Latrodectus Employs New anti-Debugging And Sandbox Evasion Techniques

Latrodectus, a new malware loader, has rapidly evolved since its discovery, potentially replacing IcedID.

It includes a command to download IcedID and has undergone multiple iterations, likely to evade detection. 

Extracting configurations from these versions is crucial for effective threat detection, as the Latrodectus malware has evolved over the past year, with new versions released every few months. 

The malware’s distribution chain has remained consistent, utilizing JavaScript and MSI droppers to deliver the final DLL payload.

The payload itself has undergone changes, with the most recent version featuring four unique exports that share the same address and execute the same core logic.

Protecting Your Networks & Endpoints With UnderDefense MDR – Request Free Demo

VMRay Platform’s dynamic analysis reveals the malicious behavior of Latrodectus

The Latrodectus malware family evolved its decryption methods, transitioning from PRNG-based XOR to rolling XOR and adopting AES-256 CTR.

Additionally, it expanded its command-and-control capabilities with new commands and removed specific self-deletion techniques.

It employs a process count check to evade sandboxes by enumerating the Windows version and terminating if the number of active processes falls below a threshold specific to the OS.

The VMRay Platform counters this, allowing users to adjust the background process count during analysis.

Latrodectus enumerating Windows OS version

The evasion check verifies if the MAC address length is 6 bytes. If not, the program terminates a security measure to prevent unauthorized access, as non-standard MAC addresses could indicate potential threats or vulnerabilities.

The malware checks if it’s being debugged by examining the PEB’s BeingDebugged flag and if it’s running on WOW64, and the check might be to detect emulation scenarios.

Checking the running process against IsWow64Process

Latrodectus initially used a PRNG for string encryption but later switched to a rolling XOR method.

Currently, it employs AES-256 with a hardcoded key and variable IV. Encrypted strings are stored in the .data section with length and IV information preceding the encrypted data.

It resolves DLLs and APIs using CRC32 checksums by comparing filenames and function exports with hardcoded values. The open-source tool HashDB can assist in reversing these hashes.

CRC32-based API hashing in Latrodectus

By copying itself to the %APPDATA% folder with a unique filename based on the hardware ID, it then uses COM to create a scheduled task that runs the malware whenever the user logs on.

It also uses a hardcoded mutex to prevent re-infection and generates unique group IDs for each version, which IDs are used to create an FNV1a hash that can be brute-forced to determine the campaign name.

A script was created to generate a massive wordlist and iterate through it to find the matching hash.

Command handler IDs for more functionalities

According to VMray, Latrodectus is a new malware loader that uses a unique hardware ID generation based on volume serial number and a hardcoded constant, which can self-delete using a technique observed in DarkSide and other malware. 

It communicates with the C2 server using a specific User Agent string and sends RC4 encrypted data with various parameters. The C2 server can send commands to the infected host to perform various malicious activities.

Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!

Aman Mishra

Recent Posts

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and their…

2 hours ago

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS environments…

14 hours ago

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling them…

18 hours ago

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases from…

18 hours ago

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting abuse…

19 hours ago

Metasploit Framework Released with New Features

The Metasploit Framework, a widely used open-source penetration testing tool maintained by Rapid7, has introduced…

21 hours ago