LUNAR SPIDER’s recent campaign used Latrodectus, a heavily obfuscated JavaScript loader, to deliver Brute Ratel C4 payloads targeting the financial sector. Key technical observations include:
Malvertising and SEO Poisoning: Victims searching for tax-related content are redirected to download malicious JavaScript files such as Document-16-32-50.js. These scripts retrieve an MSI installer, which deploys Brute Ratel C4 (BRc4) by disguising the payload as legitimate software (vierm_soft_x64.dll launched via rundll32). This staging chain exemplifies evasion tactics designed to bypass detection.
Command and Control (C2) Infrastructure:
BRc4 communicates with multiple C2 domains, such as bazarunet[.]com and tiguanin[.]com, allowing remote access and command execution on compromised systems.
Persistent infrastructure overlaps include SSL certificates with issuer fields "AU," "Some-State," and "Internet Widgits Pty Ltd," frequently linked to LUNAR SPIDER’s IcedID operations. Additionally, ASN 395092 (SHOCK-1) consistently hosts both IcedID and Latrodectus campaigns, indicating a shared resource pool across malware families.
The BRc4 payload modifies the Windows registry, specifically adding an entry under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run for persistence across reboots.
Intelligence indicates LUNAR SPIDER shares infrastructure and malware services with other groups like ALPHV/BlackCat and WIZARD SPIDER. For instance, domains such as peronikilinfer[.]com and jkbarmossen[.]com were both hosted on IP 173[.]255[.]204[.]62, serving as C2s for IcedID and Latrodectus, respectively.
This infrastructure overlap, along with passive DNS correlations, suggests tight operational ties and indicates LUNAR SPIDER’s role as a critical access broker for ransomware operators.
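The indicators in the C2 section above (domains, the shared IP, the SHOCK-1 ASN, the OpenSSL-default certificate issuer fields and the Run-key persistence) can be turned into a small hunting routine over normalised endpoint and network telemetry. The following is an added example and not code from the original post or from any vendor tooling; the indicator values are taken from the write-up as published (kept defanged), while the event format, the user-profile DLL path and all sample events are constructed for illustration. Note that the issuer fields "AU", "Some-State" and "Internet Widgits Pty Ltd" are simply OpenSSL's default prompt answers, so that check is treated as a weak indicator to be combined with the others.

```python
import re

# Indicators below are taken verbatim from the write-up (kept defanged);
# the event schema and SAMPLE_EVENTS are constructed for this example.
C2_DOMAINS = {"bazarunet[.]com", "tiguanin[.]com", "peronikilinfer[.]com", "jkbarmossen[.]com"}
C2_IPS = {"173[.]255[.]204[.]62"}
SHARED_ASN = 395092          # SHOCK-1: hosts both IcedID and Latrodectus infrastructure
PAYLOAD_DLL = "vierm_soft_x64.dll"
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
# OpenSSL's default prompt answers. On their own they only mean "someone accepted
# the defaults", so this is a weak indicator that needs corroboration.
OPENSSL_DEFAULT_ISSUER = {"C": "AU", "ST": "Some-State", "O": "Internet Widgits Pty Ltd"}


def refang(s: str) -> str:
    """Turn the defanged form used in reports back into a matchable string."""
    return s.replace("[.]", ".")


_DOMAINS = {refang(d) for d in C2_DOMAINS}
_IPS = {refang(i) for i in C2_IPS}


def match_domain(qname: str):
    """Return the matching C2 domain on an exact or subdomain match, else None."""
    q = qname.lower().rstrip(".")
    for d in _DOMAINS:
        if q == d or q.endswith("." + d):
            return d
    return None


def parse_dn(dn: str) -> dict:
    """Parse 'C=AU, ST=Some-State, O=...' into a dict; attribute order does not matter."""
    out = {}
    for part in dn.split(","):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip().upper()] = v.strip()
    return out


def is_openssl_default_issuer(issuer_dn: str) -> bool:
    fields = parse_dn(issuer_dn)
    return all(fields.get(k) == v for k, v in OPENSSL_DEFAULT_ISSUER.items())


def run_key_reasons(key: str, data: str) -> list:
    """Reasons a Run-key value resembles the BRc4 persistence described above."""
    reasons = []
    if key.lower() != RUN_KEY.lower():
        return reasons
    d = data.lower()
    if PAYLOAD_DLL in d:
        reasons.append(f"Run value references {PAYLOAD_DLL}")
    # rundll32 loading a DLL from under \Users\ at logon is unusual for legitimate software.
    if "rundll32" in d and re.search(r"[a-z]:\\users\\[^\"']+\.dll", d):
        reasons.append("rundll32 launching a DLL from a user-profile path at logon")
    return reasons


def hunt(events: list) -> list:
    """Evaluate normalised telemetry events and return a list of findings."""
    findings = []
    for ev in events:
        t = ev["type"]
        if t == "dns" and (d := match_domain(ev["query"])):
            findings.append({"event": ev, "reason": f"DNS query for known C2 domain {d}"})
        elif t == "netconn":
            if ev["dst_ip"] in _IPS:
                findings.append({"event": ev, "reason": "connection to shared IcedID/Latrodectus C2 IP"})
            elif ev.get("asn") == SHARED_ASN:
                findings.append({"event": ev, "reason": f"destination in ASN {SHARED_ASN} (SHOCK-1), weak indicator"})
        elif t == "tls" and is_openssl_default_issuer(ev["issuer"]):
            findings.append({"event": ev, "reason": "server cert with OpenSSL default issuer fields, weak indicator"})
        elif t == "registry":
            for r in run_key_reasons(ev["key"], ev["data"]):
                findings.append({"event": ev, "reason": r})
    return findings


SAMPLE_EVENTS = [  # constructed telemetry; the DLL path is illustrative, not from the report
    {"type": "dns", "query": "update.tiguanin.com"},
    {"type": "dns", "query": "www.example.com"},
    {"type": "netconn", "dst_ip": "173.255.204.62", "dst_port": 443},
    {"type": "netconn", "dst_ip": "198.51.100.7", "dst_port": 443, "asn": 395092},
    {"type": "tls", "issuer": "C=AU, ST=Some-State, O=Internet Widgits Pty Ltd"},
    {"type": "tls", "issuer": "C=US, O=Let's Encrypt, CN=R3"},
    {"type": "registry", "key": RUN_KEY,
     "data": r'rundll32.exe "C:\Users\alice\AppData\Roaming\vierm_soft_x64.dll"'},
    {"type": "registry", "key": RUN_KEY,
     "data": r'"C:\Program Files\Vendor\Updater.exe" /background'},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["reason"], "->", f["event"])
```

Running the block prints six findings for the constructed events: the subdomain DNS query, the shared C2 IP, the SHOCK-1 destination, the default-issuer certificate, and two reasons for the same Run-key value. The two weak indicators (ASN and issuer) are reported separately so an analyst can weight them rather than alert on them alone.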
The Document-16-32-50.js script was obfuscated to evade detection. After de-obfuscation, analysts found that it downloads and executes the MSI payload from 45[.]14[.]244[.]124/dsa.msi. The script instantiates the Windows Installer COM object (WindowsInstaller.Installer) and iterates over the available drives (i < drives.length) as part of its control flow.
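A static triage pass can surface the markers named above even when a dropper splits its strings into concatenated fragments. The following is an added example, not the original Document-16-32-50.js or the analysts' de-obfuscation tooling: the marker strings and the stager address come from the write-up, the concatenation-folding heuristic is a generic technique, and the sample script is a constructed stand-in that keeps the stager address defanged on purpose (triage() refangs before matching).

```python
import re

# Markers named in the write-up; SAMPLE_SCRIPT below is constructed, not the real dropper.
MARKERS = {
    "msi_installer_com_object": re.compile(r"WindowsInstaller\.Installer", re.I),
    "msi_download_url": re.compile(r"https?://[\w.\-]+(?::\d+)?/[\w./\-]*\.msi", re.I),
    "drive_enumeration_loop": re.compile(r"\w+\s*<\s*\w+\.length"),   # e.g. i < drives.length
}
KNOWN_STAGER = "45.14.244.124/dsa.msi"   # refanged form of the address in the write-up

_LITERAL = r'(?:"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\')'
_CONCAT = re.compile(_LITERAL + r"(?:\s*\+\s*" + _LITERAL + r")+")


def fold_concatenation(script: str) -> str:
    """Merge "a" + 'b' + "c" chains into one literal so split markers become visible."""
    def join(m):
        parts = re.findall(_LITERAL, m.group(0))
        return '"' + "".join(p[1:-1] for p in parts) + '"'
    return _CONCAT.sub(join, script)


def refang(s: str) -> str:
    return s.replace("[.]", ".")


def triage(script: str) -> dict:
    """Fold string concatenation, refang, then look for the markers from the analysis."""
    folded = refang(fold_concatenation(script))
    hits = {name: sorted(set(rx.findall(folded))) for name, rx in MARKERS.items()}
    hits = {name: v for name, v in hits.items() if v}
    known = KNOWN_STAGER in folded
    if known or len(hits) >= 2:
        verdict = "likely_latrodectus_stager"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "no_match"
    return {"markers": hits, "known_stager": known, "verdict": verdict}


SAMPLE_SCRIPT = r'''
// Constructed stand-in for a Latrodectus-style dropper; not the real Document-16-32-50.js.
// The stager address is kept defanged ("[.]") on purpose; triage() refangs before matching.
var inst = new ActiveXObject("Windows" + "Installer" + ".Installer");
var url = "http://45[.]14" + "[.]244[.]124/dsa" + ".msi";
var drives = ["C:", "D:"];
for (var i = 0; i < drives.length; i++) {
    // per-drive logic elided in this constructed sample
}
'''

BENIGN_SCRIPT = r'''
var greeting = "hello" + " world";
for (var i = 0; i < 3; i++) { console.log(greeting); }
'''

if __name__ == "__main__":
    print(triage(SAMPLE_SCRIPT))
    print(triage(BENIGN_SCRIPT))
```

Folding concatenation before matching is what lets "Windows" + "Installer" + ".Installer" and the split URL surface as single strings; a scanner that only greps the raw file misses both. The drive-loop pattern is generic JavaScript and is only meaningful alongside the other markers, which is why a single hit yields "suspicious" rather than a positive verdict.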
Samples (SHA-256):
├── Brute Ratel C4
│   ├── 1b9e17bfbd292075956cc2006983f91e17aed94ebbb0fb370bf83d23b14289fa
│   ├── 28f5e949ecad3606c430cea5a34d0f3e7218f239bcfa758a834dceb649e78abc
│   ├── 29549b75a198ad3aee4f8b9ea328bc9a73eb0e0d07e36775438bbe7268d453f9
│   └── c3f8ebc9cfb7ebe1ebbe3a4210753b271fecf73392fef98519b823a3e7c056c7
├── Latrodectus JS
│   ├── 6dabcf67c89c50116c4e8ae0fafb003139c21b3af84e23b57e16a975b7c2341f
│   ├── 937d07239cbfee2d34b7f1fae762ac72b52fb2b710e87e02fa758f452aa62913
│   └── fb242f64edbf8ae36a4cf5a80ba8f21956409b448eb0380949bb9152373db981
└── msi
    ├── 1b9e17bfbd292075956cc2006983f91e17aed94ebbb0fb370bf83d23b14289fa
    ├── 29549b75a198ad3aee4f8b9ea328bc9a73eb0e0d07e36775438bbe7268d453f9
    ├── c3f8ebc9cfb7ebe1ebbe3a4210753b271fecf73392fef98519b823a3e7c056c7
    └── ea1792f689bfe5ad3597c7f877b66f9fcf80d732e5233293d52d374d50cab991
Over the 15 years this blog has been around, many hosting providers have dropped support due to stricter no-malware policies. This has led to broken links, especially in older posts. If you find a broken link on contagiodump.blogspot.com (or contagiominidump.blogspot.com), just note the file name from the URL and search for it in the Contagio Malware Storage.