小心'Latrodectus' - 这种恶意软件可能潜伏在您的收件箱中

Threat hunters have discovered a new malware called Latrodectus that has been distributed as part of email phishing campaigns since at least late November 2023.

威胁猎手发现了一种名为Latrodectus的新恶意软件，自2023年11月底起已作为电子邮件网络钓鱼活动的一部分进行传播。

"Latrodectus is an up-and-coming downloader with various sandbox evasion functionality," researchers from Proofpoint and Team Cymru said in a joint analysis published last week, adding it's designed to retrieve payloads and execute arbitrary commands.

"Latrodectus是一种新兴的下载器，具有各种沙箱逃避功能，"Proofpoint和Team Cymru的研究人员在上周发布的联合分析中说，该下载器旨在检索有效载荷并执行任意命令。

There is evidence to suggest that the downloader is likely written by the same threat actors behind the IcedID malware, with the downloader put to use by initial access brokers (IABs) to facilitate the deployment of other malware.

有证据表明，这个下载器很可能是由与IcedID恶意软件背后的威胁行为者编写的，该下载器被初步访问经纪人（IABs）用于促进其他恶意软件的部署。

Latrodectus has been primarily linked to two different IABs tracked by Proofpoint under the names TA577 (aka Water Curupira) and TA578, the former of which has also been linked to the distribution of QakBot and PikaBot.

Latrodectus主要与Proofpoint跟踪的两个不同IABs相关联，分别称为TA577（又名Water Curupira）和TA578，前者还与QakBot和PikaBot的分发相关联。

As of mid-January 2024, it's been employed almost exclusively by TA578 in email threat campaigns, in some cases delivered via a DanaBot infection.

截至2024年1月中旬，TA578几乎完全被用于电子邮件威胁活动，有时通过DanaBot感染进行传递。

TA578, known to be active since at least May 2020, has been linked to email-based campaigns delivering Ursnif, IcedID, KPOT Stealer, Buer Loader, BazaLoader, Cobalt Strike, and Bumblebee.

TA578自2020年5月至少活动以来，已被证实与通过电子邮件传送Ursnif，IcedID，KPOT Stealer，Buer Loader，BazaLoader，Cobalt Strike和Bumblebee相关的活动相关联。

Attack chains leverage contact forms on websites to send legal threats regarding alleged copyright infringement to targeted organizations. The links embedded in the messages direct the recipients to a bogus website to trick them into downloading a JavaScript file that's responsible for launching the main payload using msiexec.

攻击链利用网站上的联系表单向有关组织发送关于涉嫌侵犯版权的法律威胁。消息中嵌入的链接将接收者引导至一个虚假网站，以欺骗他们下载一个负责使用msiexec启动主有效载荷的JavaScript文件。

"Latrodectus will post encrypted system information to the command-and-control server (C2) and request the download of the bot," the researchers said. "Once the bot registers with the C2, it sends requests for commands from the C2."

"Latrodectus将加密的系统信息发布到命令与控制服务器（C2）并请求下载机器人，"研究人员说。"一旦机器人在C2上注册，它就会从C2发送命令请求。"

It also comes with capabilities to detect if it's running in a sandboxed environment by checking if the host has a valid MAC address and there are at least 75 running processes on systems running Windows 10 or newer.

它还具有检测是否在沙箱环境中运行的能力，方法是检查主机是否具有有效的MAC地址，并且运行的Windows 10或更新版本的系统上至少有75个运行进程。

Like in the case of IcedID, Latrodectus is designed to send the registration information in a POST request to the C2 server where the fields are HTTP parameters stringed together and encrypted, after which it awaits further instructions from the server.

与IcedID一样，Latrodectus设计为将注册信息通过POST请求发送到C2服务器，其中字段是HTTP参数字符串并加密，之后它等待来自服务器的进一步指示。

The commands allow the malware to enumerate files and processes, execute binaries and DLL files, run arbitrary directives via cmd.exe, update the bot, and even shut down a running process.

这些命令使恶意软件能够枚举文件和进程，执行二进制文件和DLL文件，通过cmd.exe运行任意指令，更新机器人，甚至关闭正在运行的进程。

A further examination of the attacker infrastructure reveals that the first C2 servers came alive on September 18, 2023. These servers, in turn, are configured to communicate with an upstream Tier 2 server that was set up around August 2023.

对攻击者基础设施的进一步审查显示，第一批C2服务器于2023年9月18日启用。这些服务器又配置为与2023年8月左右建立的上游Tier 2服务器通信。

Latrodectus' connections to IcedID stems from the fact that the T2 server "maintains connections with backend infrastructure associated with IcedID" and use of jump boxes previously associated with IcedID operations.

Latrodectus与IcedID的连接源于T2服务器与“与IcedID相关的后端基础设施保持连接”，并且使用跳板服务器，这些跳板服务器先前与IcedID运营相关联。

The threat actors' shift to DarkGate, Latrodectus, and PikaBot over the past several months comes in the wake of a law enforcement operation that neutralized QakBot in late August 2023, although the malware has been deployed in low-volume campaigns as of December and there are indications that a new variant of the botnet is undergoing active development.

过去几个月来，威胁行为者转向DarkGate、Latrodectus和PikaBot，这是在一项执法行动中中和了QakBot后发生的，尽管QakBot自2023年8月末以来已在一些低量级活动中部署，并且有迹象表明该僵尸网络的新变种正在积极开发中。

"Latrodectus will become increasingly used by financially motivated threat actors across the criminal landscape, particularly those who previously distributed IcedID," Team Cymru assessed.

"Latrodectus将在犯罪格局中变得越来越受到财务动机的威胁行为者的青睐，尤其是那些以前分发IcedID的威胁行为者，"Team Cymru评估。

参考资料

[1]https://thehackernews.com/2024/04/watch-out-for-latrodectus-this-malware.html

关注我们

        欢迎来到我们的公众号！我们专注于全球网络安全和精选双语资讯，为您带来最新的资讯和深入的分析。在这里，您可以了解世界各地的网络安全事件，同时通过我们的双语新闻，获取更多的行业知识。感谢您选择关注我们，我们将继续努力，为您带来有价值的内容。

原文始发于微信公众号（知机安全）：小心'Latrodectus' - 这种恶意软件可能潜伏在您的收件箱中