Cyber Security News

Latrodectus Employs New anti-Debugging And Sandbox Evasion Techniques

Latrodectus, a new malware loader, has rapidly evolved since its discovery, potentially replacing IcedID.

It includes a command to download IcedID and has undergone multiple iterations, likely to evade detection. 

Extracting configurations from these versions is crucial for effective threat detection, as the Latrodectus malware has evolved over the past year, with new versions released every few months. 

The malware’s distribution chain has remained consistent, utilizing JavaScript and MSI droppers to deliver the final DLL payload.

The payload itself has undergone changes, with the most recent version featuring four unique exports that share the same address and execute the same core logic.

Protecting Your Networks & Endpoints With UnderDefense MDR – Request Free Demo

VMRay Platform’s dynamic analysis reveals the malicious behavior of Latrodectus

The Latrodectus malware family evolved its decryption methods, transitioning from PRNG-based XOR to rolling XOR and adopting AES-256 CTR.

Additionally, it expanded its command-and-control capabilities with new commands and removed specific self-deletion techniques.

It employs a process count check to evade sandboxes by enumerating the Windows version and terminating if the number of active processes falls below a threshold specific to the OS.

The VMRay Platform counters this, allowing users to adjust the background process count during analysis.

Latrodectus enumerating Windows OS version

The evasion check verifies if the MAC address length is 6 bytes. If not, the program terminates a security measure to prevent unauthorized access, as non-standard MAC addresses could indicate potential threats or vulnerabilities.

The malware checks if it’s being debugged by examining the PEB’s BeingDebugged flag and if it’s running on WOW64, and the check might be to detect emulation scenarios.

Checking the running process against IsWow64Process

Latrodectus initially used a PRNG for string encryption but later switched to a rolling XOR method.

Currently, it employs AES-256 with a hardcoded key and variable IV. Encrypted strings are stored in the .data section with length and IV information preceding the encrypted data.

It resolves DLLs and APIs using CRC32 checksums by comparing filenames and function exports with hardcoded values. The open-source tool HashDB can assist in reversing these hashes.

CRC32-based API hashing in Latrodectus

By copying itself to the %APPDATA% folder with a unique filename based on the hardware ID, it then uses COM to create a scheduled task that runs the malware whenever the user logs on.

It also uses a hardcoded mutex to prevent re-infection and generates unique group IDs for each version, which IDs are used to create an FNV1a hash that can be brute-forced to determine the campaign name.

A script was created to generate a massive wordlist and iterate through it to find the matching hash.

Command handler IDs for more functionalities

According to VMray, Latrodectus is a new malware loader that uses a unique hardware ID generation based on volume serial number and a hardcoded constant, which can self-delete using a technique observed in DarkSide and other malware. 

It communicates with the C2 server using a specific User Agent string and sends RC4 encrypted data with various parameters. The C2 server can send commands to the infected host to perform various malicious activities.

Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!

Aman Mishra

Recent Posts

IBM AIX TCP/IP Vulnerability Lets Attackers Exploit to Launch Denial of Service Attack

IBM has issued a security bulletin warning of two vulnerabilities in its AIX operating system…

44 minutes ago

Apache Auth-Bypass Vulnerability Lets Attackers Gain Control Over HugeGraph-Server

The Apache Software Foundation has issued a security alert regarding a critical vulnerability in Apache…

1 hour ago

USA Launched Cyber Attack on Chinese Technology Firms

The Chinese National Internet Emergency Center (CNIE) has revealed two significant cases of cyber espionage…

1 hour ago

Node.js systeminformation Package Vulnerability Exposes Millions of Systems to RCE Attacks

A critical command injection vulnerability in the popular systeminformation npm package has recently been disclosed, exposing millions…

1 day ago

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer through…

2 days ago

BellaCiao, A new .NET Malware With Advanced Sophisticated Techniques

An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the initial…

2 days ago