This new malware shares several characteristics with the ICEDID loader, including the use of encrypted payload techniques and similar network infrastructure. Despite being relatively new, LATRODECTUS facilitates extensive post-breach operations with its lightweight and minimalistic codebase.
Recent trends show an increase in email campaigns deploying this loader. These campaigns use oversized JavaScript for remote MSI installations via WMI or msiexec.exe. Following the collapse of QBOT and the decline of ICEDID, LATRODECTUS and PIKABOT are emerging as streamlined replacements.
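The delivery chain described above (a script-host attachment that drives a remote MSI install through msiexec.exe) leaves a recognisable process-creation pattern. The following detection logic is an added example, not code from the original article or from any vendor: it runs over a few constructed process-creation events, flags msiexec.exe installing a package from a URL, and scores the case where the parent is a Windows script host higher. The event fields and sample values are assumptions, not artefacts taken from the page.

```python
"""Flag process-creation events consistent with a script-driven remote MSI install.

Added example (not from the original article). The event schema and the sample
events below are constructed; the URL placeholder is deliberately non-routable.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Script hosts that an oversized .js attachment would be run by.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# A package argument that points at a remote location rather than a local file.
REMOTE_MSI_RE = re.compile(r"https?://\S+\.msi\b", re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    image: str          # full path of the created process
    cmdline: str        # its command line
    parent_image: str   # full path of the parent process


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def classify(ev: ProcEvent) -> Optional[str]:
    """Return a reason string if the event looks like a remote MSI install, else None."""
    if _basename(ev.image) != "msiexec.exe":
        return None
    if not REMOTE_MSI_RE.search(ev.cmdline):
        return None  # local package paths are routine and not flagged here
    if _basename(ev.parent_image) in SCRIPT_HOSTS:
        return "high: msiexec.exe fetching a remote MSI, spawned by a script host"
    return "medium: msiexec.exe fetching a remote MSI"


def scan(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Run classify() over a batch and return (pid, reason) for every hit."""
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason:
            hits.append((ev.pid, reason))
    return hits


# Constructed sample events: one benign local install, one remote install from a
# script host, one remote install from another parent, and the script host itself.
SAMPLE_EVENTS = [
    ProcEvent(1001, r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "C:\Users\u\Downloads\setup.msi" /qn',
              r"C:\Windows\explorer.exe"),
    ProcEvent(1002, r"C:\Windows\System32\msiexec.exe",
              "msiexec.exe /i http://example.invalid/pkg.msi /qn",
              r"C:\Windows\System32\wscript.exe"),
    ProcEvent(1003, r"C:\Windows\System32\msiexec.exe",
              "msiexec.exe /i http://example.invalid/pkg.msi /qn",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(1004, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\u\Downloads\invoice.js"',
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, reason in scan(SAMPLE_EVENTS):
        print(pid, reason)
```

The local-path case is intentionally not flagged so the rule stays quiet on ordinary software installs; tuning the parent list to whatever script or office hosts are expected in a given environment is the main knob.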
LATRODECTUS initially disguises itself as TRUFOS.SYS from Bitdefender, necessitating unpacking. It features a DLL with four exports at the same address and uses arithmetic or bitwise operations on encrypted bytes to obfuscate strings. It performs dynamic import resolution, checking for kernel32.dll and ntdll.dll, while other DLLs undergo wildcard searches and CRC32 validation in the Windows system directory.
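When a loader validates module names by CRC32 rather than by string comparison, an analyst reverses the check by hashing a candidate list and matching the constants found in the sample. The helper below is an added example, not code from the article or from the malware: it builds a lookup over several plausible hashing conventions (ASCII or UTF-16LE, as-is or case-folded) because the article does not say which one the loader uses, so the convention that produces a match is itself part of the result. The candidate DLL list is an assumption chosen for illustration.

```python
"""Resolve CRC32 constants back to DLL names across several hashing conventions.

Added example (not from the original article). Which convention the loader uses
is not stated there, so every candidate name is hashed under each convention.
"""
import zlib
from typing import Callable, Dict, List, Tuple

# Plausible ways a loader might feed a name into CRC32 before comparing.
CONVENTIONS: Dict[str, Callable[[str], bytes]] = {
    "ascii-asis":    lambda s: s.encode("ascii"),
    "ascii-lower":   lambda s: s.lower().encode("ascii"),
    "ascii-upper":   lambda s: s.upper().encode("ascii"),
    "utf16le-lower": lambda s: s.lower().encode("utf-16-le"),
}

# Assumed candidate set; extend with the module names seen in the sample.
CANDIDATE_DLLS = [
    "kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll",
    "ws2_32.dll", "wininet.dll", "shell32.dll", "ole32.dll",
]


def crc32_of(data: bytes) -> int:
    """Standard (zlib) CRC32, masked to 32 bits so results are stable across versions."""
    return zlib.crc32(data) & 0xFFFFFFFF


def build_table(names: List[str]) -> Dict[int, List[Tuple[str, str]]]:
    """Map each CRC32 value to the (convention, name) pairs that produce it."""
    table: Dict[int, List[Tuple[str, str]]] = {}
    for conv, encode in CONVENTIONS.items():
        for name in names:
            table.setdefault(crc32_of(encode(name)), []).append((conv, name))
    return table


def resolve(value: int, table: Dict[int, List[Tuple[str, str]]]) -> List[Tuple[str, str]]:
    """Return every (convention, name) whose hash equals value; empty if unknown."""
    return table.get(value & 0xFFFFFFFF, [])


if __name__ == "__main__":
    table = build_table(CANDIDATE_DLLS)
    # Constructed query: the hash of "ntdll.dll" under the utf16le-lower convention.
    probe = crc32_of("ntdll.dll".encode("utf-16-le"))
    print(hex(probe), resolve(probe, table))
```

A hash that resolves under exactly one convention pins down how the loader normalises names, which in turn tells you how to hash the rest of the constants pulled from the binary.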
The loader employs several anti-analysis techniques, including monitoring for debuggers, validating the running process count against OS version thresholds to detect sandboxes and VMs, checking for WOW64 execution, and verifying valid MAC addresses. It uses a typo-mutex “runnung” and generates hardware IDs or campaign hashes from volume serial numbers.
To establish persistence, the malware sets up a scheduled “Updater” task via Windows COM. It fetches Command and Control (C2) domains, reads existing data files, and encrypts C2 communications using RC4. The loader can execute various commands, including downloading or launching PE files, DLLs, shellcodes, binary updates, and delivering ICEDID.
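Because the article reports RC4 for C2 traffic, an analyst who has recovered the key from a sample can decrypt captured messages offline. The block below is an added example, not code from the article: a plain RC4 implementation checked against the published RC4 test vectors, applied to a constructed message under a constructed key. RC4 is symmetric, so the same function encrypts and decrypts; nothing here reproduces the loader's actual key schedule or message format, which the article does not describe.

```python
"""RC4 keystream cipher for decrypting captured traffic with a recovered key.

Added example (not from the original article). The key and message below are
constructed; the only real values are the standard RC4 test vectors in the
verification function.
"""
from typing import List


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt data with RC4 (the operation is its own inverse)."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    # Key-scheduling algorithm: permute S under the key.
    s: List[int] = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation: XOR each byte with the next keystream byte.
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def known_vectors_ok() -> bool:
    """Check the implementation against the widely published RC4 test vectors."""
    return (
        rc4(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"
        and rc4(b"Wiki", b"pedia").hex() == "1021bf0420"
        and rc4(b"Secret", b"Attack at dawn").hex() == "45a01f645fc35b383552544b9bf5"
    )


def decrypt_capture(key: bytes, ciphertext: bytes) -> bytes:
    """Decrypt one captured message; a wrapper so the intent is clear at the call site."""
    return rc4(key, ciphertext)


# Constructed sample: a key assumed to have been recovered from a sample, and a
# message encrypted with it to stand in for a captured C2 payload.
SAMPLE_KEY = b"recovered-key-placeholder"
SAMPLE_PLAINTEXT = b"id=0000&cmd=ping"
SAMPLE_CAPTURE = rc4(SAMPLE_KEY, SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print("vectors ok:", known_vectors_ok())
    print(decrypt_capture(SAMPLE_KEY, SAMPLE_CAPTURE))
```

Checking the known vectors first matters in practice: a subtle off-by-one in the key schedule still produces plausible-looking bytes, and without the vectors you would blame the recovered key instead of the implementation.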
To evade incident response, LATRODECTUS uses alternate data streams to delete itself. Its core functionalities include gathering information about processes and desktop files, executing code, and communicating with C2 servers.
Source: Cyber Security News
To mitigate potential threats, it is important to implement additional cybersecurity measures with the help of a trusted partner like INFRA www.infrascan.net, or you can try it yourself using check.website.