Hackers use loaders to bypass security measures and run harmful code in a genuine process’s memory themselves.
This makes it possible for malware payloads to be quietly loaded into the system without being discovered by any of the many file execution monitoring security solutions.
Cybersecurity researchers at Elastic Security Labs recently discovered that LATRODECTUS loader is getting popular among threat actors.
LATRODECTUS Replacing ICEDID
The malware loader, “LATRODECTUS” was discovered in October 2023, and it shows strong associations with ICEDID. For instance, they both deliver hidden content using an encrypted payload technique and have the same network infrastructure.
Even though it is a novel family, it brings down big features of post-breach operations through a lightweight, minimalistic codebase.
Lately, there has been an increase in email campaigns delivering LATRODECTUS, which are built on oversized JavaScript for remote MSI installation via WMI or msiexec.exe.
ANYRUN malware sandbox’s 8th Birthday Special Offer: Grab 6 Months of Free Service
Given the collapse of QBOT and the decline of ICEDID, these two following new loaders are indicated as filling those gaps with more streamlined designs:-
- LATRODECTUS
- PIKABOT
Initially, a sample called LATRODECTUS disguises itself as TRUFOS.SYS from Bitdefender, necessitating unpacking.
It has a DLL with four exports all at the same address, but it uses arithmetic or bitwise operations on encrypted bytes to hide strings as opposed to previously reported PRNG algorithms.
.webp)
In PEB and CRC32 checks of LATRODECTUS imports for kernel32.dll and ntdll.dll are done dynamically while other DLLs go through wildcard searches and CRC32 validation in the Windows system directory.
This evolving obfuscation technique of the loader is manifest by dynamic import resolution.
After resolving imports, LATRODECTUS performs anti-analysis checks – monitoring for debuggers, validating running process count against OS version thresholds to detect sandboxes and VMs, checking for WOW64 execution, and verifying valid MAC addresses, Elastic security said.
It uses a typo-mutex “runnung” and generates hardware IDs or campaign hashes from volume serial numbers. Based on configurations, it drops copies of itself in AppData or other directories using randomized filenames.
LATRODECTUS reads existing data files, fetches C2 domains, and then sets up a scheduled “Updater” task for persistence via Windows COM before executing its main command dispatcher thread.
Different alternate data streams are used by LATRODECTUS to delete itself, which is likely to prevent incident response. It also has the ability to encrypt C2 communications with victims using RC4 and receive commands via URLs, COMMAND and CLEARURL.
The core functionalities include gathering information such as processes and desktop files, executing code in forms such as downloading or launching PE’s, DLLs, or shellcodes, binary updates, and ICEDID delivery.
Similar enumeration, exports, and C2 traffic patterns have been found in its ICEDID component, consequently intimating development connections.
As a support feature for LATRODECTUS, it helps in resetting request counters and randomized beaconing intervals.
For this reason, they put out test runs where payloads were sent between sandboxes using the command dispatcher Flask server.
Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers
%20(1).webp "Cellebrite Tool Cracker Trump shooter’s Samsung Device in just 40 minutes"){kind=small}
