Latrodectus, a new malware loader, has evolved rapidly since its discovery and is likely intended as a replacement for IcedID.
It includes a command to download IcedID and has gone through several iterations designed to evade detection.
Extracting configurations from these variants is essential for effective threat detection, because Latrodectus has evolved over the past year, with new variants released every few months.
The malware's distribution chain has remained consistent, using JavaScript and MSI droppers to deliver the final DLL payload.
The payload itself has changed, with the latest version including four distinct exports that share the same address and execute the same core logic.

The Latrodectus malware family evolved its decryption methods, transitioning from PRNG-based XOR to rolling XOR and then adopting AES-256 CTR.
It also expanded its command-and-control capabilities with new commands and removed certain self-deletion techniques.
It employs a process-count check to evade sandboxes: it enumerates the Windows version and terminates if the number of active processes falls below a threshold specific to that OS.
The VMRay Platform counters this by allowing users to adjust the background process count during analysis.


The evasion check verifies that the MAC address length is 6 bytes. If it is not, the program terminates as a protective measure, since a non-standard MAC address may indicate an unexpected environment such as a sandbox.
The malware checks whether it is being debugged by examining the PEB's BeingDebugged flag and whether it is running under WOW64; the latter check is likely intended to detect emulation environments.


Latrodectus initially used a PRNG for string encryption but later switched to a rolling XOR method.
Currently, it employs AES-256 with a hardcoded key and a variable IV. Encrypted strings are stored in the .data section, with the length and IV preceding the encrypted data.
It resolves DLLs and APIs using CRC32 checksums, comparing filenames and function exports against hardcoded values. The open-source tool HashDB can assist in reversing these hashes.


It copies itself to the %APPDATA% folder with a unique filename derived from the hardware ID, then uses COM to create a scheduled task that runs the malware every time the user logs on.
It also uses a hardcoded mutex to prevent re-infection and generates unique group IDs for each version; these IDs are used to create an FNV1a hash that can be brute-forced to determine the campaign name.
A script was created to generate a large wordlist and iterate through it to find the matching hash.
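The wordlist brute-force described above, as an added example that is not VMRay's script: it assumes the 32-bit FNV-1a variant (standard offset basis and prime; the report does not state the width) and that the group ID is the raw ASCII campaign name. The seed words and the target hash are constructed here for illustration.

```python
import itertools

FNV32_OFFSET = 0x811C9DC5
FNV32_PRIME = 0x01000193


def fnv1a32(data: bytes) -> int:
    """32-bit FNV-1a over raw bytes (assumed variant; the report does not state the width)."""
    h = FNV32_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV32_PRIME) & 0xFFFFFFFF
    return h


def candidates(base_words, max_parts=2):
    """Expand a seed list the way a campaign-name wordlist is built:
    short concatenations of seed words plus simple case variants."""
    seen = set()
    for n in range(1, max_parts + 1):
        for parts in itertools.product(base_words, repeat=n):
            word = "".join(parts)
            for variant in (word, word.lower(), word.upper(), word.capitalize()):
                if variant not in seen:
                    seen.add(variant)
                    yield variant


def recover_campaign_name(target_hash, base_words, max_parts=2):
    """Return the first wordlist entry whose FNV-1a hash equals the group-ID hash, or None."""
    for word in candidates(base_words, max_parts):
        if fnv1a32(word.encode("ascii")) == target_hash:
            return word
    return None


# Constructed seed words and a constructed target hash (derived here, not a real group ID).
SEED_WORDS = ["team", "alpha", "1"]
EXAMPLE_TARGET = fnv1a32(b"Team1")

if __name__ == "__main__":
    print(hex(EXAMPLE_TARGET), recover_campaign_name(EXAMPLE_TARGET, SEED_WORDS))
```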


According to VMRay, Latrodectus is a new malware loader that uses a unique hardware ID generated from the volume serial number and a hardcoded constant, and it can self-delete using a technique observed in DarkSide and other malware.
It communicates with the C2 server using a specific User-Agent string and sends RC4-encrypted data with various parameters. The C2 server can send commands to the infected host to perform various malicious actions.