May 20, 2024 at 02:30AM
Cybersecurity researchers have observed a surge in email phishing campaigns delivering Latrodectus, a new malware believed to be the successor to IcedID. The malware has advanced capabilities, including payload execution, self-deletion, and persistence on Windows hosts. Social engineering campaigns are also using updated techniques to propagate various malware loaders.
Summary of Meeting Notes:
1. Increase in email phishing campaigns delivering Latrodectus malware, successor to IcedID, with capabilities to deploy additional payloads and conduct various post-exploitation activities.
2. Latrodectus utilizes source code obfuscation, anti-analysis checks, and sets up persistence on Windows hosts.
3. New commands added to Latrodectus malware include enumerating files in the desktop directory and retrieving the entire running process ancestry.
4. Latrodectus is possibly being actively developed as a replacement for IcedID, as researchers have identified a development connection or working arrangement between the two.
5. Phishing campaign using invoice-themed email lures to deliver DarkGate malware via a PowerShell script.
6. Updated version of phishing-as-a-service (PhaaS) platform called Tycoon used to harvest Microsoft 365 and Gmail session cookies and bypass multi-factor authentication (MFA) protections.
7. Social engineering campaigns impersonating Calendly and Rufus to propagate D3F@ck Loader malware, ultimately dropping Raccoon Stealer and DanaBot.
8. Emergence of new stealer malware families such as Fletchen Stealer, WaveStealer, zEus Stealer, and Ziraat Stealer, while the Remcos remote access trojan (RAT) uses a PrivateLoader module to augment its capabilities.
9. Notable advancements in malware-as-a-service (MaaS) tactics, utilization of Extended Validation certificates, and the evolving nature of cyber threats.