Latrodectus Employs New anti-Debugging And Sandbox Evasion Techniques

Latrodectus, a new malware loader, has rapidly evolved since its discovery, potentially replacing IcedID.

It includes a command to download IcedID and has undergone multiple iterations, likely to evade detection. 

Extracting configurations from these versions is crucial for effective threat detection, as the Latrodectus malware has evolved over the past year, with new versions released every few months. 

The malware’s distribution chain has remained consistent, utilizing JavaScript and MSI droppers to deliver the final DLL payload.

The payload itself has undergone changes, with the most recent version featuring four unique exports that share the same address and execute the same core logic.

Protecting Your Networks & Endpoints With UnderDefense MDR – Request Free Demo

The Latrodectus malware family evolved its decryption methods, transitioning from PRNG-based XOR to rolling XOR and adopting AES-256 CTR.

Additionally, it expanded its command-and-control capabilities with new commands and removed specific self-deletion techniques.

It employs a process count check to evade sandboxes by enumerating the Windows version and terminating if the number of active processes falls below a threshold specific to the OS.

The VMRay Platform counters this, allowing users to adjust the background process count during analysis.

The evasion check verifies if the MAC address length is 6 bytes. If not, the program terminates a security measure to prevent unauthorized access, as non-standard MAC addresses could indicate potential threats or vulnerabilities.

The malware checks if it’s being debugged by examining the PEB’s BeingDebugged flag and if it’s running on WOW64, and the check might be to detect emulation scenarios.

Latrodectus initially used a PRNG for string encryption but later switched to a rolling XOR method.

Currently, it employs AES-256 with a hardcoded key and variable IV. Encrypted strings are stored in the .data section with length and IV information preceding the encrypted data.

It resolves DLLs and APIs using CRC32 checksums by comparing filenames and function exports with hardcoded values. The open-source tool HashDB can assist in reversing these hashes.

By copying itself to the %APPDATA% folder with a unique filename based on the hardware ID, it then uses COM to create a scheduled task that runs the malware whenever the user logs on.

It also uses a hardcoded mutex to prevent re-infection and generates unique group IDs for each version, which IDs are used to create an FNV1a hash that can be brute-forced to determine the campaign name.

A script was created to generate a massive wordlist and iterate through it to find the matching hash.

According to VMray, Latrodectus is a new malware loader that uses a unique hardware ID generation based on volume serial number and a hardcoded constant, which can self-delete using a technique observed in DarkSide and other malware. 

It communicates with the C2 server using a specific User Agent string and sends RC4 encrypted data with various parameters. The C2 server can send commands to the infected host to perform various malicious activities.

Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!