
A potent malware strain known as Latrodectus has emerged as a dangerous threat for individuals and businesses alike. This malware is typically spread through phishing campaigns and has recently begun using the guise of trusted brands like Microsoft Azure and Cloudflare to trick victims. 

What is Latrodectus? 

Latrodectus (also known as Unidentified 111 and IceNova) is a Windows-based malware downloader. Think of it as a gateway program used by cybercriminals to deploy further malicious software onto infected systems. Researchers believe Latrodectus is operated by the same group behind the infamous IcedID malware, suggesting the potential for severe consequences if an infection succeeds. 

The Attack Unfolds 

  • Initial Lure: The attack often begins with a phishing email designed to appear as part of an ongoing conversation. This reply-chain technique enhances the message’s perceived legitimacy. The email may contain a PDF attachment, or a link disguised as a Microsoft Azure document download. 
    [Image: Latrodectus phishing email. Source: BleepingComputer]
    [Image: PDF document pretending to be hosted in Microsoft Azure Cloud. Source: BleepingComputer]
  • Fake Security Check: Clicking on the PDF or link leads to a fraudulent Cloudflare security check page, including a simple math problem. This trick helps the attack evade detection by automated email security scanners. 
    [Image: Solving a fake Cloudflare captcha to download the payload. Source: BleepingComputer]
  • Malware Delivery: Once the math question is solved (or the check times out), the page downloads a disguised JavaScript file. Hidden inside that file is an obfuscated function which, when run, downloads and installs a malicious MSI package. 
    [Image: Deobfuscated script that downloads the MSI file. Source: BleepingComputer]
  • Execution: The MSI installer drops the Latrodectus malware (a DLL file) into a hidden system folder. From here, the malware operates silently, awaiting further instructions from its controllers. 
    [Image: RunDLL32 used to launch the Latrodectus DLL. Source: BleepingComputer]
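The chain above (script host runs the disguised JavaScript, which installs an MSI, which leaves a DLL that rundll32 launches) is something endpoint telemetry can flag. The following is an added detection example written for this post, not code from the original article or from the BleepingComputer research; the event format, process IDs, and file paths are constructed for illustration and are not indicators from the actual campaign.

```python
# Added example: flag the Latrodectus-style process chain described above,
# script host -> msiexec -> rundll32 loading a DLL from a user-writable directory.
# Event layout, pids and paths below are constructed, not real campaign indicators.
import re
from dataclasses import dataclass
from typing import List

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable name, lower-case
    cmdline: str

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Directories where a dropped payload is commonly staged (illustrative list)
SUSPICIOUS_DIRS = re.compile(r"\\(appdata|programdata|temp|users\\public)\\", re.I)

def find_suspicious_chains(events: List[ProcEvent]) -> List[str]:
    """Return one alert string per event matching a stage of the described chain."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        # Stage 1: a script host (the disguised .js file) spawning the MSI installer
        if e.image == "msiexec.exe" and parent and parent.image in SCRIPT_HOSTS:
            alerts.append(f"pid {e.pid}: msiexec launched by {parent.image} ({e.cmdline})")
        # Stage 2: rundll32 loading a DLL from an unusual, user-writable location
        if e.image == "rundll32.exe":
            m = re.search(r'"?([^"\s]+\.dll)', e.cmdline, re.I)
            if m and SUSPICIOUS_DIRS.search(m.group(1)):
                alerts.append(f"pid {e.pid}: rundll32 loading DLL from {m.group(1)}")
    return alerts

# Constructed sample telemetry: one benign rundll32 use and one full infection chain
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "outlook.exe", "outlook.exe"),
    ProcEvent(200, 100, "wscript.exe", r"wscript.exe C:\Users\alice\Downloads\Document.js"),
    ProcEvent(300, 200, "msiexec.exe", r"msiexec.exe /i C:\Users\alice\AppData\Local\Temp\pkg.msi /qn"),
    ProcEvent(400, 300, "rundll32.exe", r"rundll32.exe C:\Users\alice\AppData\Roaming\Custom\payload.dll,run"),
    ProcEvent(500, 1, "rundll32.exe", r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for alert in find_suspicious_chains(SAMPLE_EVENTS):
        print(alert)
```

The benign shell32.dll launch from System32 produces no alert, while the two stages of the constructed chain (pids 300 and 400) each do.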

The Consequences 

Latrodectus infections are serious. Their primary purpose is to create a backdoor for cybercriminals to install additional malware. This has been observed to include: 

  • Information-Stealing Malware: Software designed to steal sensitive data like login credentials, financial information, and business data. 
  • Trojan Programs: Malware that facilitates remote access control, potentially giving attackers full access to your system. 

These attacks can have far-reaching consequences for businesses, leading to data breaches, network compromises, and even hand-offs of compromised networks to ransomware gangs. 

How to Protect Yourself 

  • Email Scrutiny: Be highly sceptical of unsolicited emails, especially those arriving as part of an apparent email chain. Double-check email addresses and scrutinise links or attachments before interacting. 
  • Software Verification: If uncertain about a document’s source, contact the purported sender via alternative channels (e.g., phone) to verify its legitimacy. 
  • System Updates: Maintain up-to-date operating systems and applications. Software patches often address known vulnerabilities that malware like Latrodectus exploits. 
  • Robust Security Solutions: Invest in endpoint security solutions with advanced threat detection and real-time behavioural analysis. 
  • User Education: Upskill your employees to recognise common phishing tactics and the importance of reporting suspicious activity. 

Latrodectus malware highlights the relentless innovation of cybercriminals. These attacks are becoming increasingly sophisticated, abusing respected brands to disarm potential victims.