Latrodectus Unveils Stealthy New Anti-Debugging & Sandbox Evasion Tricks

Latrodectus, a newly discovered malware, has rapidly evolved since its emergence in October 2023. Initially tied to the defunct IcedID loader, Latrodectus has become a prominent player in the cybercriminal landscape. 

Its developers have frequently released new versions, likely to evade detection, while researchers have prioritized extracting the malware configuration from each version to provide customers with accurate and timely indicators of compromise.

Latrodectus exhibiting 4 exports with the same export address

The Latrodectus malware family has undergone significant evolution over the past year, with several iterations released from September 2023 to September 2024. 

Initial versions employed a simple XOR algorithm for string decryption, which was later replaced by a rolling XOR method and eventually upgraded to AES-256 encryption. 

The malware’s functionality has also expanded, with new command IDs introduced to allow for arbitrary file downloads and other actions. 

While some features, such as ADS self-deletion, have been removed in recent versions, the overall complexity and sophistication of Latrodectus have steadily increased.

Latrodectus enumerating Windows OS version

It employs a two-pronged approach to evade sandboxes. First, it checks the Windows OS version to determine the minimum number of running processes required before it will launch, since the baseline process count differs between versions.

Second, it checks the validity of network adapter MAC addresses, requiring that they conform to the standard 6-byte length. This check targets sandboxes whose network environment is not realistic, making it harder for them to detect and isolate the malicious activity.

The malware uses a multi-layered technique to evade analysis. It first reads the BeingDebugged flag directly from the PEB data structure, a more subtle approach than calling the IsDebuggerPresent API.

A rare network card check to verify validity of MAC addresses

Next, it checks whether the process is running under WOW64 and exits if it is a 32-bit process on a 64-bit OS. The purpose of this check is unclear; it may be designed to detect specific emulation environments.

It protects its strings with encryption schemes that have changed across versions: early versions used a PRNG-driven XOR, later ones switched to a rolling XOR with an incrementing seed, and the latest iterations use AES-256 in CTR mode with a hardcoded key. The encrypted strings reside in the .data section, and their stored format changes with the encryption algorithm.

For runtime API resolution, Latrodectus walks the PEB to locate kernel32.dll and ntdll.dll, then compares CRC32 checksums of names against hardcoded hashes to find the other libraries and APIs it needs.

CRC32-based API hashing in Latrodectus
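Because a CRC32 hash cannot be reversed to the name it was computed from, analysts resolve hashed imports by pre-computing CRC32 over every export or DLL name they expect and looking the sample's hardcoded values up. The Python below is an added example of that resolver, not code from the article or from the malware; it assumes the standard reflected CRC32 polynomial (0xEDB88320), treats lowercase normalisation of DLL names as an assumption, and uses a constructed candidate-name list.

```python
import zlib

# Table-driven CRC32 with the reflected polynomial 0xEDB88320 (the zlib
# variant). Assumption: Latrodectus's CRC32 matches this standard form; the
# article only states that CRC32 is used over names and hardcoded hashes.
_TABLE = []
for i in range(256):
    c = i
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    _TABLE.append(c)


def crc32(data: bytes) -> int:
    """Standard CRC32: init 0xFFFFFFFF, table update per byte, final XOR."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = _TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def matches_zlib(data: bytes) -> bool:
    """Cross-check the hand-written CRC32 against zlib's implementation."""
    return crc32(data) == (zlib.crc32(data) & 0xFFFFFFFF)


# Constructed candidate list; a real run would feed every export name of
# kernel32.dll and ntdll.dll (e.g. parsed with pefile) plus common DLL names.
CANDIDATE_NAMES = [
    "kernel32.dll", "ntdll.dll", "LoadLibraryA", "GetProcAddress",
    "VirtualAlloc", "CreateFileW", "SetFileInformationByHandle",
]


def build_lookup(names, case_insensitive=False):
    """Map CRC32 value -> original name. Assumption: some loaders lowercase
    DLL names before hashing, so optionally hash that variant as well."""
    table = {}
    for name in names:
        variants = {name, name.lower()} if case_insensitive else {name}
        for v in variants:
            table[crc32(v.encode("ascii"))] = name
    return table


def resolve(hardcoded_hashes, lookup):
    """Return {hash: name or None} for hashes extracted from a sample."""
    return {h: lookup.get(h) for h in hardcoded_hashes}
```

Unresolved entries (None) usually mean the export list fed to build_lookup was incomplete or the sample uses a non-standard CRC32 variant, which is the first thing to re-check.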

Finally, it uses COM objects to establish persistence by creating a scheduled task that points to the dropped malicious DLL; a mutex named “runnung” prevents re-infection.

VMRay's analysis of Latrodectus, a malware loader suspected to be a successor to IcedID, notes that it uses various techniques to evade detection and generates a unique group ID per version for C2 communication, hashed with FNV-1a.

Hardware IDs are derived by multiplying the victim’s volume serial number by a hardcoded constant. For persistence, Latrodectus also uses a self-deletion method based on the SetFileInformationByHandle API.

Network communication begins with an initial check-in that uses a hardcoded User-Agent string and RC4-encrypted parameters; the C2 server can then issue commands to the infected host, including downloading and executing next-stage payloads, stealing files, and updating the bot.

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She is covering various cyber security incidents happening in the Cyber Space.
