Inside the Latrodectus Malware Campaign

Oct. 21, 2024, 10:54 a.m.

Tags
obfuscation
phishing
icedid
javascript
healthcare
latrodectus
financial
2024-10-21
msi
dll
automotive
activex
rundll32
External References
Description

The Latrodectus malware campaign employs a combination of traditional phishing techniques and innovative payload delivery methods to target financial, automotive, and healthcare sectors. The attack chain begins with compromised emails containing malicious PDF or HTML attachments, which redirect users to download obfuscated JavaScript. This script then downloads and executes an MSI file, dropping a malicious 64-bit DLL in the %appdata% folder. The DLL, disguised with fake NVIDIA version information, unpacks another payload in memory and connects to a command and control server. The campaign utilizes URL shorteners, compromised domains, and well-known storage services to host malicious payloads, demonstrating a sophisticated blend of old and new tactics to evade detection.

Date

Published: Oct. 21, 2024, 10:53 a.m.

Created: Oct. 21, 2024, 10:53 a.m.

Modified: Oct. 21, 2024, 10:54 a.m.

Indicators

617e31e9f71b365fe69719d3fc980d763e827a4f93d0e776d1587d0bfdb47674

3b86c9516bd5d57758ab976e32af2d7873d7ad0b0e063a49ee13c168f2c1e980

194.54.156.91

https://digitalpinnaclepub.com/?3

https://delview.com/MobileDefault.aspx?reff=https://cutt.ly/seU8MT6t#_fZ0NmW

https://delview.com/MobileDefault.aspx?reff=https://cutt.ly/seU8MT6t#_fZ0NmW”

http://gertioma.top/o.jpg

http://194.54.156.91/dsa.msi

Download all indicators here!

Attack Patterns

Latrodectus

IcedID - S0483

Latrodectus

T1102.002

T1218.011

T1059.001

T1547.001

T1059.007

T1071.001

T1105

T1204

T1140

T1027

T1566

Additional Informations

Automotive

Healthcare

Finance