Latrodectus updates to version 1.4 with AES-256 string encryption

We found a new Latrodectus version (1.4) which switched its string encryption routine to AES-256. 

This new version also utilizes the /test/ C2 endpoint, indicating that it is an early testing sample for this version.

In a nutshell:

 

PRNG and XOR string decryption replaced by AES-256

 

New FNV1a32 Campaign ID 619171486 translates to Campaign Wiski  

 

New RC4 key “2sDbsEUXvhgLOO4Irt8AF6el3jJ0M1MowXyao00Nn6ZUjtjXwb” to encrypt the C2 traffic  

 

Switching to new C2 endpoint /test/ instead of /live/, indicating a development version  

 

Stealthy self-deletion technique by renaming primary data stream to :wtfbbq  

 

Places a mutex called running

Dive deeper into the report

Sample SHA256:

5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8

See why we think this is malicious in plain language.

See the whole path of the sample’s execution

Map the malicious activities on the MITRE ATT&CK Framework

Explore detailed information on the IP addresses, URLs and DNS, including function logs and PCAP Streams

Download the IOCs and artifacts to have a clear picture of the threat.

Download the files that the malware downloads, drops or modifies.

Explore how you can use these insights

Days
Hours
Minutes
Seconds

Ready to stress-test your malware sandbox? Join us for a no-fluff, all-demo webinar that shows you real techniques to evaluate and optimize your sandboxing solution!