
Beware! Fake Google Authenticator Sites Spreading DeerStealer Malware

Researchers from ANY RUN identified a malware distribution campaign dubbed DeerStealer that leverages deceptive websites masquerading as legitimate Google Authenticator download pages. The initial discovered website, “authentificcatorgoolglte[.]com,” closely resembles the authentic Google page “safe...

Jan 15, 2026

[Image: example of fake site]

Clicking the “Download” button on this fake website triggers a two-fold malicious action: first, it transmits the visitor’s IP address and country information to a Telegram bot, likely for tracking and potential victim identification.

Second, instead of downloading the actual Google Authenticator app, the website redirects users to a malicious file hosted on GitHub at the repository “github[.]com/ggle24/ggle2.”

This file likely contains the DeerStealer malware itself, disguised as a legitimate application. Once downloaded and executed, DeerStealer can steal sensitive user data without the victim’s knowledge.

[Image: JavaScript code that sends visitor information to the Telegram bot when the file is downloaded]

On June 19, 2024, user “fedor_emeliyanenko_bog” launched the Telegram bot Tuc-tuc, which started logging messages that included the originating site and allowed for the extraction of active phishing sites connected to this campaign.

Researchers have identified a list of domains associated with these phishing attacks by analyzing the chat history.

[Image: Fake Domains]

The Delphi-based stealer, obtained from GitHub, contains a malicious payload delivered via a Reedcode-signed file. The payload uses obfuscation to hide its behaviour: API calls are wrapped in functions that fetch the target address from a global variable and transfer control with JMP RAX.

Additional obfuscation comes from numerous obscured constants within the code, complicating analysis. The payload runs directly in memory without creating a persistent file on the system.

[Image: Sample information]

The sample initiates communication by sending a POST request containing the device’s hardware ID (HWID) to the “paradiso4.fun” domain, which likely serves for authentication or registration purposes.

Following the server’s response, the sample transmits data in subsequent one-way POST requests, suggesting a potential data exfiltration attempt or reporting functionality to the C2 server.

[Image: Encrypted data from traffic]

Analysis of the sent data shows that the byte 0xC occurs far more often than any other, which suggests single-byte XOR encryption with key 0xC: every zero byte in the plaintext (common in binary headers and padding) is XORed into the key value itself.

Decrypting the data in CyberChef with that key uncovers PKZip archives containing system information such as hostnames, processor details and running processes, confirming the encryption method and indicating data exfiltration or system monitoring activity.
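The key-recovery reasoning above can be automated as a defender-side check on captured POST bodies. The following is an added example, not code from the article or from ANY.RUN: it builds a constructed PKZip archive locally (no real DeerStealer traffic), XORs it with the key 0xC the article reports, recovers the key from the most frequent byte, and verifies the result by its PKZip signature.

```python
import io
import zipfile
from collections import Counter

# Constructed sample: a small PKZip archive of "system info", built here so the
# example runs offline. It only mimics the format the article describes
# (XOR-encoded PKZip archives in one-way POST bodies); it is not real traffic.
def build_sample_archive() -> bytes:
    buf = io.BytesIO()
    # ZIP_STORED keeps the plaintext structure (and its zero bytes) intact.
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(
            "sysinfo.txt",
            "hostname=WORKSTATION-01\ncpu=Example CPU @ 3.0GHz\n"
            "procs=explorer.exe,chrome.exe\n",
        )
    return buf.getvalue()

KEY_USED_BY_SAMPLE = 0x0C  # the single-byte key reported in the article

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def guess_single_byte_xor_key(blob: bytes) -> int:
    """Heuristic from the article: 0x00 is the most common byte in PKZip headers
    and null-padded fields, and 0x00 ^ key == key, so the most frequent byte
    of the encoded blob is most likely the key itself."""
    most_common_byte, _ = Counter(blob).most_common(1)[0]
    return most_common_byte

def decode_and_verify(blob: bytes):
    """Guess the key, decode, and confirm the result is a PKZip archive by its
    local file header signature. Returns (key, member names) or None."""
    key = guess_single_byte_xor_key(blob)
    plain = xor_bytes(blob, key)
    if not plain.startswith(b"PK\x03\x04"):
        return None
    with zipfile.ZipFile(io.BytesIO(plain)) as zf:
        return key, zf.namelist()

def detect_xor_zip_post_body(body: bytes) -> bool:
    """Detection check for a network sensor or proxy log: does this POST body
    decode to a PKZip archive under the frequency-derived XOR key?"""
    return decode_and_verify(body) is not None

if __name__ == "__main__":
    encoded = xor_bytes(build_sample_archive(), KEY_USED_BY_SAMPLE)
    print(decode_and_verify(encoded))  # → (12, ['sysinfo.txt'])
```

The same check generalizes to any single-byte key, since the key is derived from the data rather than hard-coded; the signature test keeps a chance byte-frequency match from producing a false positive.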

[Image: New XFiles version release]

Researchers identified a YARA rule matching a DeerStealer sample, subsequently discovering two similar samples linked to the XFiles family, sharing the common tactic of using fake, legitimate software sites for distribution.

DeerStealer is a compiled machine-code application, whereas XFiles is .NET-based malware. DeerStealer also uses staged C2 communication, sending the HWID before transmitting any data, unlike XFiles, which uses a single POST request.

IOCs


Source: CybersecurityNews.com
