    Latrodectus Malware Loader Emerges as IcedID’s Successor in Phishing Campaigns

    Cybersecurity experts have noted a significant uptick in email phishing assaults commencing in early March 2024, which deliver Latrodectus, a burgeoning malware loader poised to supplant the notorious IcedID malware.

    “These campaigns typically feature a distinct infection sequence involving oversized JavaScript files that exploit WMI’s functionality to call msiexec.exe and install a remotely-hosted MSI file from a WEBDAV share,” explained Daniel Stepanic and Samir Bousseaden from Elastic Security Labs.
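    The infection sequence quoted above (WMI calling msiexec.exe to install an MSI from a WebDAV share) is what a detection rule would key on. The following Python is added here as an example and is not code from Elastic or the original article: it scores constructed process-creation events on two indicators, msiexec.exe whose install source is a WebDAV-style UNC path or URL, and msiexec.exe whose parent is the WMI provider host (WmiPrvSE.exe). The event field names and all sample values are assumptions.

```python
import re

# Constructed sample process-creation events (not real telemetry); field names are assumed.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i \\203.0.113.10@80\share\update.msi /qn"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\alice\Downloads\tool.msi"},
    {"parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i https://example.invalid/pkg.msi /quiet"},
    {"parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\ProgramData\agent.msi /qn"},
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"svchost.exe -k netsvcs"},
]

# WebDAV-style UNC source (\\host@80\ or \\host@SSL\), the DavWWWRoot alias, or a bare URL.
REMOTE_MSI_SOURCE = re.compile(r"(?i)(\\\\[^\\\s]+@(?:ssl|\d+)\\|davwwwroot|https?://)")
WMI_PROVIDER_HOST = re.compile(r"(?i)\\wmiprvse\.exe$")


def classify_event(event):
    """Return the indicators matched by one process-creation event (empty if not msiexec)."""
    if not event["image"].lower().endswith("\\msiexec.exe"):
        return []
    hits = []
    if REMOTE_MSI_SOURCE.search(event["cmdline"]):
        hits.append("remote_or_webdav_msi_source")
    if WMI_PROVIDER_HOST.search(event["parent"]):
        hits.append("spawned_by_wmi_provider_host")
    return hits


def find_suspicious(events):
    """Score every event: both indicators together are 'high', a single one 'medium'."""
    findings = []
    for index, event in enumerate(events):
        hits = classify_event(event)
        if hits:
            findings.append({"index": index, "indicators": hits,
                             "severity": "high" if len(hits) == 2 else "medium"})
    return findings
```

    Running find_suspicious(SAMPLE_EVENTS) flags the two WMI-spawned remote installs as high and the WMI-spawned local install as medium, while the user-initiated local install produces no finding.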

    Latrodectus possesses the typical capabilities expected of a malware loader, designed to deploy additional payloads such as QakBot, DarkGate, and PikaBot, enabling threat actors to execute various post-exploitation operations.

    Detailed examination of recent Latrodectus samples reveals a strong emphasis on enumeration and execution, incorporating a self-deletion mechanism to remove active files.

    The malware, which impersonates libraries associated with legitimate software, employs code obfuscation and anti-analysis techniques to thwart execution in debugging or sandboxed environments.

    Latrodectus establishes persistence on Windows systems using scheduled tasks and communicates with a command-and-control (C2) server over HTTPS to receive instructions. These instructions allow it to gather system information, update, restart, and terminate itself, as well as execute shellcode, DLL, and executable files.

    Since its emergence in late 2023, two new commands have been added: the ability to list files in the desktop directory and retrieve the entire process ancestry from the infected machine.

    Although Latrodectus can download and execute IcedID (command ID 18) from the C2 server, Elastic has not observed this behavior in active deployments.

    “There seems to be a development linkage or collaborative effort between IcedID and Latrodectus,” the researchers noted.

    “One theory is that Latrodectus is being actively developed as a replacement for IcedID, and the handler (#18) was incorporated until the developers were confident in Latrodectus’ capabilities.”

    In a related development, Forcepoint has analyzed a phishing campaign that uses invoice-themed email lures to deliver DarkGate malware.

    This attack chain begins with phishing emails masquerading as QuickBooks invoices, prompting recipients to install Java via an embedded link that leads to a malicious Java archive (JAR). The JAR file executes a PowerShell script, which downloads and launches DarkGate via an AutoIT script.

    Social engineering efforts have also employed an updated version of a phishing-as-a-service (PhaaS) platform called Tycoon to harvest Microsoft 365 and Gmail session cookies and circumvent multi-factor authentication (MFA) protections.

    “This new version boasts enhanced detection evasion capabilities, making it even more challenging for security systems to identify and block the kit,” commented Proofpoint. “Significant changes to the kit’s JavaScript and HTML code enhance its stealthiness and efficacy.”

    These improvements include obfuscation techniques to make the source code less comprehensible and dynamic code generation to modify the code each time it runs, thereby evading signature-based detection systems.

    Other social engineering campaigns identified in March 2024 have utilized Google ads impersonating Calendly and Rufus to distribute another malware loader known as D3F@ck Loader. This loader, which surfaced in cybercrime forums in January 2024, ultimately drops Raccoon Stealer and DanaBot.

    “The D3F@ck Loader case demonstrates how malware-as-a-service (MaaS) continues to advance, employing Extended Validation (EV) certificates to circumvent trusted security measures,” observed cybersecurity firm eSentire.

    Additionally, new stealer malware families such as Fletchen Stealer, WaveStealer, zEus Stealer, and Ziraat Stealer have been identified, alongside the Remcos remote access trojan (RAT), which uses a PrivateLoader module to enhance its capabilities.

    “By installing VB scripts, altering the registry, and configuring services to restart the malware at variable intervals or by control, Remcos can fully infiltrate a system and remain undetected,” reported the SonicWall Capture Labs threat research team.