Latrodectus Malware

Overview:

The Latrodectus malware, a sophisticated and adaptable threat in the cyber landscape, has been actively distributed via email phishing campaigns since at least late November 2023. Emerging as a potential successor to the IcedID loader, it has shown significant capabilities in evasion and payload delivery.

Distribution and Tactics:

The malware is distributed through deceptive phishing lures, typically legal threats and copyright infringement notices. It is linked to Initial Access Brokers, particularly TA577 (aka Water Curupira) and TA578, reflecting a deliberate, brokered approach to initial compromise.

Technical Analysis and Capabilities:

Latrodectus is known for its sandbox evasion capabilities and for executing arbitrary commands after compromise. It validates the execution environment carefully before running, checking the system version and verifying that the host has a valid MAC address.

Indicators of Compromise (IoCs):

Hashes:

LNK, DLL, and JavaScript Payload SHA256 including:


IP Addresses

77[.]91[.]73[.]187:443

74[.]119[.]193[.]200:443

URLs

Compromised and malicious domains including:

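As an added example (not code from the page or from any of the vendors cited below), the helper below refangs indicators written in the hxxp / [.] notation used in the lists above, classifies each one as a hash, IP:port or URL, and matches them against log lines; every indicator and log line in it is a constructed placeholder, not a real Latrodectus IoC.

```python
import re

# Constructed sample indicators in the defanged notation used in the IoC list
# above (hxxp, [.], host:port). Placeholders only, not the page's real indicators.
DEFANGED_IOCS = [
    "hxxps://example-c2[.]test/live/",
    "hxxp://203[.]0[.]113[.]10/share/payload[.]msi",
    "198[.]51[.]100[.]7:443",
    "deadbeef" * 8,  # constructed 64-hex-char SHA256 placeholder
]

# Constructed proxy / EDR log lines to hunt through (not real telemetry).
SAMPLE_LOGS = [
    "2024-03-01T10:00:00Z src=10.0.0.5 dst=198.51.100.7:443 "
    "url=https://example-c2.test/live/ status=200",
    "2024-03-01T10:00:03Z src=10.0.0.9 dst=93.184.216.34:443 "
    "url=https://example.org/ status=200",
    "2024-03-01T10:01:10Z host=WS12 event=file_create sha256="
    + "deadbeef" * 8 + " path=C:\\Users\\a\\update.dll",
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
IPPORT_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d{1,5})?$")


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into the form that appears in logs."""
    s = ioc.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("[:]", ":").replace("[/]", "/")


def classify(ioc: str) -> str:
    """Label a refanged indicator as 'sha256', 'ip', 'url' or 'unknown'."""
    if SHA256_RE.match(ioc.lower()):
        return "sha256"
    if IPPORT_RE.match(ioc):
        return "ip"
    if ioc.lower().startswith(("http://", "https://")):
        return "url"
    return "unknown"


def hunt(ioc_list, log_lines):
    """Return (line_index, kind, indicator) for each log line containing an IoC.

    Matching is a case-insensitive substring test, so a URL indicator also hits
    log entries that carry it with a query string or extra path appended."""
    hits = []
    for raw in ioc_list:
        ioc = refang(raw)
        kind = classify(ioc)
        needle = ioc.lower()
        for i, line in enumerate(log_lines):
            if needle in line.lower():
                hits.append((i, kind, ioc))
    return hits
```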

Website Sources for More Information:

  1. The Hacker News provides insights into the emergence of Latrodectus and its capabilities. For detailed analysis, visit The Hacker News.
  2. Team Cymru offers a deep dive into the Latrodectus malware, emphasizing its potential impact. Learn more at Team Cymru.
  3. Infosecurity Magazine links Latrodectus to previous malware families like IcedID, providing context for its development. Additional information can be found at Infosecurity Magazine.
  4. Proofpoint shares an extensive analysis on Latrodectus, detailing its behavior and threat vectors. For more in-depth information, visit Proofpoint.

Prevention and Mitigation:

Given the sophistication of Latrodectus, organizations should enhance their cybersecurity posture through robust monitoring, phishing awareness training, and the deployment of advanced threat detection solutions.

Conclusion:

Latrodectus represents a significant threat within the cybersecurity domain, necessitating informed and proactive measures to mitigate its impact. The provided IoCs and sources offer critical tools and knowledge for cybersecurity teams to address this evolving challenge effectively.