Researchers have recorded a sharp increase in campaigns with the use of dangerous malware.
Since the beginning of March this year, cybersecurity researchers have recorded a sharp increase in phishing campaigns aimed at distributing the new Latrodectus malware downloader (translated as "black widow"), which is considered the successor to IcedID.
Experts from Elastic Security Labs, Daniel Stepanich and Samir Boussaden, reported that these campaigns use large JavaScript files that use the capabilities of WMI to run "msiexec.exe" and install a remotely hosted MSI file via WEBDAV.
Latrodectus has standard features typical of malware designed to download additional payloads, such as QakBot, DarkGate, and PikaBot, which allows attackers to perform various post-operational actions. The analysis showed that the malware is actively engaged in enumerating and executing commands, and also includes a self-deletion technique.
In addition, Latrodectus disguises itself as libraries associated with legitimate software, uses source code obfuscation, and performs analysis checks to prevent it from running in a debugging environment or sandbox.
The malware also establishes a permanent presence on Windows systems through scheduled tasks and communicates with the Command and Control (C2) server via HTTPS to receive commands that allow it to collect information about the system, update, restart, terminate its work, run shellcode, DLLs, and executable files.
Among the new commands added to Latrodectus since the end of last year, there are commands to list files on the desktop and get the entire chain of running processes on the infected device. The malware also supports a command to download and execute icedids, although Elastic researchers have not documented this behavior in practice.
"It is obvious that there is some kind of connection or working arrangement between IcedID and Latrodectus," the experts said. "There is a hypothesis that Latrodectus is being actively developed as a replacement for IcedID, and the download command #18 has been enabled until developers are convinced of the capabilities of the new malware."
Thus, attackers are constantly improving their methods of distributing malware, creating new sophisticated loaders and bots to penetrate computer systems. They adapt and use advanced masking techniques to avoid detection by antivirus programs.
It is essential to regularly update security tools, raise user awareness, and implement multi-level protection to counter the ever-changing cyber threats.
Since the beginning of March this year, cybersecurity researchers have recorded a sharp increase in phishing campaigns aimed at distributing the new Latrodectus malware downloader (translated as "black widow"), which is considered the successor to IcedID.
Experts from Elastic Security Labs, Daniel Stepanich and Samir Boussaden, reported that these campaigns use large JavaScript files that use the capabilities of WMI to run "msiexec.exe" and install a remotely hosted MSI file via WEBDAV.
Latrodectus has standard features typical of malware designed to download additional payloads, such as QakBot, DarkGate, and PikaBot, which allows attackers to perform various post-operational actions. The analysis showed that the malware is actively engaged in enumerating and executing commands, and also includes a self-deletion technique.
In addition, Latrodectus disguises itself as libraries associated with legitimate software, uses source code obfuscation, and performs analysis checks to prevent it from running in a debugging environment or sandbox.
The malware also establishes a permanent presence on Windows systems through scheduled tasks and communicates with the Command and Control (C2) server via HTTPS to receive commands that allow it to collect information about the system, update, restart, terminate its work, run shellcode, DLLs, and executable files.
Among the new commands added to Latrodectus since the end of last year, there are commands to list files on the desktop and get the entire chain of running processes on the infected device. The malware also supports a command to download and execute icedids, although Elastic researchers have not documented this behavior in practice.
"It is obvious that there is some kind of connection or working arrangement between IcedID and Latrodectus," the experts said. "There is a hypothesis that Latrodectus is being actively developed as a replacement for IcedID, and the download command #18 has been enabled until developers are convinced of the capabilities of the new malware."
Thus, attackers are constantly improving their methods of distributing malware, creating new sophisticated loaders and bots to penetrate computer systems. They adapt and use advanced masking techniques to avoid detection by antivirus programs.
It is essential to regularly update security tools, raise user awareness, and implement multi-level protection to counter the ever-changing cyber threats.
