Latrodectus Malware

It is reported that a malware campaign distributing sophisticated malware, named as Latrodectus (aka BlackWidow), is currently active. This malware acts as loader and backdoor which is often attributed to the same threat actor behind IcedID (aka LunarSpider) malware campaign. It is typically distributed via phishing emails targeting various sectors. Its modular design supports stealth, persistence, and the ability to download and execute additional payloads such as DLLs, EXEs, stealer malware etc.

Infection Mechanism

The primary infection technique is through malicious emails impersonate services like DocuSign containing HTML or PDF attachments embedded with phishing URL.

Fig-1: Infection chain (Source: Forcepoint)

The pdf consists of compromised domain that will further leads through URL shorteners (e.g., cutt.ly) and compromised/ suspicious domains before fetching a malicious obfuscated JavaScript loader hosted via Google Cloud Storage.

Fig.2: Initial Phishing document (Source: Forcepoint)

The script contains numerous junk comments (such as “//” and “////”) to obscure the actual code, and spawns ActiveXObject("WindowsInstaller.Installer") to initiate the download of an MSI installer. Later on, MSI drops a 64-bit DLL into %APPDATA%, then runs it via rundll32.exe. In HTML variant, PowerShell is used to launch the DLL directly. Latrodectus sets up a backdoor that allows attackers to remotely control the system, execute commands, download additional payloads, and exfiltrate sensitive data. For its evasion technique, it can detect if it running in Sandbox environment and uses RC4 encryption over HTTP-based C2 communication (typically port 8041).

Indicator of Compromise:

URLs:

• hxxps://delview[.]com/MobileDefault[.]aspx?reff=hxxps://cutt[.]ly/seU8MT6t#_fZ0NmW
• hxxps://cutt[.]ly/seU8MT6t#_fZ0NmW
• hxxps://digitalpinnaclepub[.]com/?3

C2 Domain:

• topguningit[.]com
• lofiramegi[.]com
• carflotyup[.]com
• daringdesigners[.]com
• pros0512[.]com
• prot12-05[.]com
• domtrst455[.]com
• rofleratom[.]com
• tiguanin[.]com
• greshunka[.]com
• bazarunet[.]com
• mazinom[.]com
• leroboy[.]com
• krinzhodom[.]com
• klemanzino[.]net
• rilomenifis[.]com
• isomicrotich[.]com

Hashes:

• 35A990C3BE798108C9D12A47F4A028468EA6095B
• 9361621490915EBB919B79C6101874F03E4E51BC

For more detailed list of IoC, kindly refer the below URLs:

• https://www.forcepoint.com/blog/x-labs/inside-latrodectus-malware-phishing-campaign
• https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice
• https://www.logpoint.com/en/blog/emerging-threats/latrodectus-the-wrath-of-black-widow/

Best Practices and Recommendations:

• Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In cases of genuine URLs close out the e-mail and go to the organization’s website directly through browser.
• Update software and operating systems with the latest patches. Outdated applications and operating systems are the targets of most attacks.
• It is advised to block office applications from creating executable files.
• Do not download and install applications from untrusted sources (offered via unknown websites/ links on unscrupulous messages). Install applications downloaded from reputed application market only. Users must be aware while clicking on links during web search.
• Prohibit external FTP connections and blacklist downloads of known offensive security tools.
• All operating systems and applications should be kept updated on a regular basis. Virtual patching can be considered for protecting legacy systems and networks. This measure hinders cybercriminals from gaining easy access to any system through vulnerabilities in outdated applications and software. Avoid applying updates / patches available in any unofficial channel.
• Restrict execution of Power shell /WSCRIPT in an enterprise environment. Ensure installation and use of the latest version of PowerShell, with enhanced logging enabled. Script block logging and transcription enabled. Send the associated logs to a centralized log repository for monitoring and analysis. https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
• Establish a Sender Policy Framework (SPF) for your domain, which is an email validation system designed to prevent spam by detecting email spoofing by which most of the ransomware samples successfully reaches the corporate email boxes.
• Application whitelisting/Strict implementation of Software Restriction Policies (SRP) to block binaries running from %APPDATA% and %TEMP% paths. Ransomware sample drops and executes generally from these locations.
• Users are advised to disable their RDP if not in use, if required, it should be placed behind the firewall and users are to bind with proper policies while using the RDP.
• Install ad blockers to combat exploit kits such as Fallout that are distributed via malicious advertising.
• Block the attachments of file types, exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf
• Consider encrypting the confidential data as the ransomware generally targets common file types.
• Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
• Network segmentation and segregation into security zones - help protect sensitive information and critical services. Separate administrative network from business processes with physical controls and Virtual Local Area Networks.

References:

• https://www.forcepoint.com/blog/x-labs/inside-latrodectus-malware-phishing-campaign
• https://www.logpoint.com/en/blog/emerging-threats/latrodectus-the-wrath-of-black-widow/
• https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice