Google Ads Hijacked: Weaponized Authenticator Steals Your Data

Recently, a brand impersonation campaign used a fraudulent Google Ads advertisement for Authenticator in which the advertiser was presented as a Google employee who did not exist.

Although the ad appeared legitimate because the advertiser had passed Google's verification, it redirected users through several intermediary domains controlled by the attacker before landing on a malicious Authenticator clone. This highlights the need for robust advertiser verification processes to prevent such attacks.

[Figure: Number of redirects]

A fraudulent website, chromeweb-authenticators[.]com, was rapidly deployed to host a malicious payload. The website’s domain was registered on the same day the associated advertisement appeared, suggesting a coordinated attack. 

The signed payload, likely a malicious application, was hosted on GitHub for distribution, which indicates a potential supply chain attack vector and highlights the need for robust domain monitoring and code signing verification.

The attackers leveraged a legitimate platform, GitHub, to distribute their malicious payload, emphasizing the importance of secure software development practices and supply chain integrity. 

The rapid deployment of the fraudulent website and the simultaneous appearance of the advertisement underscore the need for proactive threat intelligence and incident response capabilities.

The website’s source code includes a function that directly downloads Authenticator.exe from a GitHub repository. This code segment contains comments written in Russian, indicating that a Russian-speaking individual may have been involved in developing or deploying the executable.

The presence of this code explicitly demonstrates the website’s capability to acquire Authenticator.exe from the specified GitHub location. 
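The redirect chain and the landing page described above lend themselves to a simple triage routine a defender can run over captured ad-click data. The following Python script is an added example and is not code from the article or from any vendor named in it. It takes an already-captured redirect chain (the hop URLs, the observation date and the registration dates are constructed; the article names none of the intermediary domains) and a constructed snippet of landing-page source, and raises findings for a long redirect chain, a landing domain that does not belong to the claimed brand, a brand-keyword lookalike, a domain registered within days of the ad, and a direct executable download hosted on GitHub. The only values taken from the article are the landing domain chromeweb-authenticators[.]com, the GitHub alias authe-gogle, the repository authgg and the file name Authenticator.exe; the repository path in the sample is an assumption.

```python
"""Triage of a captured malvertising redirect chain and landing page.

Added example, not code from the article. Hop URLs, dates and the page
snippet are constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlparse

# Apex domains the advertiser claimed to represent (the ad showed "Google").
CLAIMED_BRAND_DOMAINS = {"google.com"}
# Brand words that, in a non-brand apex, suggest a lookalike domain.
BRAND_KEYWORDS = ("google", "authenticator", "chrome")
# Download links to executables hosted on GitHub origins.
CODE_HOST_EXE_RE = re.compile(
    r"https?://(?:raw\.githubusercontent\.com|github\.com|objects\.githubusercontent\.com)"
    r"/[^\s\"'<>]+?\.(?:exe|msi|zip|dmg)\b",
    re.I,
)


@dataclass
class Hop:
    url: str
    status: int  # HTTP status code returned by this hop


def apex(host):
    """Crude apex: last two labels (sufficient for .com/.fun style TLDs)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def chain_findings(hops, ad_seen, registered, max_hops=2):
    """Return (rule, detail) findings for a redirect chain.

    hops       : Hop objects in order; the last one is the landing page
    ad_seen    : date the advertisement was observed
    registered : dict apex -> registration date from WHOIS/RDAP lookups
    """
    findings = []
    landing = apex(urlparse(hops[-1].url).hostname or "")
    redirects = sum(1 for h in hops[:-1] if 300 <= h.status < 400)
    if redirects > max_hops:
        findings.append(("long_redirect_chain", f"{redirects} redirects before landing"))
    if landing not in CLAIMED_BRAND_DOMAINS:
        findings.append(("landing_not_brand", f"landing apex {landing} is not a claimed brand domain"))
        for kw in BRAND_KEYWORDS:
            if kw in landing:
                findings.append(("brand_keyword_lookalike", f"{landing} contains '{kw}'"))
                break
    reg = registered.get(landing)
    if reg is not None and (ad_seen - reg).days <= 7:
        findings.append(("newly_registered_landing",
                         f"registered {reg.isoformat()}, ad seen {ad_seen.isoformat()}"))
    return findings


def executable_links(page_source):
    """Executable download URLs on GitHub origins found in page source."""
    return sorted(set(CODE_HOST_EXE_RE.findall(page_source)))


def triage(hops, ad_seen, registered, page_source):
    """Combine chain and page findings into one verdict dict."""
    findings = chain_findings(hops, ad_seen, registered)
    links = executable_links(page_source)
    return {"findings": findings, "exe_links": links,
            "suspicious": len(findings) >= 2 or bool(links)}


# Constructed sample data (dates and intermediary hosts are not from the article).
AD_SEEN = date(2024, 7, 30)
SAMPLE_CHAIN = [
    Hop("https://ad-click.example/track?id=1", 302),   # constructed tracking hop
    Hop("https://first-hop.example/go", 302),          # constructed intermediary
    Hop("https://second-hop.example/land", 302),       # constructed intermediary
    Hop("https://chromeweb-authenticators.com/", 200),  # landing domain from the article
]
SAMPLE_REGISTRATIONS = {"chromeweb-authenticators.com": AD_SEEN}  # same-day registration
SAMPLE_PAGE = """
<script>
// Constructed snippet; the repository path is an assumption.
function download() {
  window.location = "https://github.com/authe-gogle/authgg/raw/main/Authenticator.exe";
}
</script>
<a onclick="download()">Download Authenticator</a>
"""

if __name__ == "__main__":
    result = triage(SAMPLE_CHAIN, AD_SEEN, SAMPLE_REGISTRATIONS, SAMPLE_PAGE)
    for rule, detail in result["findings"]:
        print(f"{rule}: {detail}")
    print("executable links:", result["exe_links"])
    print("suspicious:", result["suspicious"])
```

The registration-age check depends on a WHOIS or RDAP lookup performed beforehand; the script deliberately takes the result as input so it runs offline against captured data. In practice the same rules can be applied to proxy logs, where the status codes and Location headers of each hop are already recorded.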

[Figure: Source code]

A threat actor leveraged GitHub’s reputation as a trusted cloud platform to host malicious software. Under the alias authe-gogle, they created the authgg repository containing Authenticator.exe. Because GitHub’s open nature allows anyone to upload files, the actor could distribute malware from a trusted origin while bypassing conventional security measures.

The file under examination contains a valid digital signature attributed to Songyuan Meiying Electronic Products Co., Ltd., which was affixed a single day before the present analysis commenced. 

According to Malwarebytes, the signature’s continued validity suggests that the file’s integrity has remained intact since its signing, implying no unauthorized modifications to its content.

[Figure: File properties]

DeerStealer, a malicious software, steals personal data and exfiltrates it to a command-and-control server hosted at vaniloin.fun. Threat actors employ Google ad fraud to lure victims to phishing and malware sites. 

By impersonating Google, attackers successfully distributed DeerStealer disguised as Google Authenticator, underscoring the importance of verifying ad authenticity and downloading software only from official sources. 


Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.
