Summary: Forcepoint has observed an increase in the use of Latrodectus malware by cybercriminals in attacks targeting the financial, automotive, and healthcare sectors. Latrodectus is a malware downloader that has been in circulation since October 2023. The strain is believed to be developed by LunarSpider, the threat actor behind the notorious IcedID trojan, which dozens of malware families have used for distribution. Researchers note that Latrodectus infections are typically engineered for stealth and persistence, complicating detection and eradication efforts. Successful execution of the malware can lead to the exfiltration of personal data, financial losses due to fraud or extortion, and the compromise of sensitive information.
Security Officer Comments: Latrodectus is primarily delivered via phishing email attachments in either PDF or HTML format. Notably, these attachments are sent from compromised email accounts. Emails using the PDF method appear to contain critical DocuSign documents, whereas a ‘failed display’ Word document popup lure is used for the HTML variant. The PDF documents contain a link which, when clicked, redirects the user to a malicious URL that downloads the next-stage payload: an obfuscated JavaScript file that, once executed, downloads a DLL via an MSI installer and unpacks Latrodectus on the targeted system. The HTML attachments instead ask the victim to click a button; doing so executes malicious JavaScript embedded in the HTML, which then uses PowerShell to install the DLL directly and unpack Latrodectus.
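As an added example that is not part of the original bulletin, the following Python snippet flags the two delivery chains described above (a JavaScript host launching an MSI install, or PowerShell installing a DLL) over constructed process-creation events. The script-host names (wscript.exe, cscript.exe) and the event fields are assumptions; the page only says an obfuscated JavaScript file executes.

```python
import re
from typing import Optional

# Constructed sample process-creation events (not real telemetry); the fields are
# what a parsed Sysmon/EDR process-creation record would typically carry.
SAMPLE_EVENTS = [
    # PDF lure chain: downloaded .js runs under a script host and launches an MSI install.
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\u\AppData\Local\Temp\update.msi" /qn'},
    # HTML lure chain: script host spawns PowerShell, which loads the DLL directly.
    {"parent": r"C:\Windows\System32\cscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -c rundll32 C:\Users\u\AppData\Local\Temp\x.dll,run"},
    # Benign: installer launched interactively from Explorer.
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i setup.msi"},
    # Benign-looking: admin script calling PowerShell with no DLL installation.
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -c Get-Date"},
]

# Assumed JavaScript hosts (the bulletin does not name the host process).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Child processes named in the two delivery chains, mapped to a detection tag.
CHAIN_CHILDREN = {"msiexec.exe": "js-to-msi", "powershell.exe": "js-to-powershell"}
# For the PowerShell chain, require evidence of DLL installation in the command line.
DLL_LOAD = re.compile(r"rundll32|regsvr32|\.dll\b", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> Optional[str]:
    """Return a chain tag if the event matches one of the described chains, else None."""
    if basename(event["parent"]) not in SCRIPT_HOSTS:
        return None
    tag = CHAIN_CHILDREN.get(basename(event["image"]))
    if tag == "js-to-powershell" and not DLL_LOAD.search(event["cmdline"]):
        return None  # PowerShell from a script host but no DLL install: not this chain
    return tag


def detect(events: list) -> list:
    """Index and tag of every event matching a Latrodectus delivery chain."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]


if __name__ == "__main__":
    for i, tag in detect(SAMPLE_EVENTS):
        print(f"event {i}: {tag} -> {SAMPLE_EVENTS[i]['cmdline']}")
```

Parent/child pairs alone produce false positives on legitimate scripted installs, so the PowerShell branch additionally requires a DLL-loading indicator in the command line; tune the host list and indicators to your own telemetry.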
Suggested Corrections: Given that phishing is the primary distribution vector for malware loaders like Latrodectus, organizations should watch for emails from unknown senders containing suspicious links and attachments. Latrodectus campaigns are also known to send from compromised email accounts, which highlights the need for users to enable multi-factor authentication wherever possible. Overall, regular table-top exercises can help increase employee awareness and preparedness to deter potential attacks.
Link(s): https://www.securityweek.com/latrodectus-malware-increasingly-used-by-cybercriminals/