Latrodectus: When Phishing Turns Deadly

Latrodectus is a Windows malware downloader first detected in October 2023 that functions as a backdoor. The malware downloads executable and DLL payloads. Latrodectus can also execute commands. Threat actors are increasingly using Latrodectus malware to target businesses in the financial, automotive, and healthcare sectors.

Latrodectus primarily spreads through phishing emails containing malicious attachments disguised as seemingly innocuous documents. These attachments typically come in two flavors:

  • PDF Variant: This variant masquerades as a DocuSign request, enticing the victim to click on a link that leads to the download of a malicious payload.
  • HTML Variant: This variant employs a deceptive tactic, displaying a fake “failed display” popup that prompts the user to click a “Solution” button, ultimately triggering the download of the malware.

Both variants rely on obfuscated JavaScript embedded within the attachment to initiate the infection process. This JavaScript, cleverly concealed amidst a sea of junk comments, downloads and executes a malicious DLL file, which serves as the entry point for the Latrodectus backdoor.

Installation and Execution:

The installation process differs slightly between the two variants:

  • PDF Variant: The JavaScript downloads an MSI installer, which in turn drops the malicious DLL. This DLL is then executed using rundll32.exe, ultimately unpacking the final payload in memory.
  • HTML Variant: The JavaScript directly downloads and executes the malicious DLL using rundll32.exe, bypassing the need for an MSI installer.

Once installed, the Latrodectus backdoor establishes a connection with its command-and-control (C2) server, typically using the uncommon port 8041. This connection allows the attackers to remotely control the compromised system and carry out their malicious objectives.
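The two execution chains above (script host or MSI installer launching rundll32.exe with a DLL dropped in a user-writable folder, then an outbound connection on port 8041) map directly onto process-creation and network telemetry. The following is an added detection example written for this post, not code from Forcepoint or Securityweek; the event records are constructed, and the field names (`image`, `cmdline`, `parent`, `dst_port`) are assumed rather than taken from any specific sensor.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events (not real telemetry), loosely modelled on
# Sysmon event ID 1 (process create) and ID 3 (network connect).
SAMPLE_EVENTS = [
    # PDF variant: MSI installer drops the DLL and runs it via rundll32
    {"id": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\update.dll",run',
     "parent": r"C:\Windows\System32\msiexec.exe"},
    # HTML variant: the JavaScript itself launches rundll32 on the DLL
    {"id": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\bob\Downloads\vgd.dll,scab",
     "parent": r"C:\Windows\System32\wscript.exe"},
    # Benign: rundll32 loading a system DLL from explorer
    {"id": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL",
     "parent": r"C:\Windows\explorer.exe"},
    # Beacon on the uncommon port named in the write-up
    {"id": 3, "image": r"C:\Windows\System32\rundll32.exe",
     "dst_ip": "203.0.113.10", "dst_port": 8041},
    # Benign HTTPS traffic from a browser
    {"id": 3, "image": r"C:\Program Files\Browser\browser.exe",
     "dst_ip": "198.51.100.5", "dst_port": 443},
]

# Parents that match the two delivery chains described in the post.
SUSPECT_PARENTS = {"wscript.exe", "cscript.exe", "msiexec.exe", "mshta.exe"}
# DLL paths an attachment-driven dropper can write to without elevation.
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Downloads|ProgramData)\\", re.I)
C2_PORT = 8041


def classify(event):
    """Return a finding string for one event, or None when nothing matches."""
    image = PureWindowsPath(event["image"]).name.lower()
    if event["id"] == 1 and image == "rundll32.exe":
        parent = PureWindowsPath(event["parent"]).name.lower()
        if parent in SUSPECT_PARENTS and USER_WRITABLE.search(event["cmdline"]):
            return f"rundll32 loading DLL from user-writable path, parent {parent}"
    if event["id"] == 3 and event["dst_port"] == C2_PORT:
        return f"outbound connection to port {C2_PORT} from {image}"
    return None


def scan(events):
    """Return (index, finding) pairs for every event that triggers a rule."""
    return [(i, f) for i, e in enumerate(events) if (f := classify(e)) is not None]


if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

Port-only matching on 8041 will produce false positives on networks that legitimately use that port, so in practice it is best correlated with the rundll32 process finding from the same host.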

Impact and Consequences:

The successful installation of Latrodectus can have severe repercussions for victims, including:

  • PII Exfiltration: The malware can steal sensitive personal information, such as names, addresses, and financial details.
  • Financial Loss: Attackers can leverage the malware to commit fraud or extort money from victims.
  • Compromise of Sensitive Information: Latrodectus can grant attackers access to confidential data, potentially leading to intellectual property theft or espionage.

Analysis and Mitigation:

Forcepoint researchers have identified several key characteristics of the Latrodectus attacks:

  • Abuse of Older Emails: Attackers often exploit older email threads to lend credibility to their phishing attempts.
  • URL Shorteners and Legitimate Hosting: Malicious payloads are frequently hosted on reputable platforms like storage.googleapis.com, making them appear less suspicious.

To mitigate the risk of Latrodectus infection, users should exercise caution when opening email attachments, especially those from unknown or untrusted senders. Additionally, organizations should implement robust email security measures and educate their employees about phishing threats.

Source: Securityweek
