Warning, beware! DeerStealer infostyler is distributed under the guise of Google Authenticator.

Andrey Plat
3 min readAug 8, 2024

--

Google has fallen victim to its own advertising platform, Malwarebytes researchers say. The point is that attackers are creating ads promoting the fake Google Authenticator application, under the guise of which they are distributing the DeerStealer malware.

Experts say that attackers still manage to place ads in Google’s search results, with ads supposedly linked to legitimate domains, which creates a false sense of trust among users. For example, in a new malware campaign, attackers create ads that promote Google Authenticator when users search for the software on Google.

Most convincing are malicious ads that use google.com and https://www.google.com as URLs, which clearly shouldn’t be the case if the ads are created by a third-party organization.

When clicking on the fake ad, the visitor goes through a series of redirects and eventually arrives at the chromeweb-authenticators.com landing page, which pretends to be a genuine Google portal.

ANY.RUN researchers, who specialize in malware analysis, also followed the campaign and shared additional data about the hackers’ webpages. According to the analysts, the attackers used domains with similar names, such as authenticcator-desktop[.]com, chromstore-authenticificator[.]com and authenticator-gogle[.]com.

Clicking on the Download Authenticator button downloads a signed executable named Authenticator.exe (VirusTotal) hosted on GitHub. The repository where the malware is hosted is called authgg and its owner is authe-gogle.

The malware sample downloaded by Malwarebytes appeared to be signed by Songyuan Meiying Electronic Products Co., Ltd. the day before the download, while ANY.RUN specialists received a payload signed by Reedcode Ltd.

A valid signature gives the file trust in Windows, allows it to bypass security solutions and run on the victim’s device without warning.

As a result, the DeerStealer malware is deployed on the user’s system, stealing credentials, cookies and other information stored in the browser.

Researchers note that they have already encountered this effective URL masking strategy in other malware campaigns, including those related to KeePass, the Arc browser, YouTube and Amazon. However, Google continues to “overlook” such issues.

Malwarebytes writes that Google verifies the identity of the advertiser when doing so, demonstrating another weakness in the IT giant’s advertising platform.

Bleeping Computer reported that Google has now already blocked the fake advertiser reported by Malwarebytes.

When journalists asked the company’s representatives how the attackers continue to post malicious ads and pretend to be legitimate companies, Google said that the attackers evade detection by creating thousands of accounts, using text manipulation and cloaking to show reviewers and automated verification systems completely different sites than what ordinary users end up seeing.

Special to @BrainsHasking.

Want to learn more useful information subscribe to the legendary channel https://t.me/BrainsHacking.

BrainsHacking is — Security | OSINT | Software | Bots | Neural Networks and Artificial Intelligence | Hacking | Hacking | Hacks.

--

--

Andrey Plat
Andrey Plat

Written by Andrey Plat

Blockchain projects, promotion and development. Open source intelligence (OSINT). Non-standard tasks, with non-standard execution.

No responses yet