Latrodectus evades detection with Azure and Cloudflare lures

Illustration: Supimol Kumying | Shutterstock

Sophisticated malicious software, Latrodectus, or Unidentified 111 and IceNova, has been detected in phishing campaigns that leverage deceptive tactics, using Microsoft Azure and Cloudflare lures to mask malicious intent.

Initially identified by Walmart’s security team and further analysed by cybersecurity experts at ProofPoint and Team Cymru, Latrodectus functions as a potent Windows malware downloader with backdoor capabilities. Its modus operandi includes downloading additional EXE and DLL payloads or executing commands, posing a significant risk to targeted systems.

Researchers have established a connection between Latrodectus and the developers behind the notorious IcedID modular malware loader, suggesting a potential evolution in cybercriminals’ strategies.

According to a report by Bleeping Computer, security analysts ProxyLife and the Cryptolaemus group have documented Latrodectus’s deployment techniques, including its recent use of PDF lures and a fake Cloudflare captcha to bypass security measures.

This campaign’s modus operandi revolves around reply-chain phishing emails, a tactic where threat actors exploit stolen email exchanges to disseminate malicious links or attachments.

ProxyLife emphasised that the current wave of attacks employs PDF attachments or embedded URLs masquerading as legitimate documents hosted on Microsoft Azure cloud services. Upon interaction, unsuspecting users are redirected to a counterfeit ‘Cloudflare security check’ posing as a benign math-based captcha.

This clever ruse aims to evade email security scanners and sandboxes by engaging users in seemingly innocuous interactions while concealing the malicious payload delivery process.

Upon successfully completing the captcha, a JavaScript file is automatically downloaded and camouflaged as a document file. This JavaScript file, intricately obfuscated to thwart detection, initiates a chain of actions culminating in the installation of Latrodectus as an MSI file placed in the %AppData%\Custom_update directory.

Subsequently, this malware establishes a foothold within the system, operating surreptitiously to facilitate further malware deployment or command execution.
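As an added example (not code from the article or from the researchers it cites), the following Python flags the two observable stages of the chain described above over constructed Sysmon-style events: a script host running a .js from the Downloads folder, and an MSI staged in or installed from %AppData%\Custom_update. The event field names and the sample paths are assumptions.

```python
import re

# Constructed Sysmon-style telemetry (not from the article): process-creation
# and file-creation events for one user session, with benign noise included.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\Document_scan.js"'},
    {"type": "file",
     "path": r"C:\Users\alice\AppData\Roaming\Custom_update\update_1.msi"},
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\alice\AppData\Roaming\Custom_update\update_1.msi" /qn'},
    {"type": "process", "image": r"C:\Program Files\Notepad++\notepad++.exe",
     "cmdline": r'notepad++.exe "C:\Users\alice\Documents\notes.txt"'},
    {"type": "file",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Word\auto.dat"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# %AppData% expands to <profile>\AppData\Roaming; the reported staging
# directory is %AppData%\Custom_update, so match any .msi directly beneath it.
MSI_IN_CUSTOM_UPDATE = re.compile(
    r'\\AppData\\Roaming\\Custom_update\\[^\\"]+\.msi', re.IGNORECASE)
# A .js launched from the browser download folder (the "document" lure).
JS_FROM_DOWNLOADS = re.compile(r'\\Downloads\\[^"]+\.js\b', re.IGNORECASE)


def classify(event):
    """Return a finding label for one event, or None if it looks benign."""
    if event["type"] == "file":
        return "msi_in_custom_update" if MSI_IN_CUSTOM_UPDATE.search(event["path"]) else None
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if image in SCRIPT_HOSTS and JS_FROM_DOWNLOADS.search(event["cmdline"]):
        return "script_host_ran_downloaded_js"
    if image == "msiexec.exe" and MSI_IN_CUSTOM_UPDATE.search(event["cmdline"]):
        return "msiexec_from_custom_update"
    return None


def scan(events):
    """Return (index, label) for every event matching a stage of the chain."""
    return [(i, label) for i, e in enumerate(events) if (label := classify(e))]


def chain_observed(events):
    """True when the JS stage precedes the MSI install stage in the stream."""
    labels = [label for _, label in scan(events)]
    try:
        return labels.index("script_host_ran_downloaded_js") < labels.index("msiexec_from_custom_update")
    except ValueError:
        return False


if __name__ == "__main__":
    for i, label in scan(SAMPLE_EVENTS):
        print(i, label)
    print("full chain:", chain_observed(SAMPLE_EVENTS))
```

The individual labels are useful on their own for triage; chain_observed is the higher-confidence signal that both stages were seen in order on one host.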

The implications of Latrodectus infections are dire, potentially leading to cascading cyber attacks with devastating consequences. Current observations indicate instances where Latrodectus has facilitated the deployment of information stealers like Lumma and banking trojans like Danabot.

Also, the malware’s association with IcedID hints at a broader spectrum of threats looming, including the possibility of collaborations with ransomware entities like Cobalt Strike.

While transitioning from IcedID to Latrodectus remains speculative, the surge in Latrodectus’s usage in phishing campaigns and contact form spam underscores its growing prevalence as a preferred tool for initial network infiltration.

Researchers have urged immediate isolation of affected systems and comprehensive network assessment to mitigate the risk of further compromise.

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me