Fake Google Authenticator Sites Spreading DeerStealer Malware – Researchers Raise Alarm
Researchers from ANY.RUN say they have identified a malware distribution campaign dubbed DeerStealer. The campaign relies on deceptive websites masquerading as legitimate Google Authenticator download pages.
The first such site they discovered was "authentificcatorgoolglte[.]com". It mimics the authentic Google page "safety.google/intl/en_my/cybersecurity-advancements", with the intention of tricking users into believing it is a genuine source for the application.
When a user clicks the download button on the fake website, two malicious actions follow. First, the page transmits the visitor's IP address and country to a Telegram bot, most likely for tracking and potential victim identification. Second, instead of downloading the actual Google Authenticator app, the website redirects the user to a malicious file hosted on GitHub in the repository "Github[.]com/ggle24/ggle2".
This file is believed to contain the DeerStealer malware itself, disguised as a legitimate application. Once downloaded and executed, DeerStealer can steal sensitive user data without the victim's knowledge.
The researchers also shared evidence of the malicious activity:
JavaScript code that sends visitor information to the Telegram bot when the file is downloaded
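As an added example (not part of the report and not ANY.RUN's tooling), the two-step behaviour described above can be turned into a simple detection rule over web proxy logs: a client that beacons to the Telegram Bot API and then fetches a GitHub release asset within a short window is flagged. The log format, the sample lines and the use of api.telegram.org as the bot endpoint are assumptions made for this illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample proxy log lines (not taken from the report): timestamp, client IP, URL.
# Client 10.0.0.5 reproduces the reported sequence; the other clients are benign noise.
SAMPLE_LOG = """\
2024-08-01T10:00:01 10.0.0.5 https://authentificcatorgoolglte.com/
2024-08-01T10:00:04 10.0.0.5 https://api.telegram.org/bot<TOKEN>/sendMessage?text=ip%3D203.0.113.9%20country%3DXX
2024-08-01T10:00:05 10.0.0.5 https://github.com/ggle24/ggle2/releases/download/v1/Authenticator.exe
2024-08-01T10:05:00 10.0.0.7 https://api.telegram.org/bot<TOKEN>/sendMessage?text=hello
2024-08-01T10:30:00 10.0.0.7 https://github.com/some-org/some-repo
2024-08-01T11:00:00 10.0.0.9 https://safety.google/intl/en_my/cybersecurity-advancements
"""

# Telegram Bot API calls look like https://api.telegram.org/bot<token>/<method>.
TELEGRAM_BOT_API = re.compile(r"https?://api\.telegram\.org/bot[^/]+/", re.I)
# GitHub release assets and raw files, i.e. direct file downloads rather than repo browsing.
GITHUB_DOWNLOAD = re.compile(r"https?://github\.com/[^/]+/[^/]+/(releases/download|raw)/", re.I)
WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Split one constructed log line into (timestamp, client, url)."""
    ts, client, url = line.split(" ", 2)
    return datetime.fromisoformat(ts), client, url


def find_beacon_then_download(log_text, window=WINDOW):
    """Return (client, beacon_url, download_url) for every client that hit a
    Telegram bot endpoint and then fetched a GitHub file within `window`."""
    last_beacon = {}  # client -> (timestamp, url) of its most recent Telegram beacon
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, url = parse_line(line)
        if TELEGRAM_BOT_API.search(url):
            last_beacon[client] = (ts, url)
        elif GITHUB_DOWNLOAD.search(url):
            beacon = last_beacon.get(client)
            if beacon and ts - beacon[0] <= window:
                hits.append((client, beacon[1], url))
    return hits


if __name__ == "__main__":
    for client, beacon, download in find_beacon_then_download(SAMPLE_LOG):
        print(f"ALERT {client}: Telegram beacon {beacon} followed by download {download}")
```

Only the client that performs both steps in sequence is reported; a lone Telegram call or ordinary GitHub browsing is not.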