Latrodectus uses a downloader/backdoor named MeDExt.dll to control compromised hosts and deploy payloads, impersonating AhnLab’s MeD Engine Extension to avoid detection. The analysis maps the malware to phishing-based initial access, a downloader/backdoor for execution, scheduled tasks created through Windows COM for persistence, and web-based C2 traffic across multiple domains and IPs, underscoring the need for ongoing network monitoring and analysis.
#Latrodectus #MeDExt.dll #AhnLabSmartDefense #BruteRatelC4 #Phishing
Keypoints
- Identified a C2 server at 103.144.139[.]189 as part of Latrodectus infrastructure.
- MeDExt.dll is a downloader that functions as a backdoor for remote command execution.
- Common entry points are phishing campaigns and malicious ads.
- The DLL mimics the legitimate AhnLab MeD Engine Extension, enhancing stealth.
- Communication with C2 involves multiple domains and IP addresses.
- Malware uses Windows COM to achieve persistence via scheduled tasks.
- Defense requires continuous monitoring and detailed network analysis.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – Phishing campaigns likely serve as the entry point for Latrodectus.
- [T1105] Ingress Tool Transfer – MeDExt.dll acts as a downloader that retrieves and deploys additional payloads, and as a backdoor for remote command execution.
- [T1053.005] Scheduled Task – Creates scheduled tasks through the Windows COM Task Scheduler interface for persistence.
- [T1071.001] Web Protocols – C2 communication over web protocols with multiple domains and IP addresses (every listed IP IOC is on port 443).
- [T1036] Masquerading – Spoofing a well-known anti-virus vendor (AhnLab) increases the malware’s stealth and the likelihood of bypassing security measures.
Indicators of Compromise
- [IP Address] initial C2 and related infrastructure – 103.144.139[.]189:443, 188.114.97[.]7:443, 84.32.41[.]12:443, 103.144.139[.]182:443, 45.129.199[.]25:443
- [Domain] associated C2/domains – riscoarchez[.]com, stripplasst[.]com, coolarition[.]com, spikeliftall[.]com, worlpquano[.]com
- [File Name / Hash] MeDExt.dll – 23546ec67474ed6788a14c9410f3fc458b5c5ff8bd13885100fb4f3e930a30bf
- [File Name / Hash] GoogleAuthSetup.ex – 62536e1486be7e31df6c111ed96777b9e3f2a912a2d7111253ae6a5519e71830
- [File Name / Hash] confrontation_d46a184c.exe – a459ce4bfb5d649410231bd4776c194b0891c8c5328bafc22184fe3111c0b3e7
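The IOCs above are only useful once they are refanged and run against telemetry. The script below is an added example, not Hunt.io's tooling or anything from the report: it refangs the defanged IPs and domains, then scans a handful of constructed DNS, connection and file-inventory log lines (the `key=value` line format is an assumption) for the listed domains (including subdomains), C2 IPs (flagging a port that differs from the 443 listed), and file hashes (flagging a known hash that appears under a different file name, since the hash survives a rename but the MeDExt.dll name does not).

```python
"""Hunt constructed telemetry for the Latrodectus IOCs in the report above.

Added example; IOC values are copied from the report, the log lines are
constructed for the demo, and the key=value log format is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# IOCs from the report, kept defanged so the list is safe to copy around.
DEFANGED_IPS = [
    "103.144.139[.]189:443", "188.114.97[.]7:443", "84.32.41[.]12:443",
    "103.144.139[.]182:443", "45.129.199[.]25:443",
]
DEFANGED_DOMAINS = [
    "riscoarchez[.]com", "stripplasst[.]com", "coolarition[.]com",
    "spikeliftall[.]com", "worlpquano[.]com",
]
KNOWN_HASHES = {
    "23546ec67474ed6788a14c9410f3fc458b5c5ff8bd13885100fb4f3e930a30bf": "MeDExt.dll",
    "62536e1486be7e31df6c111ed96777b9e3f2a912a2d7111253ae6a5519e71830": "GoogleAuthSetup.ex",
    "a459ce4bfb5d649410231bd4776c194b0891c8c5328bafc22184fe3111c0b3e7": "confrontation_d46a184c.exe",
}

# Accepts the common defanging styles: "[.]", the half-bracket ".]" / "[." and "(.)".
_DEFANG = re.compile(r"\[\.\]|\.\]|\[\.|\(\.\)")


def refang(value: str) -> str:
    """Turn 'a[.]b', 'a.]b', 'a[.b' or 'a(.)b' back into 'a.b' for matching."""
    return _DEFANG.sub(".", value)


def load_iocs() -> Tuple[Dict[str, int], Set[str]]:
    """Return {ip: port} and a set of lower-cased domains from the defanged lists."""
    ips: Dict[str, int] = {}
    for entry in DEFANGED_IPS:
        host, port = refang(entry).rsplit(":", 1)
        ips[host] = int(port)
    domains = {refang(d).lower() for d in DEFANGED_DOMAINS}
    return ips, domains


@dataclass(frozen=True)
class Match:
    line_no: int
    kind: str    # "domain", "ip" or "hash"
    value: str   # the observed value that matched
    detail: str  # human-readable explanation


_KV = re.compile(r"(\w+)=(\S+)")


def parse_fields(line: str) -> Dict[str, str]:
    """Parse 'key=value' tokens; anything without '=' (timestamps, event type) is ignored."""
    return dict(_KV.findall(line))


def domain_hit(name: str, domains: Set[str]) -> Optional[str]:
    """Exact or subdomain match: 'cdn.riscoarchez.com' hits 'riscoarchez.com'."""
    name = name.lower().rstrip(".")
    for d in domains:
        if name == d or name.endswith("." + d):
            return d
    return None


def scan(lines: List[str], ips: Dict[str, int], domains: Set[str]) -> List[Match]:
    matches: List[Match] = []
    for n, line in enumerate(lines, 1):
        f = parse_fields(line)
        if "query" in f:                                   # DNS log: query=<name>
            d = domain_hit(f["query"], domains)
            if d:
                matches.append(Match(n, "domain", f["query"], f"DNS lookup of C2 domain {d}"))
        if "dst" in f:                                     # connection log: dst=<ip>[:port]
            host, sep, port = f["dst"].rpartition(":")
            if not sep:
                host, port = port, ""
            if host in ips:
                note = ("C2 port" if port == str(ips[host])
                        else f"unexpected port {port} (IOC lists {ips[host]})")
                matches.append(Match(n, "ip", f["dst"], f"connection to C2 IP, {note}"))
        if "sha256" in f:                                  # file inventory: path=<p> sha256=<h>
            h = f["sha256"].lower()
            if h in KNOWN_HASHES:
                name = f.get("path", "?").replace("\\", "/").rsplit("/", 1)[-1]
                note = f"hash of {KNOWN_HASHES[h]}"
                if name.lower() != KNOWN_HASHES[h].lower():
                    note += f", renamed on disk to {name}"
                matches.append(Match(n, "hash", h, note))
    return matches


# Constructed sample telemetry (not from the report): two hosts, one clean DNS/conn pair.
SAMPLE_LOG = [
    "2024-06-03T09:12:01Z dns client=10.0.0.5 query=riscoarchez.com",
    "2024-06-03T09:12:02Z conn src=10.0.0.5 dst=103.144.139.189:443 proto=tls",
    "2024-06-03T09:12:02Z conn src=10.0.0.5 dst=8.8.8.8:53 proto=udp",
    "2024-06-03T09:13:10Z file host=WS-07 path=C:\\Users\\bob\\AppData\\Roaming\\MeDExt.dll "
    "sha256=23546ec67474ed6788a14c9410f3fc458b5c5ff8bd13885100fb4f3e930a30bf",
    "2024-06-03T09:14:00Z dns client=10.0.0.9 query=cdn.spikeliftall.com",
    "2024-06-03T09:15:00Z conn src=10.0.0.9 dst=45.129.199.25:8443 proto=tls",
    "2024-06-03T09:16:00Z file host=WS-09 path=C:\\Temp\\update.dll "
    "sha256=23546EC67474ED6788A14C9410F3FC458B5C5FF8BD13885100FB4F3E930A30BF",
]


def hunt(lines: Optional[List[str]] = None) -> List[Match]:
    """Run the scan over the given lines (defaults to the constructed sample)."""
    ips, domains = load_iocs()
    return scan(SAMPLE_LOG if lines is None else lines, ips, domains)


if __name__ == "__main__":
    for m in hunt():
        print(f"line {m.line_no}: [{m.kind}] {m.value} -> {m.detail}")
```

Matching on the hash rather than the file name is what catches the second copy of MeDExt.dll dropped as `update.dll`; the port check is there because a C2 IP reused on another port is still the same infrastructure and should not be silently ignored. Feed real DNS, proxy and EDR file-inventory exports in the same `key=value` shape, or adapt `parse_fields` to your log format.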
Read more: https://hunt.io/blog/latrodectus-malware-masquerades-as-ahnlab-security-software-to-infect-victims