{"id":8460,"date":"2024-07-31T09:30:11","date_gmt":"2024-07-31T09:30:11","guid":{"rendered":"\/cybersecurity-blog\/?p=8460"},"modified":"2024-08-20T09:37:07","modified_gmt":"2024-08-20T09:37:07","slug":"deerstealer-campaign-analysis","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/deerstealer-campaign-analysis\/","title":{"rendered":"Brief Overview of the DeerStealer Distribution Campaign\u00a0"},"content":{"rendered":"\n

Our team recently uncovered a malware distribution campaign for a threat we’ve named DeerStealer. <\/p>\n\n\n\n

The malware was spread through fake Google Authenticator websites, captured in this analysis session<\/a>. <\/p>\n\n\n\n

The site appears to be a Google page offering the application for download. The first site we discovered, authentificcatorgoolglte[.]com,<\/strong> mimics safety.google\/intl\/en_my\/cybersecurity-advancements<\/strong>: <\/p>\n\n\n

\n
\"\"
Example of fake site<\/em> <\/figcaption><\/figure><\/div>\n\n\n

Clicking the Download button sends visitor information (IP address and country) to a Telegram bot. <\/p>\n\n\n

\n
\"\"<\/figure><\/div>\n\n\n

Then it downloads the stealer hosted on GitHub at this link: github[.]com\/ggle24\/ggle2<\/strong><\/p>\n\n\n

\n
\"\"
Stealer hosted on Github<\/em> <\/figcaption><\/figure><\/div>\n\n
\n
\"\"
JavaScript code that sends visitor information to the Telegram bot when the file is downloaded<\/em> <\/figcaption><\/figure><\/div>\n\n\n

Telegram Bot <\/h2>\n\n\n\n

The bot is called Tuc-tuc. Here\u2019s the information about the Telegram bot owner: <\/p>\n\n\n\n

    { \n      \"user\": { \n        \"id\": 6514377088, \n        \"is_bot\": false, \n        \"first_name\": \"fedor\", \n        \"last_name\": \"emeliyanenko\", \n        \"username\": \"fedor_emeliyanenko_bog\", \n        \"language_code\": \"ru\", \n        \"is_premium\": true \n      }, \n      \"status\": \"creator\", \n      \"is_anonymous\": false \n    }<\/code><\/pre>\n\n\n\n
The bot’s logging looks like this: <\/p>\n\n\n
\n
\"\"<\/figure><\/div>\n\n
\n
\"\"<\/figure><\/div>\n\n\n
The first message was sent on Wednesday, June 19, 2024, at 10:52:39.  <\/p>\n\n\n
\n
\"\"<\/figure><\/div>\n\n\n
Since each message contains the site it came from, we parsed the chat to obtain all active phishing sites in this campaign.<\/p>\n\n\n\n\n
\n\n
\nEasily analyze malware in ANY.RUN sandbox<\/span> \n<\/p>\n\n\nRegister for free\u00a0\n<\/a>\n<\/div>\n\n\n\n