{
  "name": "Double Trouble: Latrodectus And ACR Stealer Observed Spreading Via Google Authenticator Phishing Site",
  "slug": "double-trouble-latrodectus-and-acr-stealer-observed-spreading-via-google-authenticator-phishing-site",
  "description": "The Cyble Research and Intelligence Lab (CRIL) discovered a sophisticated phishing website mimicking Google Safety Centre, designed to trick users into downloading malware. The malware, compromising security and stealing sensitive information, drops two threats: Latrodectus, which maintains persistence and collects user data; and ACR Stealer, which employs Dead Drop Resolver to obscure its Command and Control server. Latrodectus shows ongoing development with encryption key updates and new commands.",
  "published": "2024-08-20T07:06:29+00:00",
  "created_at": "2024-08-20T07:06:29+00:00",
  "modified_at": "2024-08-20T07:25:45+00:00",
  "created_at_opencti": "2024-08-20T07:06:29+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-08-20",
    "acr stealer",
    "cybersecurity",
    "downloader",
    "latrodectus",
    "malware",
    "phishing",
    "stealer"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "https://webipanalyzer.com/GoogleAuthSetup.exe"
      },
      {
        "id": "",
        "name": "https://spikeliftall.com/live/"
      },
      {
        "id": "",
        "name": "https://godfaetret.com/live/"
      },
      {
        "id": "",
        "name": "https://geotravelsgi.xyz/ujs/2ae977f4-db12-4876-9e4d-fc8d1778842d"
      },
      {
        "id": "",
        "name": "spikeliftall.com"
      },
      {
        "id": "",
        "name": "webipanalyzer.com"
      },
      {
        "id": "",
        "name": "googleaauthenticator.com"
      },
      {
        "id": "",
        "name": "geotravelsgi.xyz"
      },
      {
        "id": "",
        "name": "godfaetret.com"
      },
      {
        "id": "",
        "name": "c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0"
      },
      {
        "id": "",
        "name": "81bc69a33b33949809d630e4fa5cdb89d8c60cf0783f447680c3677cae7bb9bb"
      },
      {
        "id": "",
        "name": "62536e1486be7e31df6c111ed96777b9e3f2a912a2d7111253ae6a5519e71830"
      },
      {
        "id": "",
        "name": "532c9bc2e30150bef61a050386509dd5f3c152688898f6be616393f10b9262d3"
      },
      {
        "id": "",
        "name": "a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91"
      },
      {
        "id": "",
        "name": "9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507"
      }
    ],
    "malware": [
      {
        "id": "b732c72d-6b65-4bd1-ade4-2709a317deed",
        "name": "ACR Stealer",
        "slug": "acr-stealer"
      },
      {
        "id": "d908f85b-23ab-437b-8806-bdda8a362b72",
        "name": "Latrodectus",
        "slug": "latrodectus"
      }
    ],
    "attack_patterns": [
      {
        "id": "535a45a7-819f-46fa-947a-c9eabd27c419",
        "name": "T1555.005"
      },
      {
        "id": "40f0d8e3-bcd7-4b97-a958-f55815698fc5",
        "name": "T1053.005"
      },
      {
        "id": "436e795b-553f-444e-b837-65818d8f539f",
        "name": "T1119"
      },
      {
        "id": "b7ba0db0-7d4f-436f-8d5f-c431d690b048",
        "name": "T1555.003"
      },
      {
        "id": "e1b18ecf-d74e-4fe6-9bd4-ca6a62e7d818",
        "name": "T1027.002"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "eaff4611-3c78-4127-8745-726f77ed68ba",
        "name": "T1070.004"
      },
      {
        "id": "60972cf6-e90b-4600-af3c-13c468391d9c",
        "name": "T1106"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2017-11882"
      },
      {
        "id": "",
        "name": "CVE-2024-21412"
      },
      {
        "id": "",
        "name": "CVE-2024-21893"
      },
      {
        "id": "",
        "name": "CVE-2024-21887"
      },
      {
        "id": "",
        "name": "CVE-2023-46805"
      },
      {
        "id": "",
        "name": "CVE-2021-44228"
      }
    ]
  },
  "external_refs": [
    "https://cyble.com/blog/double-trouble-latrodectus-and-acr-stealer-observed-spreading-via-google-authenticator-phishing-site/",
    "https://otx.alienvault.com/pulse/66c45c9502fac52d01335ad3"
  ]
}