Latrodectus Loader
This research examines the distribution mechanisms, C2 traffic patterns, and functionality of Latrodectus loader.
Latrodectus is a loader first identified in October 2023 by researchers at Walmart. Walmart researchers identified a Latrodectus sample while investigating an IcedID campaign. Overlaps between IcedID and Latrodectus include: using the same network infrastructure, similar patterns in C2 traffic, and the DLL exports pointing to the same export function address. Recently, several different threat actors have been observed to use Latrodectus during intrusion campaigns where the primary delivery mechanism has been through email. Researchers at both Proofpoint and Palo Alto Networks’ Unit42 have reported that victims received emails containing links leading to the download and execution of Latrodectus samples.
This blog provides an overview on distribution mechanisms, C2 traffic patterns, and the functionality of Latrodectus with the aim of highlighting core capabilities:
- Obtaining new C2 domains
- Running anti-analysis checks
- Downloading and executing different file types
- Collecting system information
How is it delivered?
Proofpoint’s Threat Research Team observed campaigns from two different threat actors using Latrodectus, TA577 and TA578. While the intrusion attempts by both actors start with email delivery, the intermediary steps taken to download Latrodectus samples differ slightly.
TA577’s Delivery of Latrodectus
Proofpoint identified TA577, an initial access broker that previously used QBot extensively, as using Latrodectus in three separate intrusion campaigns in November 2023. TA577 uses emails to start intrusions by hijacking existing email threads and tricking victims to interact with attachments or embedded links. In one of the campaigns, the actor avoided thread hijacking and began to send emails containing links that downloaded a JavaScript file. The JavaScript file created and executed other scripts that in turn executed a Latrodectus DLL. In another campaign, the JavaScript file directly downloaded and executed Latrodectus instead of creating additional scripts. The group has also experimented with ISO files and LNK files as part of the infection chain.
TA578’s Delivery of Latrodectus
TA578 is a threat actor that has previously used email to deliver malware such as Ursnif, BazaLoader and IcedID. In one of the TA578 campaigns, the threat actor impersonated companies to send threats about copyright infringement. The email contained language encouraging the recipient to access a contained link. The link redirected to a spoofed website for the company the threat actors were masquerading as. In the background, a JavaScript file was downloaded. When the JavaScript file was executed, it used msiexec.exe to execute a MSI that was retrieved from a remote WebDav share.
This sequence of events was also observed by Palo Alto Networks’ Unit 42 which reported that Latrodectus being used to drop Lumma Stealer onto victim devices.
C2 Communication
Latrodectus sends back host information to C2 servers through POST requests where HTTP parameters are appended together. The information includes victim information that is used to uniquely identify the compromised host. The data sent back to the host is encrypted using RC4 and Base64-encoded before being sent to the C2 as part of the HTTP body. Researchers have observed that the RC4 key, 12345, has been reused across different samples.
An example of the HTTP POST requests was shared by Elastic in a recent blog is shown below.
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Host: aytobusesre.com
Content-Length: 256
Cache-Control: no-cache
M1pNDFh7flKrBaDJqAPvJ98BTFDZdSDWDD8o3bMJbpmu0qdYv0FCZ0u6GtKSN0g//WHAS2npR/HDoLtIKBgkLwyrIh/3EJ+UR/0EKhYUzgm9K4DotfExUiX9FBy/HeV7C4PgPDigm55zCU7O9kSADMtviAodjuRBVW3DJ2Pf5+pGH9SG1VI8bdmZg+6GQFpcFTGjdWVcrORkxBjCGq3Eiv2svt3+ZFIN126PcvN95YJ0ie1Puljfs3wqsW455V7
The decoded content of the HTTP POST request is:
counter=0&type=1&guid=249507485CA29F24F77B0F43D7BA&os=6&arch=1&username=user&group=510584660&ver=1.1&up=4&direction=aytobusesre.com&mac=00:0c:24:0e:29:85;&computername=DESKTOP-3C4ILHO&domain=
The table below shows the information sent back to the C2 server.
The value of up is unique for different samples and the exact purpose of this value is unclear at this point.
As shown in Figure 5 below, the C2 responds with a list of commands below.
Proofpoint researchers shared an example of a response issued to an infected machine that included clearing existing C2s, setting new ones, and then collecting information from the device.
E3l9I35LXiOWKYHilDWuJoUOTU3NOyjNGnp3muFUOrabzvFw6FpoOQqdBZmsUV5E7FzXWHKgBafR6PcPckBsIB2vIhb3CZ/QHPoEO1hc0A++PpLQjpRWJkK3EFDxH/R5RYjhInO8hc0jTljC91GMVstjkxgQnuZLGBW6AV/gz4VrNMWUxFUtP4fdg/HKCREbRm+gIHkH/7Jc9Q==
Latrodectus Capabilities
When the C2 server responds with the instruction command, it includes a number which the malware uses to execute the correct command. Each action performed by the malware in response to the C2 response is done through common handlers. The command handlers check the value of response after command to identify the course of action that is taken.
The table below highlights the different commands the malware is capable of handling.
An example of the data collected from an infected hosts desktop is:
counter=0&type=1&guid=249507485CA29F24F77B0F43D7BA&os=6&arch=1&username=user&group=510584660&ver=1.1&up=4&direction=aytobusesre.com&desklinks=["OneDrive.lnk","OneNote.lnk","PowerPoint.lnk","Notepad++.lnk","Excel.lnk","Google Chrome.lnk","Snipping Tool.lnk","Notepad.lnk","Paint.lnk"]
To retrieve the list of running processes, the malware uses the Windows API - CreateToolhelp32Snapshot.
Elastic researchers discovered that the bp.dat file is used to execute the IcedID payload using rundll32.exe.
Dynamic API Resolving
Similar to other malware, Latrodectus samples resolve APIs at runtime. This means that a limited idea of its functionality can only be determined when looking at the imported APIs during static analysis. To resolve additional APIs at runtime, the malware queries the Process Environment Block (PEB) to resolve kernel32.dll and ntdll.dll. To get libraries from user32.dll and wininet.dll, the malware searches for all DLLs in the Windows system directory, gets the filename and then computes the CRC32 checksum value. The malware loads libraries using LoadLibraryW when the checksum value matches a desired hash.
Anti-Analysis Techniques
The sample leverages several anti-analysis techniques to make analysis of the malware more difficult. These techniques include:
- Checking the BeingDebuggedFlag in the PEB
- Checking the number of running processes
- If there are fewer than 75 running processes then the operating system needs to be Windows 10, 11 or Windows Server 2016
- Checking the operating system version
- If there are less than 50 running processes then the operating system can be Windows Server 2003 R2, Windows XP, Windows 2000, Windows 7, Windows 8, or Windows Server 2012/R2
- Checking if the process is running as a 32-bit application on a 64-bit Operating system
- Checking the MAC address of the device
- The sample terminates if a valid MAC address is not found
Conclusion
Latrodectus is a newer loader that has been observed within the threat landscape and leveraged by multiple threat actors. The malware has notable overlaps with IcedID and adopts several anti-analysis techniques which make it difficult to detect and analyse. Latrodectus C2s can send commands over HTTP requests that instruct the malware to perform additional actions such as executing files, collecting system information, and terminating its own processes.
Recommendations
- Continued User Awareness Training
- Latrodectus requires user execution. Continued user awareness training mitigates the risk posed by spam and malvertising by teaching users how these threats work and what to look out for.
- Ensure that security solutions have detections in place for activity that associated with Latrodectus
- Ensure that host based logging solutions such as SIEM and EDR are able to alert on Rundll32 being used to download executables and when Rundll32 is used to initiate connections to public IP addresses.
- Proofpoint shared the following Suricata rules to detect Latrodectus network activity.
- 2048735 ET MALWARE Latrodectus Loader Related Activity (POST)
- 2049231 ET MALWARE Latrodectus Alive Request (GET)
- 2049232 ET MALWARE Latrodectus Alive Response M1
- 2049233 ET MALWARE Latrodectus 404 Response
- 2049700 ET MALWARE Latrodectus Alive Response M2
- 2049701 ET MALWARE Latrodectus Alive Response M3
- 2049702 ET MALWARE Latrodectus Alive Response M4
- 2049703 ET MALWARE Latrodectus Alive Response M5
- 2049704 ET MALWARE Latrodectus Alive Response M6
- 2049705 ET MALWARE Latrodectus Alive Response M7
- 2049706 ET MALWARE Latrodectus Alive Response M8
- 2051602 ET MALWARE Latrodectus Related Activity (POST)
Indicators of Compromise
The table below contains a subset of 250+ Latrodectus network IoCs that have been identified, aggregated, and added to the Pulsedive platform. This data can be queried in Pulsedive using the Explore query threat=Latrodectus and is available for export in multiple formats (CSV, STIX 2.1, JSON).
MITRE ATT&CK TTPs
References
- https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice
- https://www.elastic.co/security-labs/spring-cleaning-with-latrodectus
- https://medium.com/walmartglobaltech/icedid-gets-loaded-af073b7b6d39
- https://cyberfraudcentre.com/latrodectus-malware-a-new-threat-disguised-as-legitimate-services