| Latrodectus | |
|---|---|
| Type of Malware | Backdoor |
| Additional names | Unidentified 111, LACKWIDOW, IceNova, Lotus |
| Date of initial activity | 2023 |
| Country of Origin | Russia |
| Associated Groups | LUNAR SPIDER, TA577, TA578 |
| Motivation | Latrodectus is designed to infiltrate systems and extract valuable data. It also aims to download further payloads and execute arbitrary commands. |
| Type of Information Stolen | Corporate Data, Login Credentials, Financial Information, Browser Data, Personally Identifiable Information (PII), Communication Data, Cryptocurrencies |
| Attack Vectors | Latrodectus is typically delivered as part of multi-stage attacks, which often begin with a phishing email carrying a malicious JavaScript file attachment. It has also been dropped by other malware, including the DanaBot trojan. |
| Targeted System | Windows |
Overview
First discovered in October 2023, LATRODECTUS is a backdoor written in C that communicates over HTTP using RC4-encrypted requests. The malware can execute discovery commands, query information about the victim’s machine, update itself, and download and execute an EXE, DLL, or shellcode. It is believed to have been developed by LUNAR SPIDER, the creators of the IcedID (aka BokBot) malware.
LATRODECTUS offers a comprehensive range of standard capabilities that threat actors can use to deploy further payloads and conduct various activities after initial compromise. The code base isn’t obfuscated and contains only 11 command handlers, focused on enumeration and execution.
Since 2023, Latrodectus has been extensively used by a variety of threat actors, including advanced persistent threat (APT) groups such as TA578 and TA577, the latter previously observed delivering the Qbot malware, a banking trojan family.
The primary functionality of Latrodectus is to receive commands from the attackers and perform them.
Some of the key capabilities of Latrodectus include:
- Getting a list of filenames of files located on the desktop of the infected machine.
- Listing all the processes currently running on the device.
- Gathering and transmitting additional system information about the endpoint, such as the OS version and hardware specs.
- Launching executable files to install malware or to perform other malicious actions.
- Detonating dynamic link library (DLL) files.
- Using Windows command prompt to execute commands.
Targets
Web Browsers, Cryptocurrency Wallets, Messaging Platforms, Corporate and Personal Systems, Financial Data.
How they operate
A typical Latrodectus infection chain begins with a JavaScript file that downloads a malicious .msi file, leading to the deployment of the final payload on the system. The malware employs obfuscation techniques, such as encrypting strings, to hinder analysis by researchers. It communicates with its command and control (C2) server via HTTPS, with both requests and responses encrypted using RC4 and base64 encoding.
Latrodectus has a built-in sandbox detection mechanism that checks the number of active processes on the device and the presence of a MAC address.
Malware Initialization
The malware starts by resolving the Windows APIs it needs in bulk. Once all functions are resolved to their global pointers, the malware ensures it is running in a suitable environment by performing virtualization checks. It checks the host for the following features, as their absence generally indicates the sample is being run in a sandbox:
- If Windows 10 or newer, at least 75 running processes.
- If earlier than Windows 10, at least 50 running processes.
- A 64-bit application running on a 64-bit host.
- A valid MAC address.
With all checks passed, the malware initializes variables for the campaign, including the current user’s username, a handle to its own file, a handle to the current process, and the campaign ID. The campaign ID (a string of letters) is hashed via FNV-1a to create the numeric campaign ID, which is included in the communications protocol.
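The campaign ID derivation described above, as an added example that is not from the page or the malware's code. It hashes a campaign string with FNV-1a and includes an analyst helper that maps numeric IDs seen in registration traffic back to candidate campaign strings. The 32-bit FNV-1a variant and ASCII encoding are assumptions; the page does not state the hash width or encoding, and the candidate names used are constructed.

```python
# Added example (not from the page or the malware's code): deriving the numeric
# campaign ID from the campaign string with FNV-1a, as the page describes.
# Assumption: the 32-bit FNV-1a variant over the ASCII bytes of the string;
# the page does not state the hash width or the encoding.
from typing import Dict, List, Optional

FNV32_OFFSET_BASIS = 0x811C9DC5
FNV32_PRIME = 0x01000193


def fnv1a_32(data: bytes) -> int:
    """Standard 32-bit FNV-1a: XOR each byte into the state, then multiply by the prime."""
    h = FNV32_OFFSET_BASIS
    for b in data:
        h ^= b
        h = (h * FNV32_PRIME) & 0xFFFFFFFF
    return h


def campaign_id(campaign_name: str) -> int:
    """Numeric campaign ID for a letters-only campaign string."""
    return fnv1a_32(campaign_name.encode("ascii"))


def match_observed_ids(observed: List[int], candidates: List[str]) -> Dict[int, Optional[str]]:
    """Analyst helper: map numeric IDs seen in registration traffic back to
    candidate campaign strings; None where no candidate hashes to that ID."""
    table = {campaign_id(name): name for name in candidates}
    return {cid: table.get(cid) for cid in observed}


if __name__ == "__main__":
    # Constructed candidate names; not real Latrodectus campaign strings.
    names = ["alpha", "bravo"]
    for n in names:
        print(f"{n} -> {campaign_id(n)} (0x{campaign_id(n):08x})")
    print(match_observed_ids([campaign_id("bravo"), 12345], names))
```

Because FNV-1a is not reversible, recovering a campaign string from a numeric ID seen on the wire means hashing a list of candidate strings and comparing, which is what `match_observed_ids` does.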
Latrodectus generates bot IDs for each unique host on which the malware is installed. Like IcedID, the bot ID is generated via the host’s serial ID. This serial is then passed to the bot ID creation function, which multiplies the serial by a hardcoded constant, returns the result, and updates the serial to generate the next DWORD of the bot ID.
Before communicating, the malware ensures it’s running from the designated location in %AppData%, derived from the bot ID. If not, it copies itself to the new location, starts the new process, and shuts down the current process.
Once the malware is running from its designated location or has restarted in the new location, it creates a thread to initiate the communications component.
Malware Communication
Latrodectus, like IcedID, sends registration information in a POST request where the fields are concatenated HTTP parameters. This string is RC4 encrypted with the key “12345”, base64 encoded, and sent to the C2 in the HTTP body.
If the bot is coming from an IP that is not blocklisted and passes all other filtering, a response will be returned. When decoded and decrypted with the global key “12345”, this response contains a list of commands for the first command handler to interpret.
The response is parsed by major keywords. The “URLs” keyword replaces the C2s within the sample with the three listed in the command. When “COMMAND” is processed, it triggers a second-layer command handler, which checks that the token after COMMAND is one of the expected command IDs. These commands support a feature also found in IcedID: they check for the string “front” in the argument, used to load the sysinfo shellcode, and replace it with the currently active C2 with “/files/” appended.
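The transport and response handling described in the two paragraphs above, as an added example that is not from the page or the malware's code: it decodes a captured body the way an analyst would (base64, then RC4 with the key “12345”) and interprets the result by keyword, rejecting unknown command IDs and expanding the “front” placeholder to the active C2 plus “/files/”. The registration field names, the one-directive-per-line response layout, the command IDs and the hostnames are assumptions constructed for the demonstration.

```python
# Added example (not from the page, not the malware's code): decoding a
# Latrodectus-style C2 exchange as an analyst would. The page gives the
# transport (RC4 with key "12345", then base64) and the keywords; the field
# names, line layout, command IDs and hostnames below are assumptions.
import base64
import re
from typing import Dict, Set

RC4_KEY = b"12345"  # the global key the page names


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encode_body(plaintext: str, key: bytes = RC4_KEY) -> str:
    """Bot side as the page describes it: RC4, then base64, into the HTTP body."""
    return base64.b64encode(rc4(key, plaintext.encode())).decode()


def decode_body(body: str, key: bytes = RC4_KEY) -> str:
    """Analyst side: base64-decode the captured body, then RC4 with the same key."""
    return rc4(key, base64.b64decode(body)).decode()


def parse_response(text: str, active_c2: str, known_ids: Set[int]) -> Dict[str, list]:
    """Keyword parser for a decoded C2 response. Assumed line layout (not from
    the page): one directive per line, 'URLS <c2-1> <c2-2> <c2-3>' or
    'COMMAND <id> [argument]'. Mirrors the two checks the page describes:
    the token after COMMAND must be a known command ID, and a 'front'
    placeholder in the argument becomes the active C2 plus '/files/'."""
    parsed = {"urls": [], "commands": [], "rejected": []}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0].upper() == "URLS":  # page spells the keyword "URLs"
            parsed["urls"] = tokens[1:4]
        elif tokens[0] == "COMMAND" and len(tokens) >= 2:
            try:
                cmd_id = int(tokens[1])
            except ValueError:
                parsed["rejected"].append(tokens[1])
                continue
            if cmd_id not in known_ids:
                parsed["rejected"].append(cmd_id)
                continue
            arg = " ".join(tokens[2:])
            arg = re.sub(r"front/?", active_c2.rstrip("/") + "/files/", arg)
            parsed["commands"].append((cmd_id, arg))
    return parsed


# Constructed sample traffic (not a real capture). The field names, the
# command IDs and the hostnames are invented for the demonstration.
REGISTRATION = "counter=0&type=1&group=1234&bot_id=deadbeef"
KNOWN_COMMAND_IDS = {12, 14, 15}
ACTIVE_C2 = "https://c2-one.example"
SAMPLE_RESPONSE_BODY = encode_body(
    "URLS https://c2-one.example https://c2-two.example https://c2-three.example\n"
    "COMMAND 12 front/sysinfo.bin\n"
    "COMMAND 99 ignored\n"
)


def demo() -> Dict[str, list]:
    """Round-trip the registration body, then decode and parse the sample response."""
    wire = encode_body(REGISTRATION)
    assert decode_body(wire) == REGISTRATION
    return parse_response(decode_body(SAMPLE_RESPONSE_BODY), ACTIVE_C2, KNOWN_COMMAND_IDS)


if __name__ == "__main__":
    print(demo())
```

Because the key is fixed and RC4 is symmetric, the same `decode_body` call works on both the bot's POST body and the server's response, which is what makes this traffic recoverable from a packet capture without the sample.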
Significant Malware Campaigns
- Researchers have identified nearly a dozen campaigns delivering Latrodectus, beginning in February 2024. The malware is used by actors assessed to be initial access brokers (IABs).