New Latrodectus Malware Attacks Use Microsoft, Cloudflare Themes

Latrodectus, also known as Unidentified 111 and IceNova, is a Windows malware downloader that acts as a backdoor, allowing threat actors to gain unauthorized access to compromised systems. The malware was initially discovered by Walmart's security team and later analyzed by cybersecurity firms such as Proofpoint and Team Cymru.

Phishing campaigns distributing Latrodectus are designed to appear legitimate, often using tactics that make it difficult for email security platforms to detect them as malicious. One such tactic involves leveraging Microsoft Azure and Cloudflare lures. Microsoft Azure is a legitimate cloud computing platform, and Cloudflare is a content delivery network and cybersecurity company. By mimicking these reputable services, attackers increase the chances of users falling for the phishing emails.

The distribution of Latrodectus typically starts with phishing emails that are part of reply-chain attacks. In these attacks, threat actors hijack legitimate email threads and reply to them with malicious links or attachments. These emails may contain PDF lures that appear to be hosted on Microsoft Azure, enticing users to download and open the attached files. Upon opening the PDFs, users are prompted to download additional content, often disguised as legitimate documents. That content is in fact a JavaScript file which, when executed, downloads and installs the Latrodectus malware. Once installed, the malware runs stealthily on the victim's system, awaiting further instructions from the attackers.

Security Officer Comments:
The presence of Latrodectus on a compromised system poses significant risks, as it can be used to drop additional malware payloads, such as information-stealers like Lumma and banking trojans like Danabot. Given its link to IcedID, Latrodectus infections may also pave the way for more sophisticated attacks, including ransomware deployments.

What sets Latrodectus apart is its association with the developers behind the IcedID modular malware loader. IcedID is a well-known threat used for banking trojans and credential theft. While it's unclear if Latrodectus is intended to replace IcedID entirely, its emergence in phishing campaigns indicates a shift towards using Latrodectus for initial access to corporate networks.

Suggested Corrections:
Users should always be cautious of individuals or organizations that ask for personal information. Most companies will not ask their customers for sensitive data. If in doubt, users should verify with the company itself to avoid any potential issues.

Users should always take a close look at the sender's display name and the address behind it when checking the legitimacy of an email. Most companies use a single domain for their URLs and emails, so a message that originates from a different domain is a red flag.

As a general rule, users should not click links or download files even if they come from seemingly “trustworthy” sources.

Check for mismatched URLs. While an embedded URL might seem perfectly valid, hovering over it might reveal a different web address. In fact, users should avoid clicking links in emails unless they are certain the link is legitimate.
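The display-name check and the mismatched-URL check above, together with flagging script attachments of the kind the described infection chain uses to fetch the downloader, can be automated as mail-gateway triage logic. The script below is an added example written for this summary; it is not code from the article or from any vendor named on the page. It uses only the Python standard library, and the two messages it inspects are constructed for the example, with reserved `.invalid` hostnames standing in for attacker infrastructure.

```python
"""Heuristic triage of a raw email for the phishing signs the advisory lists.

Added example, not code from the original article. It automates three of
the manual checks: a display name that names one domain while the sender
address uses another, HTML links whose visible text and href point to
different sites, and script attachments of the kind the described
campaign uses to stage its downloader. Both sample messages are
constructed here; attacker-controlled hosts use the reserved .invalid TLD.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions that Windows hands to a script host when double-clicked.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".cmd", ".bat")
# A domain-looking token such as "microsoft.com" inside free text.
_DOMAIN_RE = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")
# Link text that itself looks like a URL or bare hostname.
_URL_TEXT_RE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/?#]\S*)?$")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registered_domain(host):
    """Last two labels of a host; a stand-in for a real public-suffix lookup."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def check_message(raw):
    """Return a list of findings (strings) for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # 1. Display name claims a domain the sender address does not use.
    from_header = msg["From"]
    for address in (from_header.addresses if from_header else ()):
        for claimed in _DOMAIN_RE.findall(address.display_name):
            if _registered_domain(claimed) != _registered_domain(address.domain):
                findings.append(
                    f"display name mentions {claimed} but sender domain is {address.domain}")

    # 2. Link text shows one host while the href points at another (the hover check).
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        collector = _LinkCollector()
        collector.feed(html_part.get_content())
        for href, text in collector.links:
            shown = _URL_TEXT_RE.match(text)
            actual = urlparse(href).hostname
            if shown and actual and _registered_domain(shown.group(1)) != _registered_domain(actual):
                findings.append(f"link text shows {shown.group(1)} but points to {actual}")

    # 3. Script attachments of the kind used to stage the downloader.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(SCRIPT_EXTENSIONS):
            findings.append(f"script attachment: {name}")

    return findings


def build_sample_message():
    """Constructed message carrying all three signs (not a real campaign sample)."""
    msg = EmailMessage()
    msg["From"] = '"billing@microsoft.com" <alerts@notify-example.invalid>'
    msg["To"] = "user@example.com"
    msg["Subject"] = "Re: shared document"
    msg.set_content("Your document is ready, see the attachment.")
    msg.add_alternative(
        '<p>Your document is ready: <a href="https://cdn-lookalike.invalid/doc">'
        'https://portal.azure.com/share/doc</a></p>', subtype="html")
    msg.add_attachment(b"// placeholder bytes, not a real script\n",
                       maintype="application", subtype="javascript",
                       filename="Document_0123.js")
    return msg.as_bytes()


def build_benign_message():
    """Constructed legitimate-looking message that should raise no findings."""
    msg = EmailMessage()
    msg["From"] = "Example Corp Billing <billing@example.com>"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Your monthly statement"
    msg.set_content("Your statement is available in the customer portal.")
    msg.add_alternative('<p><a href="https://example.com/portal">Click here</a> to view it.</p>',
                        subtype="html")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in check_message(build_sample_message()):
        print("FLAG:", finding)
    print("benign findings:", check_message(build_benign_message()))
```

The domain comparison deliberately reduces hosts to their last two labels so that `portal.azure.com` and `azure.com` are treated as the same organisation; a production filter would use a public-suffix list instead, since the two-label rule misjudges hosts under suffixes such as `co.uk`. Legitimate bulk mail often routes links through a tracking domain, so the mismatched-link finding is a triage signal to weigh alongside the others rather than a verdict on its own.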

Users should always be on the lookout for any grammatical errors and spelling mistakes. Legitimate companies will often employ proofreaders and editors who ensure that the materials they send out are error-free.

Users should not be frightened or intimidated by messages that have an alarmist tone. They should double-check with the company if they are uncertain about the status of their accounts. Phishing emails are designed to be sent to a large number of people, so they need to be as impersonal as possible. Users should check whether the message contains a generic subject and greeting, as this can be a sign of a phishing attempt.

Although not every end user has access to advanced anti-phishing software, they can still use the built-in protection of their email clients to filter messages. One example is setting the email client to block all images unless approved.

Legitimate companies will never send confirmation emails unless there are specific reasons for doing so. In fact, most companies will avoid sending unsolicited messages unless it’s for company updates, newsletters, or advertising purposes.

Users should always take the context of an email or message into account. For example, most online accounts do away with viewable member numbers, so users should be wary if they receive emails containing a “member number” for services that generally don’t use them.

It is important to take note of unusual information in the text of the message. Any mentions of operating systems and software that are not typically used by consumers can often be indicators of a phishing attempt. If it seems suspicious, it probably is. Users should always err on the side of caution when it comes to sending out personally identifiable information through messages and emails.