Attackers have adopted a new tactic to spread the Latrodectus malware through phishing campaigns: the lures are disguised as notifications from Microsoft Azure and Cloudflare, which makes the messages harder for security systems and recipients to flag.
Latrodectus, also tracked as Unidentified 111 and IceNova, is a malware loader: once running, it downloads and executes additional EXE and DLL payloads or carries out commands from its operators. The malware has been analyzed by researchers at Proofpoint and Team Cymru.
According to threat researcher ProxyLife and the Cryptolaemus group, the latest Latrodectus campaign uses a fake Cloudflare captcha to get past security scanners: an automated scanner or sandbox that cannot solve the challenge never reaches the payload, while a human victim simply clicks through. The attackers distribute phishing emails with links or attachments that lead to installation of the malware.
These emails carry PDF attachments or embedded URLs that start an attack chain ending in a Latrodectus infection. When the user clicks the “Download Document” button, they are sent to a fake Cloudflare security-check page that asks them to solve a simple math problem before proceeding.
Once the correct answer is entered, a JavaScript file is delivered, disguised as a document but carrying embedded code. That code downloads an MSI file from a hardcoded URL; when the MSI is installed, it drops a DLL into the “%AppData%\Custom_update” folder and launches it with “rundll32.exe”.
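The chain above leaves two observable marks in process-creation telemetry: msiexec.exe started by a script host (the JavaScript stage installing the MSI), and rundll32.exe loading a DLL from the %AppData%\Custom_update folder. The following detection logic is an added example written for this page, not code from the researchers or the article; it runs over constructed Sysmon-style events (made up here, not real captures), and it goes beyond the page's specific case with a third rule that flags any rundll32.exe loading a DLL from a user profile, since the staging folder name is something the operators can change at will. The assumption that the MSI is installed via msiexec.exe launched by wscript.exe or cscript.exe is inferred from the description of the JavaScript stage, not stated on the page.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """Minimal process-creation record, Sysmon Event ID 1 / EDR style."""
    image: str          # full path of the new process
    cmdline: str        # its command line
    parent_image: str   # full path of the parent process

# Constructed sample telemetry modelled on the chain described in the text.
# File names, user name and export are invented for the example.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\alice\Downloads\Document.js"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "C:\Users\alice\AppData\Local\Temp\update.msi" /qn',
              r"C:\Windows\System32\wscript.exe"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r'rundll32.exe "C:\Users\alice\AppData\Roaming\Custom_update\update.dll",run',
              r"C:\Windows\System32\msiexec.exe"),
    # Benign noise that must not fire: Control Panel applet and a user-started installer.
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "C:\Users\alice\Downloads\7zip.msi"',
              r"C:\Windows\explorer.exe"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Staging folder from the article, matched both unexpanded (%AppData%) and
# expanded (...\AppData\Roaming), case-insensitively.
CUSTOM_UPDATE_RE = re.compile(r"(?:%appdata%|\\appdata\\roaming)\\custom_update\\", re.I)

# Broader rule (assumption, beyond the page): rundll32 loading any DLL that
# lives under a user profile's AppData tree.
USER_DLL_RE = re.compile(r"\\users\\[^\\]+\\appdata\\[^\s\"]*\.dll\b", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


RULES = [
    ("msiexec_from_script_host",
     lambda e: basename(e.image) == "msiexec.exe"
               and basename(e.parent_image) in SCRIPT_HOSTS),
    ("rundll32_custom_update_dir",
     lambda e: basename(e.image) == "rundll32.exe"
               and CUSTOM_UPDATE_RE.search(e.cmdline) is not None),
    ("rundll32_dll_from_user_profile",
     lambda e: basename(e.image) == "rundll32.exe"
               and USER_DLL_RE.search(e.cmdline) is not None),
]


def detect(events):
    """Return (rule_name, event) for every rule that fires, in event order."""
    return [(name, e) for e in events for name, pred in RULES if pred(e)]


def chain_observed(events) -> bool:
    """True when both the install stage and the execute stage were seen,
    which is stronger evidence than either rule alone."""
    fired = {name for name, _ in detect(events)}
    return ("msiexec_from_script_host" in fired and
            bool(fired & {"rundll32_custom_update_dir",
                          "rundll32_dll_from_user_profile"}))


if __name__ == "__main__":
    for name, ev in detect(SAMPLE_EVENTS):
        print(f"[{name}] {ev.cmdline}  (parent: {basename(ev.parent_image)})")
    print("full chain observed:", chain_observed(SAMPLE_EVENTS))
```

The third rule will produce some noise in environments where legitimate software registers per-user DLLs, so treat it as a hunting query and the first two as alertable; the combination check in chain_observed is the one to page on.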
Latrodectus then runs in the background, waiting for additional modules or commands from its operators. It has previously been seen delivering Lumma Stealer and Danabot. Because Latrodectus is linked to IcedID, which was used to gain initial access to corporate networks, an infection could lead to follow-on payloads such as Cobalt Strike and to hand-offs to ransomware groups.
If a device is infected, isolate it from the network immediately and review network and endpoint telemetry for related activity, since the loader may already have pulled down further payloads.