Latrodectus is an advanced malware loader that poses a serious threat to Windows systems. It is associated with the threat actors TA577 and TA578, as well as the IcedID banking trojan. Typically distributed via phishing campaigns, it delivers malicious attachments or links that, once executed, allow the malware to connect to a command-and-control (C&C) server. On infected systems, Latrodectus copies itself to a hidden directory (%AppData%\falsify_steward\confrontation_98065856.exe) and establishes persistence by creating a scheduled task (C:\Windows\System32\Tasks\anxiety) so that it runs after system reboots. The malware also uses DLL side-loading to execute its main component and communicates with the C&C server to receive commands and exfiltrate stolen data. This article explains how Argus can be used to detect and mitigate Latrodectus malware on Windows endpoints.
REQUIREMENTS
- Argus server or Argus manager
- A Windows victim endpoint with the Argus agent installed
DETECTION CRITERIA
Use Sysmon to monitor several system events on the victim Windows endpoint and create rules on the Argus server to detect the malicious activities of Latrodectus.
Windows endpoint
Steps to configure Sysmon on the endpoint and forward logs from the Sysmon event channel to the Argus server for analysis
- Download Sysmon from https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
- Extract the compressed Sysmon file to a location of your choice
- Using PowerShell, download the Sysmon configuration file sysmonconfig.xml. Replace <SYSMON_EXECUTABLE_PATH> with the path to your Sysmon executable:
wget -Uri https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml -OutFile <SYSMON_EXECUTABLE_PATH>\sysmonconfig.xml
- Switch to the directory with the Sysmon executable. Run the command below to install and start Sysmon using PowerShell with Administrator privileges:
.\Sysmon64.exe -accepteula -i sysmonconfig.xml
- Add the following configuration within the <ossec_config> block of the C:\Program Files (x86)\ossec-agent\ossec.conf file to forward Sysmon events to the Argus server:
<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>
- Restart the Argus agent
Restart-Service -Name wazuh
Argus server
We create custom rules to generate alerts when Latrodectus malware activities are detected on the Windows endpoint.
Steps to create detection rules on the Argus server
1. Add the custom rules for the Latrodectus malware below to the /var/ossec/etc/rules/latrodectus_rules.xml file:
<group name="latrodectus,">
  <!-- Suspicious file creation -->
  <rule id="100900" level="12">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)\\\\.+(exe|dll|bat|msi)</field>
    <field name="win.eventdata.targetFilename" type="pcre2">\\\\Roaming\\\\falsify_steward\\\\.*exe</field>
    <description>$(win.eventdata.image) created the executable $(win.eventdata.targetFilename). Latrodectus malware activity detected.</description>
    <mitre>
      <id>T1204.002</id>
    </mitre>
  </rule>
  <!-- Persistence detection -->
  <rule id="100901" level="12">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.image" type="pcre2">svchost.exe</field>
    <field name="win.eventdata.targetFilename" type="pcre2">\\\\Windows\\\\System32\\\\Tasks\\\\anxiety</field>
    <description>New task creation detected $(win.eventdata.targetFilename). Latrodectus malware detected.</description>
    <mitre>
      <id>T1204.002</id>
      <id>T1547.001</id>
    </mitre>
  </rule>
  <!-- Latrodectus executable sideloading -->
  <rule id="100902" level="12">
    <if_sid>61609</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)\\\\Roaming\\\\falsify_steward\\\\.*exe</field>
    <field name="win.eventdata.imageLoaded" type="pcre2">(?i)\\\\Roaming\\\\falsify_steward\\\\.*exe</field>
    <description>$(win.eventdata.image) executable loaded. Latrodectus malware detected.</description>
    <mitre>
      <id>T1073</id>
      <id>T1204.002</id>
    </mitre>
  </rule>
  <!-- Outbound network connection -->
  <rule id="100903" level="12" ignore="600">
    <if_sid>61605</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)\\\\Roaming\\\\falsify_steward\\\\.*exe</field>
    <!-- Dots are escaped so the pattern matches a dotted IPv4 address rather than any four digit runs -->
    <field name="win.eventdata.destinationIp" type="pcre2">\d+\.\d+\.\d+\.\d+</field>
    <description>Latrodectus malware related activity: Network connection to $(win.eventdata.destinationIp):$(win.eventdata.destinationPort) detected.</description>
    <mitre>
      <id>T1071</id>
    </mitre>
  </rule>
</group>
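To check how the four rules above behave before loading them on the server, the following Python snippet (an added example, not part of the original page or of the Argus ruleset) replays the rule logic over constructed Sysmon events. It assumes that 61613, 61609 and 61605 are the base rules for Sysmon event IDs 11, 7 and 3 respectively, and that decoded event paths carry doubled backslashes, which is what the rules' `\\\\` patterns expect; verify both against a real alert from your own deployment.

```python
import re

# Sysmon event IDs behind the base rules the page's <if_sid> values reference
# (assumption: 11 = FileCreate, 7 = ImageLoad, 3 = NetworkConnect).
PARENT_SID = {11: 61613, 7: 61609, 3: 61605}

# The page's rules: (rule id, parent sid, {eventdata field: pcre2 pattern}).
# Raw strings keep the doubled backslashes exactly as they appear in the XML.
RULES = [
    (100900, 61613, {"image": r"(?i)\\\\.+(exe|dll|bat|msi)",
                     "targetFilename": r"\\\\Roaming\\\\falsify_steward\\\\.*exe"}),
    (100901, 61613, {"image": r"svchost.exe",
                     "targetFilename": r"\\\\Windows\\\\System32\\\\Tasks\\\\anxiety"}),
    (100902, 61609, {"image": r"(?i)\\\\Roaming\\\\falsify_steward\\\\.*exe",
                     "imageLoaded": r"(?i)\\\\Roaming\\\\falsify_steward\\\\.*exe"}),
    (100903, 61605, {"image": r"(?i)\\\\Roaming\\\\falsify_steward\\\\.*exe",
                     "destinationIp": r"\d+\.\d+\.\d+\.\d+"}),
]


def matching_rules(event):
    """Return the rule ids that fire for one decoded Sysmon event.

    A rule fires when its parent sid matches the event and every <field>
    pattern is found; pcre2 fields are unanchored, hence re.search.
    """
    sid = PARENT_SID.get(event["eventID"])
    hits = []
    for rule_id, parent, fields in RULES:
        if sid != parent:
            continue
        data = event["eventdata"]
        if all(re.search(pat, data.get(name, "")) for name, pat in fields.items()):
            hits.append(rule_id)
    return hits


# Constructed sample events (win.system.eventID plus win.eventdata fields).
# Path strings use doubled backslashes, as the rules' patterns expect (assumption).
DROP = "C:\\\\Users\\\\user\\\\AppData\\\\Roaming\\\\falsify_steward\\\\confrontation_98065856.exe"
SAMPLE_EVENTS = [
    {"eventID": 11, "eventdata": {"image": "C:\\\\Users\\\\user\\\\Downloads\\\\invoice.exe",
                                  "targetFilename": DROP}},
    {"eventID": 11, "eventdata": {"image": "C:\\\\Windows\\\\System32\\\\svchost.exe",
                                  "targetFilename": "C:\\\\Windows\\\\System32\\\\Tasks\\\\anxiety"}},
    {"eventID": 7, "eventdata": {"image": DROP, "imageLoaded": DROP}},
    {"eventID": 3, "eventdata": {"image": DROP, "destinationIp": "203.0.113.10",
                                 "destinationPort": "443"}},
    # Benign: a non-executable written to the same folder must not fire 100900.
    {"eventID": 11, "eventdata": {"image": "C:\\\\Windows\\\\notepad.exe",
                                  "targetFilename": "C:\\\\Users\\\\user\\\\AppData\\\\Roaming\\\\falsify_steward\\\\notes.txt"}},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["eventID"], matching_rules(ev))
```

Note that `.*exe` is unanchored, so a file such as `exe_notes.txt` in the drop folder would also satisfy it; anchor with `\.exe$` if that produces noise in your environment.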
MONITORING THE ALERTS
The alerts below are generated on the Argus dashboard when Latrodectus malware is executed on the endpoint.
Steps to view the alerts on the Argus dashboard
1. Navigate to Threat Hunting > Events
2. Click on Add filter
3. Filter for rule.id in the Field
4. Select is one of in the Operator field and enter 100900, 100902 in the Values field
5. Click on Save
Rule ID 100900 is triggered when Latrodectus replicates itself in a hidden system location.
Rule ID 100902 is triggered when Latrodectus sideloads itself from a hidden location.
DETECTING AND REMOVING LATRODECTUS MALWARE WITH VIRUSTOTAL AND INCIDENT RESPONSE
VirusTotal is a security platform that combines antivirus engines and online scanning tools. It provides an API for checking URLs, IP addresses, domains, or file hashes for potential security threats. Argus can be configured to automatically query the VirusTotal API with the hashes of files created or modified on monitored endpoints.
To enhance threat detection, we configure the Argus File Integrity Monitoring (FIM) module to track and scan files added or modified in specific directories on Windows endpoints. Additionally, the Argus incident response module is set up to automatically remove files flagged as malicious by VirusTotal, ensuring prompt mitigation of potential threats.
Windows endpoint
Configure the Argus FIM module and create an active response script
Steps to configure the FIM module:
1. Append the following configuration to the C:\Program Files (x86)\ossec-agent\ossec.conf file of the Argus agent to monitor for the Latrodectus malware file. In our case, we configure the FIM module to monitor the Downloads folder:
<ossec_config>
  <syscheck>
    <directories check_all="yes" realtime="yes">C:\Users\*\Downloads</directories>
  </syscheck>
</ossec_config>
2. Restart the Argus agent by running the following PowerShell command as an administrator:
Restart-Service -Name wazuh
Steps to create the active response Python script:
We create an active response script to remove the Latrodectus malware when VirusTotal identifies it as a threat.
1. Download Python 3.12.6 and run the installer. Select the following checkboxes in the installer dialog box:
- Use admin privileges when installing py.exe.
- Add Python.exe to PATH.
2. Run the following command with administrative privileges in PowerShell to install PyInstaller:
>> pip install -U pyinstaller
3. Create an active response script remove-threat.py on the Windows endpoint with the following content:
#!/usr/bin/python3
# Copyright (C) 2015-2022, Wazuh Inc.
# All rights reserved.

import os
import sys
import json
import datetime

# Active response log location differs between Windows and Linux agents
if os.name == 'nt':
    LOG_FILE = "C:\\Program Files (x86)\\ossec-agent\\active-response\\active-responses.log"
else:
    LOG_FILE = "/var/ossec/logs/active-responses.log"

# Commands the manager can send, and the replies to a check_keys request
ADD_COMMAND = 0
DELETE_COMMAND = 1
CONTINUE_COMMAND = 2
ABORT_COMMAND = 3

OS_SUCCESS = 0
OS_INVALID = -1


class message:
    # Holds the decoded alert and the command the manager requested
    def __init__(self):
        self.alert = ""
        self.command = 0


def write_debug_file(ar_name, msg):
    # Append a timestamped line to the active response log
    with open(LOG_FILE, mode="a") as log_file:
        log_file.write(str(datetime.datetime.now().strftime('%Y/%m/%d %H:%M:%S')) + " " + ar_name + ": " + msg + "\n")


def setup_and_check_message(argv):
    # get alert from stdin (the manager sends one JSON line)
    input_str = ""
    for line in sys.stdin:
        input_str = line
        break

    try:
        data = json.loads(input_str)
    except ValueError:
        write_debug_file(argv[0], 'Decoding JSON has failed, invalid input format')
        message.command = OS_INVALID
        return message

    message.alert = data

    command = data.get("command")

    if command == "add":
        message.command = ADD_COMMAND
    elif command == "delete":
        message.command = DELETE_COMMAND
    else:
        message.command = OS_INVALID
        write_debug_file(argv[0], 'Not valid command: ' + str(command))

    return message


def send_keys_and_check_message(argv, keys):
    # build and send message with keys; the manager answers continue or abort
    keys_msg = json.dumps({"version": 1, "origin": {"name": argv[0], "module": "active-response"}, "command": "check_keys", "parameters": {"keys": keys}})

    write_debug_file(argv[0], keys_msg)

    print(keys_msg)
    sys.stdout.flush()

    # read the response of previous message
    input_str = ""
    while True:
        line = sys.stdin.readline()
        if line:
            input_str = line
            break

    # write_debug_file(argv[0], input_str)

    try:
        data = json.loads(input_str)
    except ValueError:
        write_debug_file(argv[0], 'Decoding JSON has failed, invalid input format')
        return OS_INVALID

    action = data.get("command")

    if "continue" == action:
        ret = CONTINUE_COMMAND
    elif "abort" == action:
        ret = ABORT_COMMAND
    else:
        ret = OS_INVALID
        write_debug_file(argv[0], "Invalid value of 'command'")

    return ret


def main(argv):
    write_debug_file(argv[0], "Started")

    # validate json and get command
    msg = setup_and_check_message(argv)

    if msg.command < 0:
        sys.exit(OS_INVALID)

    if msg.command == ADD_COMMAND:
        alert = msg.alert["parameters"]["alert"]
        keys = [alert["rule"]["id"]]
        action = send_keys_and_check_message(argv, keys)

        # if necessary, abort execution
        if action != CONTINUE_COMMAND:
            if action == ABORT_COMMAND:
                write_debug_file(argv[0], "Aborted")
                sys.exit(OS_SUCCESS)
            else:
                write_debug_file(argv[0], "Invalid command")
                sys.exit(OS_INVALID)

        # remove the file VirusTotal flagged; the path comes from the alert itself
        try:
            os.remove(msg.alert["parameters"]["alert"]["data"]["virustotal"]["source"]["file"])
            write_debug_file(argv[0], json.dumps(msg.alert) + " Successfully removed threat")
        except OSError as error:
            write_debug_file(argv[0], json.dumps(msg.alert) + " Error removing threat: " + str(error))

    else:
        write_debug_file(argv[0], "Invalid command")

    write_debug_file(argv[0], "Ended")

    sys.exit(OS_SUCCESS)


if __name__ == "__main__":
    main(sys.argv)
4. Convert the Python script remove-threat.py to an executable file by running the command below:
>> pyinstaller -F remove-threat.py
5. Move the executable file remove-threat.exe from the \dist folder under your current working directory to C:\Program Files (x86)\ossec-agent\active-response\bin.
6. Restart the Argus agent to apply the changes by running the following PowerShell command as an administrator:
>> Restart-Service -Name wazuh
Argus server
We configure VirusTotal to scan files monitored on Windows endpoints against public malware engines for signs of malicious behavior. If VirusTotal identifies a file as malicious, the Argus active response module is set to execute the remove-threat command to eliminate the threat automatically.
VirusTotal Configuration
1. Get your VirusTotal API key
2. Append the configuration below to the /var/ossec/etc/ossec.conf file to scan the files with VirusTotal:
<ossec_config>
  <integration>
    <name>virustotal</name>
    <api_key><API_KEY></api_key> <!-- Replace with your VirusTotal API key -->
    <rule_id>554,550</rule_id>
    <alert_format>json</alert_format>
  </integration>
</ossec_config>
Note: Replace the <API_KEY> with your VirusTotal API key.
Active response configuration
Append the following configuration to the /var/ossec/etc/ossec.conf file:
<ossec_config>
  <command>
    <name>remove-threat</name>
    <executable>remove-threat.exe</executable>
    <timeout_allowed>no</timeout_allowed>
  </command>
  <active-response>
    <disabled>no</disabled>
    <command>remove-threat</command>
    <location>local</location>
    <rules_id>87105</rules_id>
  </active-response>
</ossec_config>
Add the following rules to the /var/ossec/etc/rules/local_rules.xml file to generate alerts when the active response module successfully removes the malicious files.
<group name="virustotal,">
  <!-- VirusTotal detection rules -->
  <rule id="100204" level="12">
    <if_sid>657</if_sid>
    <match>Successfully removed threat</match>
    <description>$(parameters.program) removed threat located at $(parameters.alert.data.virustotal.source.file)</description>
  </rule>
  <rule id="100205" level="12">
    <if_sid>657</if_sid>
    <match>Error removing threat</match>
    <description>Error removing threat located at $(parameters.alert.data.virustotal.source.file)</description>
  </rule>
</group>
3. Restart the Argus manager
>> systemctl restart wazuh-manager
INCIDENT RESPONSE RESULT
To test the configuration, a sample of the Latrodectus malware is added to the Downloads folder on the victim Windows endpoint. Perform the following steps to view the detection and incident response alerts on the Argus dashboard.
1. Navigate to Threat Hunting > Events
2. Click on Add filter
3. Filter for rule.id in the Field
4. Enter 553, 554 in the Values field
5. Click on Save
CONCLUSION
This use case demonstrates how to use Argus to detect and respond to Latrodectus malware on a Windows endpoint. By integrating Sysmon, we enrich the Windows event logs from the affected endpoint and create detection rules for the malicious activities linked to Latrodectus. Additionally, we leverage VirusTotal with Argus's incident response module to scan for and automatically remove malware files from the infected endpoint.