Latrodectus updates to version 1.4 with AES-256 string encryption

We found a new Latrodectus version (1.4) which switched its string encryption routine to AES-256. 

This new version also utilizes the /test/ C2 endpoint, indicating that it is an early testing sample for this version.

In a nutshell:

- PRNG and XOR string decryption replaced by AES-256
- New FNV1a32 Campaign ID 619171486 translates to Campaign Wiski
- New RC4 key “2sDbsEUXvhgLOO4Irt8AF6el3jJ0M1MowXyao00Nn6ZUjtjXwb” to encrypt the C2 traffic
- Switching to new C2 endpoint /test/ instead of /live/, indicating a development version
- Stealthy self-deletion technique by renaming the primary data stream to :wtfbbq
- Creates a mutex called running
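The campaign ID in the list above is a 32-bit FNV-1a hash of the campaign name, so an analyst can confirm the mapping (and resolve future IDs) by hashing candidate names. The code below is an added example written for this write-up, not code from the malware or from the original report; the candidate name list is constructed here and only "Wiski" comes from the page.

```python
from typing import Iterable, Optional

# Standard FNV-1a parameters for the 32-bit variant.
FNV_OFFSET_BASIS_32 = 0x811C9DC5
FNV_PRIME_32 = 0x01000193


def fnv1a32(data: bytes) -> int:
    """FNV-1a, 32-bit: XOR each byte into the state, then multiply by the prime."""
    h = FNV_OFFSET_BASIS_32
    for b in data:
        h ^= b
        h = (h * FNV_PRIME_32) & 0xFFFFFFFF  # keep the state at 32 bits
    return h


def resolve_campaign_id(campaign_id: int, candidates: Iterable[str]) -> Optional[str]:
    """Map a numeric campaign ID back to a name by hashing each known candidate.

    The sample only embeds the hash, so the reverse mapping relies on a list of
    campaign names already seen in earlier Latrodectus reports.
    """
    for name in candidates:
        if fnv1a32(name.encode("ascii")) == campaign_id:
            return name
    return None


# Campaign ID observed in the 1.4 sample (value taken from the report).
SAMPLE_CAMPAIGN_ID = 619171486

# Constructed candidate list: "Wiski" is the name the report gives; the others are
# filler strings (hypothetical) to show that non-matching names are rejected.
CANDIDATE_NAMES = ["Wiski", "test", "live", "running"]

if __name__ == "__main__":
    print(hex(fnv1a32(b"Wiski")))
    print(resolve_campaign_id(SAMPLE_CAMPAIGN_ID, CANDIDATE_NAMES))
```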

Dive deeper into the report

Sample SHA256:

5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8

In the full report you can:

- See why we think this is malicious in plain language.
- See the whole path of the sample’s execution.
- Map the malicious activities on the MITRE ATT&CK Framework.
- Explore detailed information on the IP addresses, URLs and DNS, including function logs and PCAP streams.
- Download the IOCs and artifacts to have a clear picture of the threat.
- Download the files that the malware downloads, drops or modifies.

Explore how you can use these insights.