Recently, cybercriminals have stepped up their game, using familiar names like Microsoft Azure and Cloudflare to trick unsuspecting users. These phishing emails appear legitimate, making it tough for regular email filters to spot the danger.
Meet Latrodectus, also known as Unidentified 111 and IceNova. This Windows malware downloader has been spreading rapidly, catching the attention of Walmart's security team, as well as analysts at ProofPoint and Team Cymru. Latrodectus operates as a backdoor, silently infiltrating systems and downloading extra EXE and DLL payloads or carrying out commands without detection.
Experts have been busy analysing the distribution channels and infrastructure of Latrodectus, and their findings suggest a connection to the developers behind the widespread IcedID modular malware loader.
While it's uncertain whether there are plans to replace IcedID with Latrodectus, it's evident that this newer threat is gaining momentum. Cybercriminals are increasingly deploying Latrodectus in phishing schemes and spamming contact forms to infiltrate corporate networks.
Leading security researchers like ProxyLife and the Cryptolaemus group have been diligently tracking Latrodectus's tactics. Their observations reveal a range of strategies, from tempting PDF lures to clever themes. In fact, the most recent campaign even employed a counterfeit Cloudflare captcha to slip past security defences.
The Threat Begins with an Email
Latrodectus has been spotted in reply-chain phishing emails. Cybercriminals hijack existing email threads, replying with links to malware or dangerous attachments. These malicious campaigns employ PDF attachments or embedded URLs as the initial bait, setting off a chain of events that culminate in the installation of Latrodectus malware.
Be wary of seemingly innocuous PDF attachments with names like '04-25-Inv-Doc-339.pdf,' which claim to be documents hosted in the Microsoft Azure cloud. These files require downloading before viewing, but clicking on the 'Download Document' button leads to a deceptive 'Cloudflare security check.' This fake captcha, disguised as a simple maths question, aims to outsmart email security scanners and sandboxes, ensuring that only legitimate users proceed.
Once the correct answer is entered, a JavaScript file masquerading as a document ('Document_i79_13b364058-83054409r0449-8089z4.js') is automatically downloaded. This JavaScript is heavily obfuscated, concealing a hidden function that extracts text from specific comments and then executes the script to download an MSI from a hardcoded URL.
Upon installation, the MSI drops a DLL file named 'Update _b419643a.dll' in the %AppData%\Custom_update folder. This DLL, known as the Latrodectus malware, operates silently in the background, awaiting further instructions or payloads for installation.
To Sum Up
Latrodectus malware infections pose a serious threat as they serve as gateways for other malicious software and provide initial entry points into corporate networks, potentially resulting in catastrophic cyber attacks.
There have been observations of Latrodectus dropping the Lumma information-stealer and Danabot. However, given Latrodectus's association with IcedID, these incidents could pave the way for a broader spectrum of malware in the future, including notorious threats like Cobalt Strike. Additionally, there's a possibility of collaborations with ransomware groups, amplifying the danger.
Should your device fall victim to Latrodectus, swift action is imperative. Disconnect the affected system from the network immediately and conduct a thorough evaluation for any suspicious activity across your network.
