Wednesday, December 25, 2024
HomeCyber Security NewsLatrodectus Employs New anti-Debugging And Sandbox Evasion Techniques

Latrodectus Employs New anti-Debugging And Sandbox Evasion Techniques

Published on

SIEM as a Service

Latrodectus, a new malware loader, has rapidly evolved since its discovery, potentially replacing IcedID.

It includes a command to download IcedID and has undergone multiple iterations, likely to evade detection. 

Extracting configurations from these versions is crucial for effective threat detection, as the Latrodectus malware has evolved over the past year, with new versions released every few months. 

- Advertisement - SIEM as a Service

The malware’s distribution chain has remained consistent, utilizing JavaScript and MSI droppers to deliver the final DLL payload.

The payload itself has undergone changes, with the most recent version featuring four unique exports that share the same address and execute the same core logic.

Protecting Your Networks & Endpoints With UnderDefense MDR – Request Free Demo

VMRay Platform’s dynamic analysis reveals the malicious behavior of Latrodectus
VMRay Platform’s dynamic analysis reveals the malicious behavior of Latrodectus

The Latrodectus malware family evolved its decryption methods, transitioning from PRNG-based XOR to rolling XOR and adopting AES-256 CTR.

Additionally, it expanded its command-and-control capabilities with new commands and removed specific self-deletion techniques.

It employs a process count check to evade sandboxes by enumerating the Windows version and terminating if the number of active processes falls below a threshold specific to the OS.

The VMRay Platform counters this, allowing users to adjust the background process count during analysis.

Latrodectus enumerating Windows OS version
Latrodectus enumerating Windows OS version

The evasion check verifies if the MAC address length is 6 bytes. If not, the program terminates a security measure to prevent unauthorized access, as non-standard MAC addresses could indicate potential threats or vulnerabilities.

The malware checks if it’s being debugged by examining the PEB’s BeingDebugged flag and if it’s running on WOW64, and the check might be to detect emulation scenarios.

Checking the running process against IsWow64Process
Checking the running process against IsWow64Process

Latrodectus initially used a PRNG for string encryption but later switched to a rolling XOR method.

Currently, it employs AES-256 with a hardcoded key and variable IV. Encrypted strings are stored in the .data section with length and IV information preceding the encrypted data.

It resolves DLLs and APIs using CRC32 checksums by comparing filenames and function exports with hardcoded values. The open-source tool HashDB can assist in reversing these hashes.

CRC32-based API hashing in Latrodectus
CRC32-based API hashing in Latrodectus

By copying itself to the %APPDATA% folder with a unique filename based on the hardware ID, it then uses COM to create a scheduled task that runs the malware whenever the user logs on.

It also uses a hardcoded mutex to prevent re-infection and generates unique group IDs for each version, which IDs are used to create an FNV1a hash that can be brute-forced to determine the campaign name.

A script was created to generate a massive wordlist and iterate through it to find the matching hash.

Command handler IDs for more functionalities
Command handler IDs for more functionalities

According to VMray, Latrodectus is a new malware loader that uses a unique hardware ID generation based on volume serial number and a hardcoded constant, which can self-delete using a technique observed in DarkSide and other malware. 

It communicates with the C2 server using a specific User Agent string and sends RC4 encrypted data with various parameters. The C2 server can send commands to the infected host to perform various malicious activities.

Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!

Latest articles

IBM AIX TCP/IP Vulnerability Lets Attackers Exploit to Launch Denial of Service Attack

IBM has issued a security bulletin warning of two vulnerabilities in its AIX operating...

Apache Auth-Bypass Vulnerability Lets Attackers Gain Control Over HugeGraph-Server

The Apache Software Foundation has issued a security alert regarding a critical vulnerability...

USA Launched Cyber Attack on Chinese Technology Firms

The Chinese National Internet Emergency Center (CNIE) has revealed two significant cases of cyber...

Node.js systeminformation Package Vulnerability Exposes Millions of Systems to RCE Attacks

A critical command injection vulnerability in the popular systeminformation npm package has recently been disclosed, exposing...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

IBM AIX TCP/IP Vulnerability Lets Attackers Exploit to Launch Denial of Service Attack

IBM has issued a security bulletin warning of two vulnerabilities in its AIX operating...

Apache Auth-Bypass Vulnerability Lets Attackers Gain Control Over HugeGraph-Server

The Apache Software Foundation has issued a security alert regarding a critical vulnerability...

USA Launched Cyber Attack on Chinese Technology Firms

The Chinese National Internet Emergency Center (CNIE) has revealed two significant cases of cyber...