Latrodectus updates to version 1.4 with AES-256 string encryption

We found a new Latrodectus version (1.4) that switches its string encryption routine to AES-256.

This new version also utilizes the /test/ C2 endpoint, indicating that it is an early testing sample for this version.

In a nutshell:

PRNG and XOR string decryption replaced by AES-256

New FNV1a32 Campaign ID 619171486 corresponds to the campaign name “Wiski”

New RC4 key “2sDbsEUXvhgLOO4Irt8AF6el3jJ0M1MowXyao00Nn6ZUjtjXwb” used to encrypt the C2 traffic

Switch to the new C2 endpoint /test/ instead of /live/, indicating a development version

Stealthy self-deletion technique that renames the primary data stream to :wtfbbq

Creates a mutex named “running”
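The campaign-ID mapping above can be checked by hashing candidate campaign names with 32-bit FNV-1a and comparing against the ID recovered from a sample. This is an added example, not code from the VMRay report; “Wiski” and 619171486 come from the page, the other candidate names are constructed placeholders.

```python
from typing import Iterable, Optional

# Added example (not from the VMRay report): resolve a Latrodectus campaign ID
# to a campaign name by hashing a list of candidate names with FNV-1a (32-bit).

FNV1A32_OFFSET = 0x811C9DC5  # standard 32-bit FNV offset basis
FNV1A32_PRIME = 0x01000193   # standard 32-bit FNV prime


def fnv1a32(data: bytes) -> int:
    """Standard 32-bit FNV-1a: XOR each byte in, then multiply by the prime mod 2^32."""
    h = FNV1A32_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV1A32_PRIME) & 0xFFFFFFFF
    return h


def resolve_campaign_id(campaign_id: int, candidates: Iterable[str]) -> Optional[str]:
    """Return the candidate name whose FNV-1a hash equals campaign_id, or None."""
    for name in candidates:
        if fnv1a32(name.encode("ascii")) == campaign_id:
            return name
    return None


# "Wiski" is the campaign name from the report; the other entries are constructed
# placeholders standing in for campaign names seen in earlier samples.
KNOWN_CAMPAIGN_NAMES = ["Wiski", "placeholder_campaign_a", "placeholder_campaign_b"]

if __name__ == "__main__":
    cid = 619171486  # Campaign ID from the report (0x24E7CE9E)
    print(f"fnv1a32('Wiski') = {fnv1a32(b'Wiski')}")  # 619171486
    print(f"campaign {cid} -> {resolve_campaign_id(cid, KNOWN_CAMPAIGN_NAMES)}")  # Wiski
```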

Sample SHA256:

5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8
