Latrodectus, are you coming back? | Bitsight

Latrodectus, a loader malware, was affected by Operation Endgame which shut down several botnets and disrupted infrastructure; Latrodectus’ operations overlapped with IcedID. This article provides a technical analysis of Latrodectus, its persistence, C2 communications, and capabilities up until the Operation Endgame disruption. Hashtags: #Latrodectus #OperationEndgame #IcedID #TA577 #TA578 #Pikabot #Smokeloader #Bumblebee #Trickbot #Bitsight

Keypoints

  • Operation Endgame (May 2024) disrupted multiple botnets and caused Latrodectus infrastructure to go offline, with overlap noted between Latrodectus and IcedID.
  • Latrodectus is a loader distributed via email spam by actors TA577 and TA578, capable of downloading and executing additional payloads and modules.
  • Anti-analysis features include sandbox and debugger checks to abort if running in containment.
  • Latrodectus uses HTTPS POST requests to register with C2 servers and receive commands, with beacon data RC4-encrypted and base64-encoded.
  • Persistence is achieved by moving to Appdata and creating a Windows scheduled task (Updater) via COM to run at logon.
  • The malware conducts reconnaissance and credential collection (desktop filenames, running processes, sysinfo) and uses beacons to carry this data back to C2.

MITRE Techniques

  • [T1497] Virtualization/Sandbox Evasion – Anti-analysis: ‘Upon starting, Latrodectus ensures that it is not running in a contained environment like a sandbox.’
  • [T1057] Process Discovery – Check for other instances of itself to avoid infecting the same machine twice: ‘checks for other instances of itself to avoid infecting the same machine twice.’
  • [T1071.001] Web Protocols – C2 over HTTPS: ‘Latrodectus uses POST requests over HTTPS to register itself with the C2 servers and receive additional instructions and commands.’
  • [T1027.001] Obfuscated/Compressed Data – RC4 encryption with base64 encoding for beacon data: ‘RC4 encryption with the key 12345, base64 encodes it.’
  • [T1053.005] Scheduled Task – Persistence via COM-created Updater task to run at every logon: ‘create a scheduled task named Updater, ensuring that the malware runs at every logon.’
  • [T1082] System Information Discovery – Recon commands executed and results stored in memory: ‘This command executes a pre-defined list of reconnaissance commands and stores the output of each in an in-memory structure.’
  • [T1083] File and Directory Discovery – Collect desktop filenames as part of a desktop links beacon: ‘This command collects the desktop filenames and builds a list as follows: &desklinks=[“filename1”, “filename2”, …].’
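The beacon encoding described in the keypoints and in the T1027.001 entry (RC4 with a static key such as 12345, then base64) is simple enough that an analyst can reverse it on captured POST bodies pulled from proxy or IDS logs. The following is an added example written for this summary, not code from Bitsight or from the malware: it implements standard RC4 and base64, tries each RC4 key listed in the indicators against a body, and keeps only decryptions that yield printable ASCII. The sample beacon body is constructed here by encoding a made-up `desklinks` line with key 12345; no real captured traffic is included.

```python
import base64

# RC4 keys taken from the indicators above (one of the listed keys is not
# reproduced in this summary, so only these three are tried).
KNOWN_RC4_KEYS = [
    "12345",
    "eNIHaXC815vAqddR21qsuD35eJFL7CnSOLI9vUBdcb5RPcS0h6",
    "xkxp7pKhnkQxUokR2dl00qsRa6Hx0xvQ31jTD7EwUqj4RXWtHwELbZFbOoqCnXl8",
]


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). RC4 is symmetric, so this both encrypts and decrypts."""
    # Key-scheduling algorithm
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm, XORed over the data
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def encode_beacon(plaintext: str, key: str) -> str:
    """Encode a beacon body the way the summary describes: RC4, then base64."""
    return base64.b64encode(rc4(key.encode(), plaintext.encode())).decode()


def decode_beacon(body: str, key: str) -> bytes:
    """Reverse the encoding: base64-decode, then RC4 with the given key."""
    return rc4(key.encode(), base64.b64decode(body))


def is_printable_ascii(data: bytes) -> bool:
    """True if every byte is printable ASCII; a wrong RC4 key yields random bytes."""
    return len(data) > 0 and all(0x20 <= b < 0x7F for b in data)


def decode_with_candidate_keys(body: str, keys=KNOWN_RC4_KEYS) -> dict:
    """Try each candidate key; return {key: decoded text} for keys that give printable output."""
    hits = {}
    for key in keys:
        decoded = decode_beacon(body, key)
        if is_printable_ascii(decoded):
            hits[key] = decoded.decode("ascii")
    return hits


# Constructed sample: a desktop-links beacon in the format quoted under T1083,
# encoded with the key 12345 from the indicators. Not real captured traffic.
SAMPLE_PLAINTEXT = 'desklinks=["report.docx", "notes.txt"]'
SAMPLE_BODY = encode_beacon(SAMPLE_PLAINTEXT, "12345")


if __name__ == "__main__":
    print("encoded body:", SAMPLE_BODY)
    for key, text in decode_with_candidate_keys(SAMPLE_BODY).items():
        print(f"key {key!r} -> {text}")
```

Because the key is static and the format is a plain query string, a single successful decode confirms both the key and the beacon type, which is useful when triaging logged POST bodies to the listed C2 domains.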

Indicators of Compromise

  • [File hashes] Latrodectus bot – 5edc39cbd89d3ba70a4737f823933af93f3c182134af8e34e0af9a316afaaca8, 9fad77b6c9968ccf160a20fee17c3ea0d944e91eda9a3ea937027618e2f9e54e and 2 more hashes
  • [RC4 keys] – 12345, eNIHaXC815vAqddR21qsuD35eJFL7CnSOLI9vUBdcb5RPcS0h6, xkxp7pKhnkQxUokR2dl00qsRa6Hx0xvQ31jTD7EwUqj4RXWtHwELbZFbOoqCnXl8 and 1 more
  • [C2 domains] – antyparkov.site, aplihartom.com, appet… (truncated; 29 more domains not listed here)
  • [Campaign groups] – test, Novik, Olimp, Liniska (and 7+ more groups)
  • [Files] – update_data.dat (location under %appdata%), and RC4-encrypted beacon data

Read more: https://www.bitsight.com/blog/latrodectus-are-you-coming-back