| DeerStealer | |
|---|---|
| Type of Malware | Infostealer |
| Date of Initial Activity | 2024 |
| Motivation | Data Theft |
| Attack Vectors | Phishing |
| Targeted Systems | Windows |
| Type of Information Stolen | Login Credentials |
Overview
A newly identified malware campaign is spreading a variant of the DeerStealer infostealer, posing significant risks to users worldwide. This malicious software is disguised as a fake Google Authenticator app, tricking users into downloading and installing it from GitHub repositories. Once installed, DeerStealer covertly collects sensitive information from compromised devices and sends it to attackers’ command-and-control (C2) servers. By mimicking a widely used security tool, the malware capitalizes on users’ trust and reliance on two-factor authentication (2FA) apps, making it particularly dangerous.
DeerStealer is written in the Delphi programming language, a choice that reflects its developers’ focus on creating efficient, evasive malware. It targets a broad range of confidential data, including login credentials, financial information, and personal documents, which are extracted and packaged into encrypted PKZIP archives before exfiltration. This approach allows cybercriminals to maximize the amount of data they can steal from each victim, further exacerbating the potential impact of the attack.
Targets
Individuals
How they operate
At its core, DeerStealer is written in the Delphi programming language, which allows it to operate efficiently on Windows systems. Upon execution, the malware begins by collecting a variety of sensitive information, including login credentials, browser cookies, and personal data stored locally. One of its primary techniques involves scanning web browsers and applications for saved passwords and cookies, which are often stored in easily accessible databases or directories. Using Delphi’s robust file manipulation capabilities, DeerStealer extracts this data, packaging it into encrypted PKZIP archives for transmission to its command-and-control (C2) servers.
To exfiltrate the stolen data, DeerStealer establishes communication with its C2 infrastructure, typically using web-based protocols like HTTP or HTTPS. These protocols allow the malware to send encrypted archives back to the attackers without raising suspicion. Since the malware mimics a trusted application, most users are unaware of any unusual activity, enabling DeerStealer to operate covertly over extended periods.
Beyond its data collection capabilities, DeerStealer employs several techniques to maintain persistence and evade detection. It may create registry keys or schedule tasks that ensure it automatically runs each time the system boots up. Additionally, the malware can obfuscate its binary to avoid detection by antivirus software or endpoint protection solutions. By disguising its processes or using trusted system utilities to execute its code, DeerStealer increases the likelihood of bypassing security defenses.
To further complicate detection, the malware operates under the guise of a legitimate security tool—Google Authenticator. This tactic capitalizes on the trust users place in such tools, encouraging them to unknowingly compromise their own systems. By the time a user realizes they have downloaded a fake app, DeerStealer has already harvested sensitive data and sent it off to the attackers.
In conclusion, DeerStealer represents a well-crafted, technically advanced piece of malware designed to target confidential data while avoiding detection. Its use of familiar platforms like GitHub for distribution, coupled with its ability to masquerade as a legitimate application, makes it especially dangerous. For both individuals and organizations, awareness of these technical operations is critical to preventing infections and ensuring robust cybersecurity defenses.
MITRE Tactics and Techniques
Initial Access (TA0001):
The malware is distributed through fake Google Authenticator websites, a form of Drive-by Compromise (T1189) or Spearphishing Attachment (T1566.001). Attackers rely on users to download and install the fake app, which serves as the initial point of compromise.
Execution (TA0002):
After the user installs the fake app, the malware is executed on the device. Techniques like User Execution (T1204) are leveraged, where the malware relies on the user to initiate the installation of what appears to be legitimate software.
Persistence (TA0003):
The malware likely employs techniques to maintain persistence on the compromised system. Registry Run Keys/Startup Folder (T1547.001) or Scheduled Task/Job (T1053) could be used to ensure the malware survives reboots and continues collecting data.
Defense Evasion (TA0005):
To evade detection, DeerStealer may use methods like Obfuscated Files or Information (T1027) or Binary Padding (T1027.001) to avoid detection by antivirus software or endpoint security solutions. It might also take advantage of Trusted Developer Utilities Proxy Execution (T1218) to run under the guise of legitimate processes.
Credential Access (TA0006):
The primary goal of DeerStealer is to harvest sensitive information, including credentials. It might use techniques like Input Capture (T1056), Credential Dumping (T1003), or Keylogging (T1056.001) to steal login credentials, cookies, and other authentication tokens.
Collection (TA0009):
DeerStealer gathers sensitive data, which includes login credentials and personal information from browsers and other applications. This can involve Data from Local System (T1005) and Data from Information Repositories (T1213), targeting files stored on the endpoint.
Exfiltration (TA0010):
Once collected, the malware exfiltrates the data back to command-and-control servers. This is done using techniques like Exfiltration Over C2 Channel (T1041), packaging the data into PKZIP archives before transmission to the attacker-controlled infrastructure.
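The exfiltration pattern described above (in the "How they operate" section and in the Exfiltration technique) is stolen browser data packed into encrypted PKZIP archives and posted to a C2 server over HTTP/HTTPS. The following is an added detection example, not code from the page or from any vendor's product: it walks the PKZIP local file headers in an HTTP POST body and flags bodies whose entries carry the encrypted flag or are named like browser credential stores (the store file names and the sample archive are assumptions constructed for the example).

```python
import struct
import zlib

LOCAL_HEADER_SIG = b"PK\x03\x04"   # PKZIP local file header signature
FLAG_ENCRYPTED = 0x0001            # general-purpose bit 0: entry is encrypted
# Assumed file names of browser credential/cookie stores (Chromium, Firefox)
# that an infostealer archive would be expected to carry.
CREDENTIAL_STORES = {"login data", "cookies", "web data", "logins.json", "key4.db"}


def scan_zip_entries(blob: bytes) -> list:
    """Walk PKZIP local file headers anywhere in a byte blob and report each
    entry's name and whether its flag word marks it as encrypted."""
    entries = []
    pos = blob.find(LOCAL_HEADER_SIG)
    while pos != -1 and pos + 30 <= len(blob):
        (_sig, _ver, flags, method, _t, _d, _crc, csize, _usize,
         name_len, extra_len) = struct.unpack_from("<4sHHHHHIIIHH", blob, pos)
        name = blob[pos + 30:pos + 30 + name_len].decode("utf-8", "replace")
        entries.append({"name": name, "method": method,
                        "encrypted": bool(flags & FLAG_ENCRYPTED)})
        # The next header follows the name, extra field and compressed data.
        pos = blob.find(LOCAL_HEADER_SIG, pos + 30 + name_len + extra_len + csize)
    return entries


def assess_http_body(body: bytes) -> dict:
    """Heuristic for a proxy or IDS: a POST body that is a PKZIP archive with
    encrypted entries, or entries named like credential stores, is flagged."""
    entries = scan_zip_entries(body)
    encrypted = sum(1 for e in entries if e["encrypted"])
    cred_names = [e["name"] for e in entries
                  if e["name"].lower().rsplit("/", 1)[-1] in CREDENTIAL_STORES]
    return {"is_zip": bool(entries), "encrypted_entries": encrypted,
            "credential_store_names": cred_names,
            "suspicious": bool(entries) and (encrypted > 0 or bool(cred_names))}


def build_sample_archive(entries, encrypted=True) -> bytes:
    """Constructed test data: stored (method 0) local headers only, with the
    encrypted flag set on request. Real ZipCrypto entries also carry a 12-byte
    encryption header and a central directory, which the header scan ignores."""
    out = bytearray()
    flags = FLAG_ENCRYPTED if encrypted else 0
    for name, payload in entries:
        out += struct.pack("<4sHHHHHIIIHH", LOCAL_HEADER_SIG, 20, flags, 0, 0, 0,
                           zlib.crc32(payload) & 0xFFFFFFFF,
                           len(payload), len(payload), len(name), 0)
        out += name.encode() + payload
    return bytes(out)
```

The scan is header-only, so it also catches archives whose transfer was interrupted or whose central directory was stripped to frustrate unzip tools.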
Command and Control (TA0011):
The malware communicates with external servers controlled by attackers. Web Protocols (T1071.001), like HTTP or HTTPS, are often used for command-and-control communication, allowing attackers to issue commands and receive stolen data.