is compromised. The malicious file acts as a downloader, which then contacts a remote server to fetch additional malicious code, initiating a chain of command that further compromises the victim’s system. Once Latrodectus, the downloader malware, is executed, it establishes communication with the C&C server to retrieve additional instructions or payloads. This malware is highly modular, meaning it can fetch various payloads depending on the attacker’s goals, such as spyware or ransomware. In this case, the second stage payload, ACR Stealer, is downloaded onto the victim’s machine. ACR Stealer is designed to exfiltrate sensitive information, including login credentials, financial data, and other personal information. The stealer malware specifically targets browser-stored credentials and login information, such as saved passwords, making it a highly effective tool for attackers looking to steal data from web applications and financial websites. A key aspect of this scam is its use of the Dead Drop Resolver, a technique employed by ACR Stealer to conceal its C&C server details. This method helps evade detection by security tools that attempt to trace the malware’s communications. The Dead Drop Resolver essentially acts as a masking mechanism, making it more difficult for security systems to trace the malware’s origin or stop it. This evasion technique is part of a broader strategy to ensure the malware remains active on the victim’s system without detection. The malware also employs various tactics to maintain persistence, allowing the attackers to retain access to the compromised system. It may establish mechanisms like scheduled tasks or registry modifications to ensure that the malware remains active, even after system reboots or user interventions. The attackers’ ability to maintain access for extended periods increases the risk of further exploitation, allowing the malware to silently steal data or perform additional malicious actions without the victim’s knowledge.

MITRE Tactics and Techniques

Initial Access (T1071) – Phishing: The attack begins with a phishing email that impersonates the Google Safety Centre, tricking users into downloading a malicious file. This aligns with the Phishing technique, where attackers use deceptive emails to lure users into executing malicious payloads. Execution (T1203) – Exploitation of Vulnerability in Software: Once the malicious file is downloaded, it executes the Latrodectus malware and ACR Stealer. This could involve exploiting vulnerabilities in the user’s system or in commonly used software (like Google Authenticator), leading to the execution of the payload. Persistence (T1053) – Scheduled Task/Job: The malware may use scheduled tasks or similar mechanisms to ensure that it persists across system reboots. This helps maintain the attacker’s access to the compromised device. Privilege Escalation (T1078) – Valid Accounts: If the malware is designed to steal credentials (such as ACR Stealer), it could allow the attacker to escalate privileges by gaining access to user credentials, including login information for various accounts. Credential Access (T1081) – Credentials from Web Browsers: ACR Stealer specifically targets stored credentials, banking details, and other sensitive information, which could include information saved in web browsers. This aligns with the Credentials from Web Browsers technique. Command and Control (T1071) – Application Layer Protocol: The Latrodectus downloader establishes communication with a command-and-control (C&C) server, which is likely using a web-based protocol (such as HTTP/HTTPS) to issue commands. This is consistent with Application Layer Protocol communication. Exfiltration (T1041) – Exfiltration Over Command and Control Channel: The malware is designed to steal and exfiltrate sensitive data, including user credentials and possibly other personal information, back to the attacker’s C&C server. This is indicative of Exfiltration Over C&C Channel. Evasion (T1070) – Indicator Removal on Host: The ACR Stealer’s use of Dead Drop Resolver to obscure its C&C server details is an example of evasion, making detection and mitigation more difficult. This is associated with techniques that try to remove or obscure traces of malicious activity.  

References:

• Phishing campaign impersonates Google Safety Centre