Monday, November 11, 2024

2024-10-30 Lunar Spider's Latrodectus JS loader samples

2024-10-30 EclecticIQ: Inside Intelligence Center: LUNAR SPIDER Enabling Ransomware Attacks on Financial Sector with Brute Ratel C4 and Latrodectus

LUNAR SPIDER’s recent campaign used Latrodectus, a heavily obfuscated JavaScript loader, to deliver Brute Ratel C4 payloads targeting the financial sector. Key technical observations include:

Malvertising and SEO Poisoning: Victims searching for tax-related content are redirected to download malicious JavaScript files such as Document-16-32-50.js. These scripts retrieve an MSI installer, which deploys Brute Ratel C4 (BRc4) by disguising the payload as legitimate software (the DLL vierm_soft_x64.dll, launched via rundll32). This method exemplifies advanced evasion tactics used to bypass detection.

Command and Control (C2) Infrastructure: BRc4 communicates with multiple C2 domains, such as bazarunet[.]com and tiguanin[.]com, giving the operators remote access and command execution on compromised systems.

Persistent infrastructure overlaps include SSL certificates whose issuer fields read "AU," "Some-State," and "Internet Widgits Pty Ltd," a combination frequently linked to LUNAR SPIDER’s IcedID operations. Additionally, ASN 395092 (SHOCK-1) consistently hosts both IcedID and Latrodectus campaigns, indicating a shared resource pool across malware families.
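The issuer-field overlap above is a useful hunting pivot: "AU", "Some-State" and "Internet Widgits Pty Ltd" are the values OpenSSL fills in when a certificate is generated without answering its prompts. The script below is an added example, not part of the post or the EclecticIQ report; it parses issuer DNs from constructed TLS-session records (field names modelled on Zeek's ssl.log are an assumption of the example) and flags the default-issuer pattern, strengthening the verdict when the serving IP also sits in ASN 395092.

```python
"""Triage TLS session records for the default-OpenSSL issuer pattern and the
ASN the report ties to LUNAR SPIDER. Records below are constructed samples."""
import re

# Issuer attributes quoted in the report. All three must match.
SUSPECT_ISSUER = {"C": "AU", "ST": "Some-State", "O": "Internet Widgits Pty Ltd"}
SUSPECT_ASNS = {395092}  # SHOCK-1, per the report


def parse_dn(dn: str) -> dict:
    """Parse an RFC 4514-style DN ('C=AU,ST=Some-State,O=...') into a dict.
    Commas inside a value are escaped as '\\,' and must not split the DN."""
    attrs = {}
    for part in re.split(r"(?<!\\),", dn):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        attrs[key.strip().upper()] = value.strip().replace("\\,", ",")
    return attrs


def issuer_matches(dn: str) -> bool:
    """True when every suspect attribute is present with the expected value."""
    attrs = parse_dn(dn)
    return all(attrs.get(k) == v for k, v in SUSPECT_ISSUER.items())


def triage(records: list) -> list:
    """Return (server_name, reasons) for records worth an analyst's look.
    The default issuer alone is weak evidence (lab and appliance certs look
    the same); issuer plus a known-bad ASN is a much stronger signal."""
    hits = []
    for rec in records:
        reasons = []
        if issuer_matches(rec["issuer"]):
            reasons.append("default-openssl-issuer")
        if rec.get("asn") in SUSPECT_ASNS:
            reasons.append("asn-395092")
        if reasons:
            hits.append((rec["server_name"], "+".join(reasons)))
    return hits


SAMPLE_RECORDS = [  # constructed for this example; hostnames are placeholders
    {"server_name": "bank-portal.test", "issuer": "CN=R3,O=Let's Encrypt,C=US", "asn": 13335},
    {"server_name": "lab-host.test", "issuer": "C=AU,ST=Some-State,O=Internet Widgits Pty Ltd", "asn": 64496},
    {"server_name": "c2-candidate.test", "issuer": "C=AU,ST=Some-State,O=Internet Widgits Pty Ltd,CN=srv", "asn": 395092},
]

if __name__ == "__main__":
    for name, why in triage(SAMPLE_RECORDS):
        print(f"{name}: {why}")
```

Only the third record combines both signals; the second shows why the issuer test alone should feed a hunt, not an alert.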

The BRc4 payload modifies the Windows registry, specifically adding an entry under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run for persistence across reboots.

Intelligence indicates LUNAR SPIDER shares infrastructure and malware services with other groups such as ALPHV/BlackCat and WIZARD SPIDER. For instance, the domains peronikilinfer[.]com and jkbarmossen[.]com were both hosted on IP 173[.]255[.]204[.]62, serving as C2s for IcedID and Latrodectus, respectively.

This infrastructure overlap, along with passive DNS correlations, suggests tight operational ties and indicates LUNAR SPIDER’s role as a critical access broker for ransomware operators.

The Document-16-32-50.js script was obfuscated to evade detection. Analysts de-obfuscated it, revealing that it downloads and executes the MSI payload from 45[.]14[.]244[.]124/dsa.msi. The script checks for Windows Installer (WindowsInstaller.Installer) and iterates over the available drives (i < drives.length) to control its execution flow.

Download
File Information
Malware Repo Links
Over the 15 years the blog has been around, many hosting providers have dropped support due to stricter no-malware policies. This has led to broken links, especially in older posts. If you find a broken link on contagiodump.blogspot.com (or contagiominidump.blogspot.com), note the file name from the URL and search for it in the Contagio Malware Storage.
