Full Report
Latrodectus is a versatile malware family that infiltrates systems, steals sensitive data, and evades detection. Learn more from Wazuh about Latrodectus malware and how to defend against it using the open-source XDR. [...]
Analysis Summary
# Tool/Technique: Latrodectus
## Overview
Latrodectus is a versatile and aggressive malware family, named after the black widow spider genus, designed to infiltrate systems, steal sensitive data, and evade detection. It functions as a modular successor to IcedID malware, utilized by threat actors in campaigns targeting corporate networks and financial institutions for data exfiltration and potential ransomware operations.
## Technical Details
- Type: Malware family
- Platform: Windows (implied by use of Windows APIs like kernel32.dll, ntdll.dll, scheduled tasks)
- Capabilities: Initial access via fileless injection, dynamic API resolution, code obfuscation, persistence via scheduled tasks, environment evasion (sandbox/VM check), C2 communication over HTTPS, selective data theft, modular payload expansion.
- First Seen: Late 2023
## MITRE ATT&CK Mapping
*Note: Mappings are derived from described behaviors.*
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment
- **TA0003 - Persistence**
  - T1547 - Boot or Logon Autostart Execution
    - T1547.001 - Registry Run Keys / Startup Folder (Implied via Scheduled Tasks)
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information
  - T1055 - Process Injection
  - T1497 - Virtualization/Sandbox Evasion
- **TA0008 - Lateral Movement** (Implied by network scanning module potential)
- **TA0009 - Collection**
  - T1119 - Automated Collection (via scanning for specific file types/credentials)
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
    - T1071.001 - Web Protocols (HTTPS)
## Functionality
### Core Capabilities
- **Initial Access:** Achieved via phishing emails; malware executes by injecting malicious scripts directly into memory (fileless technique).
- **Persistence:** Establishes persistence by creating hidden scheduled tasks (e.g., `C:\Windows\System32\Tasks\system_update`).
- **Data Theft:** Selectively scans for and exfiltrates valuable data, such as browser credentials and sensitive identification files, minimizing transfer size.
- **C2 Communication:** Communicates securely using encrypted HTTPS POST requests, sending system details including a Bot ID derived from the system serial number.
### Advanced Features
- **Dynamic API Resolution:** Resolves Windows API functions at runtime by hashing function names (e.g., from `kernel32.dll`, `ntdll.dll`) and using CRC32 checksums to locate them via the Process Environment Block (PEB). This circumvents static analysis.
- **Obfuscation and Packing:** Employs packing to compress the payload and encrypts strings. Recent variants use a simplified XOR-based routine for string decryption.
- **Environment Evasion:** Checks for sandboxes/VMs by examining hardware attributes (e.g., using `GetAdaptersInfo()` from `iphlpapi.dll` to check for valid MAC addresses) and process counts (requiring >75 processes on Windows 10).
- **Mutex Usage:** Creates a mutex named "runnung" to prevent duplicate execution on the same host.
- **Modular Expansion:** Acts as a downloader; C2 instructions can trigger the download of additional modules for advanced functions like keylogging or network scanning.
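The hash-based API resolution described above leaves an analyst with 32-bit constants in place of import names. The Python script below is an added example, not code from the Wazuh report or from the malware itself; it shows the defender's side of that trick: precompute CRC32 hashes of known export names and map constants found in an unpacked sample back to the API each one stands for. The export lists are constructed and abbreviated, `api_hash` assumes standard zlib CRC32 (the exact variant a given sample uses is not stated on this page), and all function names are my own.

```python
import struct
import zlib

# Constructed, abbreviated export lists for illustration. In practice an analyst
# dumps the full export table of each DLL with a PE parser and feeds it in here.
SAMPLE_EXPORTS = {
    "kernel32.dll": ["CreateFileW", "VirtualAlloc", "GetProcAddress",
                     "LoadLibraryA", "CreateMutexW", "CreateThread"],
    "ntdll.dll": ["NtAllocateVirtualMemory", "NtWriteVirtualMemory",
                  "NtCreateThreadEx", "RtlGetVersion"],
    "iphlpapi.dll": ["GetAdaptersInfo"],
}


def api_hash(name: str) -> int:
    """Hash an export name. Standard zlib CRC32 is assumed here; a real sample
    may use a custom polynomial or seed, in which case only this function changes."""
    return zlib.crc32(name.encode("ascii")) & 0xFFFFFFFF


def build_hash_table(exports):
    """Precompute hash -> (dll, export name) for every known export."""
    table = {}
    for dll, names in exports.items():
        for name in names:
            table[api_hash(name)] = (dll, name)
    return table


def resolve_hashes(hashes, table):
    """Map each 32-bit constant to (dll, name), or None if no known export hashes to it."""
    return {h: table.get(h) for h in hashes}


def scan_blob_for_hashes(blob: bytes, table):
    """Slide a 4-byte window over raw bytes (e.g. a decrypted config block or an
    unpacked .text section) and report every offset holding a known hash.
    Little-endian dwords are assumed, as on x86/x64 Windows."""
    hits = []
    for off in range(len(blob) - 3):
        value = struct.unpack_from("<I", blob, off)[0]
        if value in table:
            dll, name = table[value]
            hits.append((off, dll, name))
    return hits


if __name__ == "__main__":
    table = build_hash_table(SAMPLE_EXPORTS)
    # Constructed blob: three filler bytes, one hash, two filler bytes, another hash.
    blob = (b"\x90" * 3 + api_hash("VirtualAlloc").to_bytes(4, "little")
            + b"\x00" * 2 + api_hash("NtCreateThreadEx").to_bytes(4, "little"))
    for off, dll, name in scan_blob_for_hashes(blob, table):
        print(f"offset {off:#06x}: {dll}!{name}")
```

With a full export dump of `kernel32.dll`, `ntdll.dll` and `iphlpapi.dll` the same table recovers the sample's effective import list, which is what a signature on "import patterns" (see Detection Methods below) can then be written against. A constant that resolves to nothing usually means a different hash variant or seed, so `api_hash` is the one place to adjust.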
## Indicators of Compromise
- File Hashes: [Not specified in source]
- File Names: [Not specified in source, but places payload in `%AppData%`]
- Registry Keys: [Not specified in source, persistence relies on Scheduled Tasks]
- Network Indicators: Encrypted HTTPS POST requests to rotating, dynamically decrypted domains.
- Behavioral Indicators:
  - Memory injection/fileless execution following email document interaction.
  - Runtime resolution of Windows API calls via hashing/CRC32 checks within the PEB.
  - Creation of scheduled tasks in `C:\Windows\System32\Tasks\` named like `system_update`.
  - Creation of mutex named "runnung".
  - System checks for low process counts or invalid/missing MAC addresses.
## Associated Threat Actors
- TA577
- TA578 (Threat actors previously known for distributing IcedID malware)
## Detection Methods
- Signature-based detection: Detection of known cryptographic routines or import patterns.
- Behavioral detection: Monitoring for memory injection, dynamic API resolution attempts, unusual process execution leading to scheduled task creation, and environment checks (process count, MAC address inquiries).
- YARA rules: [Not specified in source]
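As an added example of the behavioral detection described above (my own script, not Wazuh's ruleset and not code from the report), the following runs three rules over constructed Sysmon-style JSON events and correlates hits per host: an Office application spawning a child process, a task file written at the root of `C:\Windows\System32\Tasks\`, and creation of the mutex named in the indicators section. The event shape and field names are assumptions for illustration, and the `mutex_create` record is assumed to come from an EDR or sandbox feed, since Sysmon does not log mutex creation.

```python
import json
import re
from collections import defaultdict

# Constructed sample telemetry in a Sysmon-like shape; these are not real logs.
# The mutex_create record is assumed to come from an EDR or sandbox feed.
SAMPLE_EVENTS = r"""
{"host": "ws01", "event": "process_create", "image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "parent": "C:\\Windows\\explorer.exe", "cmd": "WINWORD.EXE invoice.docm"}
{"host": "ws01", "event": "process_create", "image": "C:\\Windows\\System32\\rundll32.exe", "parent": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "cmd": "rundll32.exe C:\\Users\\u\\AppData\\Roaming\\upd.dll,run"}
{"host": "ws01", "event": "file_create", "image": "C:\\Windows\\System32\\svchost.exe", "target": "C:\\Windows\\System32\\Tasks\\system_update"}
{"host": "ws01", "event": "mutex_create", "image": "C:\\Windows\\System32\\rundll32.exe", "name": "runnung"}
{"host": "ws02", "event": "file_create", "image": "C:\\Windows\\System32\\svchost.exe", "target": "C:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"}
{"host": "ws02", "event": "process_create", "image": "C:\\Windows\\System32\\notepad.exe", "parent": "C:\\Windows\\explorer.exe", "cmd": "notepad.exe"}
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
KNOWN_MUTEXES = {"runnung"}  # mutex name reported on this page
# A task file written directly under Tasks\ with no vendor subfolder, as in the page's example path.
TASK_ROOT = re.compile(r"^c:\\windows\\system32\\tasks\\[^\\]+$", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text: str):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def rule_office_child(ev):
    """Office application spawning a child process: the document-interaction step."""
    if ev["event"] == "process_create" and basename(ev["parent"]) in OFFICE_APPS:
        return f"{basename(ev['parent'])} spawned {basename(ev['image'])}"


def rule_task_root(ev):
    """Scheduled task file created at the root of the Tasks folder."""
    if ev["event"] == "file_create" and TASK_ROOT.match(ev["target"]):
        return f"task file {ev['target']}"


def rule_known_mutex(ev):
    """Mutex name matching a published indicator."""
    if ev["event"] == "mutex_create" and ev["name"] in KNOWN_MUTEXES:
        return f"mutex {ev['name']} created by {basename(ev['image'])}"


RULES = [rule_office_child, rule_task_root, rule_known_mutex]


def evaluate(events):
    """Run every rule over every event; return one alert dict per hit."""
    alerts = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail:
                alerts.append({"host": ev["host"], "rule": rule.__name__[len("rule_"):], "detail": detail})
    return alerts


def score_hosts(alerts):
    """Group distinct rule hits per host so correlation, not a single event, drives severity."""
    hits = defaultdict(set)
    for a in alerts:
        hits[a["host"]].add(a["rule"])
    return {host: sorted(rules) for host, rules in hits.items()}


def severity(rules) -> str:
    """One behavior is a triage lead; two or more distinct behaviors on one host is high confidence."""
    return "high" if len(rules) >= 2 else "medium"


if __name__ == "__main__":
    alerts = evaluate(parse_events(SAMPLE_EVENTS))
    for host, rules in score_hosts(alerts).items():
        print(f"{host}: {severity(rules)} -> {', '.join(rules)}")
    for a in alerts:
        print(f"  [{a['host']}] {a['rule']}: {a['detail']}")
```

On the constructed input only `ws01` is flagged, at high severity, because three distinct behaviors occur on it; `ws02`'s vendor task under `Tasks\Microsoft\...` and its ordinary process tree trigger nothing. The `task_root` rule on its own will also fire on legitimate third-party tasks, which is why the per-host correlation, rather than any single rule, is what should page an analyst. The sandbox checks on this page (process count, MAC address inquiries) are not visible in ordinary host logs and would need an EDR that records API-level activity.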
## Mitigation Strategies
1. **Phishing Awareness Training:** Train users to recognize and avoid suspicious emails and social engineering tactics.
2. **Strengthen Endpoint Security:** Deploy advanced anti-malware solutions capable of behavioral monitoring for fileless attacks and memory anomalies.
3. **Network Segmentation:** Isolate critical systems to limit lateral movement and contain breaches.
4. **Regular Backups:** Maintain secure, isolated backups to recover from potential ransomware activities.
5. **Patch Management:** Ensure all software is regularly updated to close exploitable vulnerabilities.
## Related Tools/Techniques
- IcedID (Latrodectus is described as its successor)