2024-05-01
Security Team
Evolution of Threats: Latrodectus Malware Exploiting Microsoft Azure and Cloudflare in Phishing Campaigns
Cyber Attack
Malware Analysis
Scam And Phishing

Latrodectus malware is now being distributed in phishing campaigns that abuse Microsoft Azure and Cloudflare branding. This is a worrying step in the evolution of malware distribution tactics: leaning on reputable platforms such as Microsoft Azure and Cloudflare lends the phishing campaign an air of legitimacy and also makes the lure harder for email security platforms to trace. It underscores the need for robust security controls together with ongoing vigilance and adaptation to evolving threats. Organizations and individuals must stay current on the latest developments and use a multi-layered security approach to mitigate the risk effectively.


Latrodectus (aka Unidentified 111 and IceNova) is an increasingly distributed Windows malware downloader, first discovered by Walmart's security team and later analyzed by Proofpoint and Team Cymru. It acts as a backdoor, downloading additional EXE and DLL payloads or executing commands.

Based on its distribution and infrastructure, researchers have linked the malware to the developers of the widely distributed IcedID modular malware loader. It is not yet known whether they plan to phase out IcedID in favor of Latrodectus, but the newer malware is increasingly used in phishing campaigns and contact-form spam to gain initial access to corporate networks.

Figure 1: EXE and DLL payload (Source: Shell is coming)


Latrodectus communicates with its command-and-control (C2) server, posting encrypted system information and requesting bot downloads. It can detect sandboxed environments and waits for instructions from the C2 server. Its capabilities include enumerating files and processes, executing binaries, updating the bot, and terminating processes. The attacker infrastructure reveals C2 servers active since September 18, 2023, communicating with an upstream Tier 2 server established around August 2023. Latrodectus' connection to IcedID is evident through shared backend infrastructure and the reuse of previously associated jump boxes. Team Cymru predicts that Latrodectus will see increased use by financially motivated threat actors, particularly those who previously distributed IcedID. This assessment underscores the evolving threat landscape and the need for robust security measures against emerging malware.


Affected Platform(s)/Version(s) - Windows OS

Distribution Method - Phishing Campaign

Attack Type - Malware Attack

Attack Source - Malicious Websites Hosting JavaScript Files

Region - Global

Affected Business(s) - Multiple Sectors


Starts with an email

Reply-chain phishing is a particularly insidious tactic because it exploits pre-existing trust between parties to spread malware. The use of stolen email exchanges adds an extra layer of authenticity, making it harder for recipients to recognize the malicious intent. Whether delivered through PDF attachments or embedded URLs, the end goal is the same: to compromise systems with Latrodectus malware.

Figure 2: Latrodectus phishing email (Source: Bleeping Computer)

The PDFs use generic names like '04-25-Inv-Doc-339.pdf' and pretend to be a document hosted in the Microsoft Azure cloud, which must first be downloaded to be viewed.

Figure 3: PDF document pretending to be hosted in Microsoft Azure Cloud (Source: Bleeping Computer)

The "Download Document" button leads unsuspecting users to a deceptive page masquerading as a "Cloudflare security check," complete with a seemingly innocuous math question. This fake captcha serves a dual purpose: it adds credibility to the scheme while preventing email security scanners and sandboxes from easily following the attack path, so that the payload reaches only genuine users.

Once the math question is answered correctly, the fake Cloudflare captcha triggers the automatic download of a JavaScript file. The file carries a name resembling legitimate document nomenclature, such as "Document_i79_13b364058-83054409r0449-8089z4.js," and so looks benign to unsuspecting victims. This JavaScript file is the conduit through which the malware payload reaches the user's system.

Figure 4: Solving a fake Cloudflare captcha to download the payload (Source: Bleeping Computer)

The downloaded JavaScript file is heavily obfuscated and padded with comments. A hidden function extracts the text from comment lines that start with '////', assembles it into a script, and executes it; that script downloads an MSI from a hardcoded URL, as shown in the deobfuscated script below.

Figure 5: Deobfuscated script that downloads the MSI file (Source: Bleeping Computer)

When the MSI file is installed, it quietly drops a DLL into the %AppData%\Custom_update directory under a name such as "Update_b419643a.dll." The DLL is uniquely named per installation, which hampers name- and hash-based detection, and it lies dormant until launched by rundll32.exe.

This deployment method stays under the radar by hiding in an innocuous-looking folder and using randomized file names. Once activated, the DLL relies on rundll32.exe to run its malicious payload and continue the campaign.

Figure: RunDLL32 used to launch the Latrodectus DLL (Source: Bleeping Computer)
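The rundll32.exe launch from %AppData%\Custom_update is the most concrete host-side signal in this chain. The following Python detector is an added example, not code from the original post or from any vendor: it runs over constructed process-creation events in a simplified key=value format, raises a high-confidence alert on the exact Custom_update\Update_<hex>.dll pattern, and generalizes to a medium-confidence alert for any rundll32.exe loading a DLL from a user-writable AppData path. The log format, timestamps, user names and the DLL export name are all placeholders.

```python
import re

# Constructed process-creation events (not output of any real EDR). The
# ',run' export name after the DLL is a placeholder, not a known value.
SAMPLE_EVENTS = [
    'ts=2024-05-01T09:12:03Z user=alice image=C:\\Windows\\System32\\msiexec.exe '
    'cmd="msiexec /i C:\\Users\\alice\\Downloads\\Document.msi" parent=wscript.exe',
    'ts=2024-05-01T09:12:05Z user=alice image=C:\\Windows\\System32\\rundll32.exe '
    'cmd="rundll32.exe C:\\Users\\alice\\AppData\\Roaming\\Custom_update\\Update_b419643a.dll,run" '
    'parent=msiexec.exe',
    'ts=2024-05-01T09:30:41Z user=bob image=C:\\Windows\\System32\\rundll32.exe '
    'cmd="rundll32.exe shell32.dll,Control_RunDLL desk.cpl" parent=explorer.exe',
    'ts=2024-05-01T10:02:17Z user=carol image=C:\\Windows\\System32\\rundll32.exe '
    'cmd="rundll32.exe C:\\Users\\carol\\AppData\\Local\\Temp\\helper.dll,Start" parent=cmd.exe',
]

# %AppData% expands to <profile>\AppData\Roaming, hence the path below.
CUSTOM_UPDATE_DLL = re.compile(
    r"\\AppData\\Roaming\\Custom_update\\Update_[0-9a-f]+\.dll", re.IGNORECASE)
APPDATA_DLL = re.compile(r"\\AppData\\[^\"]*\.dll", re.IGNORECASE)
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Split one key=value line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def classify(event: dict):
    """Return 'high', 'medium' or None for a single process-creation event."""
    if not event.get("image", "").lower().endswith("\\rundll32.exe"):
        return None
    cmd = event.get("cmd", "")
    if CUSTOM_UPDATE_DLL.search(cmd):
        return "high"    # exact Latrodectus drop path and naming pattern
    if APPDATA_DLL.search(cmd):
        return "medium"  # rundll32 loading a DLL from a user-writable profile path
    return None


def detect(lines):
    """Run the rule over raw log lines and return the alerts in order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        severity = classify(ev)
        if severity:
            alerts.append({"ts": ev.get("ts"), "user": ev.get("user"),
                           "severity": severity, "cmd": ev.get("cmd")})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Correlating a medium alert with a parent of msiexec.exe, as in the second constructed event, is what lifts it to an incident rather than an IT-support ticket.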

Once launched, the DLL reveals itself as the Latrodectus malware, embedding itself in the system and waiting quietly for payloads to deploy or commands to execute.

Latrodectus serves as a gateway for follow-on malware and gives attackers unauthorized access to corporate networks. Its presence can lead to serious consequences, from data breaches to full system compromise, which makes robust security controls and vigilant monitoring essential.

Summary

Latrodectus, a downloader malware named after the black widow spider, has emerged as a significant threat in the cybercrime landscape. First identified in late 2023, it was initially mistaken for a variant of IcedID but has since proven to be a distinct family.

Technical Details

· Type: Downloader Malware

· Delivery Methods: Email Phishing Campaigns (suspected)

· Key Features:
  · Sandbox Evasion Techniques
  · Dynamic Code Resolution
  · Persistence Mechanisms
  · Command and Control (C2) Infrastructure

· Potential Payloads:
  · Remote Access Trojans (RATs)
  · Information Stealers
  · Cryptocurrency Miners

Threat Actors

· Initial Access Brokers (IABs) associated with Latrodectus deployments include:
  · TA577 (Water Curupira)
  · TA578

Impact

Latrodectus poses a serious threat to organizations by:

· Granting attackers remote access and control of infected systems.

· Exfiltrating sensitive data such as credentials and intellectual property.

· Deploying additional malware for further attacks.

· Disrupting operations through cryptocurrency mining activities.

Indicators of Compromise (IOCs) (note: to be replaced with specific IOCs when available)

· Specific file hashes and network indicators associated with Latrodectus are still under investigation. Security researchers recommend monitoring threat intelligence feeds for the latest IOCs.

Mitigation Strategies

· Implement a layered security approach encompassing:
  · Patch Management
  · Endpoint Security Solutions
  · Employee Security Awareness Training
  · Network Segmentation
  · Next-Generation Threat Detection and Prevention (NGTDP)

Recommendations

· Stay informed about the latest malware trends and threats by subscribing to reliable threat intelligence feeds.

· Conduct regular security assessments to identify and address vulnerabilities in your network.

· Regularly update security software and endpoint protection solutions with the latest definitions.

· Implement a comprehensive incident response plan to respond effectively to potential Latrodectus infections.
