LUNAR SPIDER Enabling Ransomware Attacks on Financial Sector with Brute Ratel C4 and Latrodectus
Oct. 31, 2024, 8 p.m.
Description
LUNAR SPIDER, a Russian-speaking financially motivated threat group, has resumed operations following law enforcement disruptions. They've shifted from using IcedID to leveraging Latrodectus and Brute Ratel C4 malware, targeting financial services through SEO poisoning malvertising campaigns. The group maintains affiliations with ransomware operators like ALPHV/BlackCat, sharing infrastructure and tools. LUNAR SPIDER's adaptability is evident in their use of over 200 malicious infrastructures across different malware families. Their latest campaign employed obfuscated JavaScript to deliver Brute Ratel C4, establishing persistence and command-and-control communication.
Tags
Date
- Created: Oct. 31, 2024, 8:23 a.m.
- Published: Oct. 31, 2024, 8:23 a.m.
- Modified: Oct. 31, 2024, 8 p.m.
Additional Information
- Finance
- Russian Federation