
Detecting and responding to Latrodectus malware


Latrodectus is a malware loader that poses a serious threat to Windows systems. It has been attributed to the threat actors TA577 and TA578 and is linked to the IcedID banking trojan. It is typically distributed through phishing campaigns whose malicious attachments or links, once executed, let the loader connect to a command-and-control (C&C) server. On an infected system, Latrodectus copies itself to a hidden directory (%AppData%\falsify_steward\confrontation_98065856.exe) and establishes persistence by creating a scheduled task (C:\Windows\System32\Tasks\anxiety) so that it runs again after a reboot. It also uses DLL side-loading to execute its main component and communicates with the C&C server to receive commands and exfiltrate stolen data. This article explains how Argus can be used to detect and mitigate Latrodectus on Windows endpoints.

REQUIREMENTS

  • Argus server or Argus manager
  • A Windows victim endpoint with the Argus agent installed

DETECTION CRITERIA

Use Sysmon to monitor several system events on the victim Windows endpoint and create rules on the Argus server to detect the malicious activities of Latrodectus.

Windows endpoint

Steps to configure Sysmon on the endpoint and forward the Sysmon event channel logs to the Argus server for analysis:

  1. Download Sysmon from https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
  2. Extract the compressed Sysmon file to a location of your choice.
  3. Using PowerShell, download the Sysmon configuration file sysmonconfig.xml. Replace <SYSMON_EXECUTABLE_PATH> with the path to your Sysmon executable (wget is an alias of Invoke-WebRequest in Windows PowerShell 5.1; in PowerShell 7 the alias is not available, so call Invoke-WebRequest directly):

wget -Uri https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml -OutFile <SYSMON_EXECUTABLE_PATH>\sysmonconfig.xml

  4. Switch to the directory containing the Sysmon executable and run the command below in a PowerShell session with Administrator privileges to install and start Sysmon with that configuration:

.\Sysmon64.exe -accepteula -i sysmonconfig.xml

  5. Add the following configuration within the <ossec_config> block of the C:\Program Files (x86)\ossec-agent\ossec.conf file to forward Sysmon events to the Argus server:

<localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
</localfile>

  6. Restart the Argus agent:

Restart-Service -Name wazuh

Argus server

We create custom rules that generate alerts when the activities of the Latrodectus malware are detected on the Windows endpoint.

Steps to create detection rules on the Argus server

1. Add the custom rules for the Latrodectus malware below to the /var/ossec/etc/rules/latrodectus_rules.xml file (the parent rules 61613, 61609 and 61605 are the built-in rules for Sysmon event IDs 11, 7 and 3):

<group name="latrodectus,">

<!-- Suspicious file creation: Sysmon event 11 (FileCreate) into the hidden loader directory -->
  <rule id="100900" level="12">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)\\\\.+(exe|dll|bat|msi)</field>
    <field name="win.eventdata.targetFilename" type="pcre2">\\\\Roaming\\\\falsify_steward\\\\.*exe</field>
    <description>$(win.eventdata.image) created the executable $(win.eventdata.targetFilename). Latrodectus malware activity detected.</description>
    <mitre>
      <id>T1204.002</id>
    </mitre>
  </rule>

<!-- Persistence detection: scheduled task file written by svchost.exe (T1053.005, Scheduled Task) -->
  <rule id="100901" level="12">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.image" type="pcre2">svchost.exe</field>
    <field name="win.eventdata.targetFilename" type="pcre2">\\\\Windows\\\\System32\\\\Tasks\\\\anxiety</field>
    <description>New scheduled task file $(win.eventdata.targetFilename) created. Latrodectus malware detected.</description>
    <mitre>
      <id>T1204.002</id>
      <id>T1053.005</id>
    </mitre>
  </rule>

<!-- Latrodectus executable side-loading: Sysmon event 7 (Image loaded), T1574.002 DLL Side-Loading -->
  <rule id="100902" level="12">
    <if_sid>61609</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)\\\\Roaming\\\\falsify_steward\\\\.*exe</field>
    <field name="win.eventdata.imageLoaded" type="pcre2">(?i)\\\\Roaming\\\\falsify_steward\\\\.*exe</field>
    <description>$(win.eventdata.image) loaded $(win.eventdata.imageLoaded) from the hidden Latrodectus directory. Latrodectus malware detected.</description>
    <mitre>
      <id>T1574.002</id>
      <id>T1204.002</id>
    </mitre>
  </rule>

<!-- Outbound network connection: Sysmon event 3; repeats from the same source are ignored for 600 s -->
  <rule id="100903" level="12" ignore="600">
    <if_sid>61605</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)\\\\Roaming\\\\falsify_steward\\\\.*exe</field>
    <field name="win.eventdata.destinationIp" type="pcre2">\d+\.\d+\.\d+\.\d+</field>
    <description>Latrodectus malware related activity: Network connection to $(win.eventdata.destinationIp):$(win.eventdata.destinationPort) detected.</description>
    <mitre>
      <id>T1071</id>
    </mitre>
  </rule>

</group>

2. Restart the Argus manager to load the new rules:

systemctl restart wazuh-manager
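To check what these rules actually fire on before loading them into the manager, here is an added example (written for this page, not part of the Argus ruleset or the original article) that re-implements the matching logic of the four rules in Python and runs it over constructed Sysmon events. It assumes that the parent rule IDs map to Sysmon event IDs 11, 7 and 3, and that, as in the decoded eventchannel JSON, the backslashes in Windows paths arrive doubled, which is why the rule patterns use four backslashes per separator. The victim user name, the file paths and the 192.0.2.10 destination are constructed sample data. It also shows why the destinationIp pattern must escape its dots: with bare dots the field regex accepts any run of digits.

```python
import re

# Parent rule referenced by <if_sid> -> Sysmon event ID as it appears in win.system.eventID
SYSMON_EVENT_FOR_PARENT = {61613: "11", 61609: "7", 61605: "3"}  # FileCreate, ImageLoaded, NetworkConnect

# One entry per <rule> in the file above; a rule fires only if every <field> pattern matches.
# Paths in win.eventdata carry doubled backslashes (assumption stated in the lead-in),
# so the regex \\\\ matches one path separator.
RULES = [
    {"id": 100900, "if_sid": 61613, "fields": {
        "image": r"(?i)\\\\.+(exe|dll|bat|msi)",
        "targetFilename": r"\\\\Roaming\\\\falsify_steward\\\\.*exe"}},
    {"id": 100901, "if_sid": 61613, "fields": {
        "image": r"svchost.exe",
        "targetFilename": r"\\\\Windows\\\\System32\\\\Tasks\\\\anxiety"}},
    {"id": 100902, "if_sid": 61609, "fields": {
        "image": r"(?i)\\\\Roaming\\\\falsify_steward\\\\.*exe",
        "imageLoaded": r"(?i)\\\\Roaming\\\\falsify_steward\\\\.*exe"}},
    {"id": 100903, "if_sid": 61605, "fields": {
        "image": r"(?i)\\\\Roaming\\\\falsify_steward\\\\.*exe",
        "destinationIp": r"\d+\.\d+\.\d+\.\d+"}},
]

# An unescaped dot matches any character, so the loose form accepts a plain digit run.
LOOSE_IP = r"\d+.\d+.\d+.\d+"
STRICT_IP = r"\d+\.\d+\.\d+\.\d+"


def ip_field_matches(pattern, value):
    """True if the pattern (as it would be written in a <field type="pcre2">) matches the value."""
    return re.search(pattern, value) is not None


def match_rules(event):
    """Return the ids of the rules above that fire on one decoded Sysmon event."""
    sysmon_id = event["win"]["system"]["eventID"]
    data = event["win"]["eventdata"]
    fired = []
    for rule in RULES:
        if SYSMON_EVENT_FOR_PARENT[rule["if_sid"]] != sysmon_id:
            continue  # wrong parent rule: the child rule is never evaluated
        if all(re.search(pat, data.get(name, "")) for name, pat in rule["fields"].items()):
            fired.append(rule["id"])
    return fired


def _event(sysmon_id, **eventdata):
    # Minimal shape of a decoded eventchannel event; only the fields the rules read are filled in
    return {"win": {"system": {"eventID": sysmon_id}, "eventdata": eventdata}}


# Constructed sample events following the loader behaviour described at the top of the page
LOADER = r"C:\\Users\\victim\\AppData\\Roaming\\falsify_steward\\confrontation_98065856.exe"
SAMPLE_EVENTS = {
    "copy_to_appdata": _event("11", image=r"C:\\Users\\victim\\Downloads\\invoice.exe",
                              targetFilename=LOADER),
    "scheduled_task": _event("11", image=r"C:\\Windows\\System32\\svchost.exe",
                             targetFilename=r"C:\\Windows\\System32\\Tasks\\anxiety"),
    "image_load": _event("7", image=LOADER, imageLoaded=LOADER),
    "c2_beacon": _event("3", image=LOADER, destinationIp="192.0.2.10", destinationPort="443"),
    "benign_download": _event("11", image=r"C:\\Program Files\\Mozilla Firefox\\firefox.exe",
                              targetFilename=r"C:\\Users\\victim\\Downloads\\report.pdf"),
}


if __name__ == "__main__":
    for name, event in SAMPLE_EVENTS.items():
        print(f"{name:18} -> {match_rules(event) or 'no alert'}")
    print("loose IP pattern accepts '1234567':", ip_field_matches(LOOSE_IP, "1234567"))
```

Each constructed event trips exactly one rule and the benign download trips none, which is the behaviour to confirm on the dashboard after the manager has been restarted. Python's re engine is close enough to PCRE2 for these patterns, but the rule file is what the manager evaluates, so keep the two in sync when you tune a pattern.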

MONITORING THE ALERTS

The alerts below are generated on the Argus dashboard when Latrodectus is executed on the endpoint.

Steps to view the alerts on the Argus dashboard

1. Navigate to Threat Hunting > Events
2. Click on Add filter
3. Select rule.id in the Field drop-down
4. Select is one of as the Operator and enter 100900, 100902 in the Values field (add 100901 and 100903 to also see the scheduled task and C&C connection alerts)
5. Click on Save

Rule ID 100900 is triggered when Latrodectus copies itself into the hidden falsify_steward directory under the user's Roaming profile.

Rule ID 100902 is triggered when Latrodectus loads its executable from that hidden location.

DETECTING AND REMOVING LATRODECTUS MALWARE WITH VIRUSTOTAL AND INCIDENT RESPONSE

VirusTotal is a security platform that combines antivirus engines and online scanning tools. It provides an API for checking URLs, IP addresses, domains, or file hashes for potential security threats. Argus can be configured to automatically query the VirusTotal API with the hashes of files created or modified on monitored endpoints.

To enhance threat detection, we configure the Argus File Integrity Monitoring (FIM) module to track and scan files added or modified in specific directories on Windows endpoints. Additionally, the Argus incident response module is set up to automatically remove files flagged as malicious by VirusTotal, ensuring prompt mitigation of potential threats.

Windows endpoint

Configure the Argus FIM module and create an active response script

Steps to configure the FIM module:

1. Append the following configuration to the C:\Program Files (x86)\ossec-agent\ossec.conf file of the Argus agent so that the arrival of the Latrodectus malware file is detected. In our case, we configure the FIM module to monitor the Downloads folder of every user in real time:

<ossec_config>
  <syscheck>
    <directories check_all="yes" realtime="yes">C:\Users\*\Downloads</directories>
  </syscheck>
</ossec_config>

2. Restart the Argus agent by running the following PowerShell command as an administrator:

Restart-Service -Name wazuh

Steps to create the active response Python script:

We create an active response script that removes the Latrodectus malware file when VirusTotal flags it as a threat.

1. Download Python 3.12.6 and run the installer. Select the following checkboxes in the installer dialog box:

  • Use admin privileges when installing py.exe.
  • Add Python.exe to PATH.

2. Run the following command with administrative privileges in PowerShell to install PyInstaller:

pip install -U pyinstaller

3. Create an active response script remove-threat.py on the Windows endpoint with the following content. The manager hands the script the triggering alert as a JSON line on stdin; the script asks the manager for permission (check_keys), waits for continue or abort, and only then deletes the file path reported in the VirusTotal alert:

#!/usr/bin/python3
# Copyright (C) 2015-2022, Wazuh Inc.
# All rights reserved.

import os
import sys
import json
import datetime

if os.name == 'nt':
    LOG_FILE = "C:\\Program Files (x86)\\ossec-agent\\active-response\\active-responses.log"
else:
    LOG_FILE = "/var/ossec/logs/active-responses.log"

ADD_COMMAND = 0
DELETE_COMMAND = 1
CONTINUE_COMMAND = 2
ABORT_COMMAND = 3

OS_SUCCESS = 0
OS_INVALID = -1


class message:
    def __init__(self):
        self.alert = ""
        self.command = 0


def write_debug_file(ar_name, msg):
    # Every action is logged to active-responses.log; the manager turns these lines into
    # alerts (built-in rule 657 and the custom rules 100204/100205 defined on the server).
    with open(LOG_FILE, mode="a") as log_file:
        log_file.write(str(datetime.datetime.now().strftime('%Y/%m/%d %H:%M:%S')) + " " + ar_name + ": " + msg + "\n")


def setup_and_check_message(argv):
    # The manager writes the triggering alert as a single JSON line on stdin
    input_str = ""
    for line in sys.stdin:
        input_str = line
        break

    try:
        data = json.loads(input_str)
    except ValueError:
        write_debug_file(argv[0], 'Decoding JSON has failed, invalid input format')
        message.command = OS_INVALID
        return message

    message.alert = data
    command = data.get("command")

    if command == "add":
        message.command = ADD_COMMAND
    elif command == "delete":
        message.command = DELETE_COMMAND
    else:
        message.command = OS_INVALID
        write_debug_file(argv[0], 'Not valid command: ' + str(command))

    return message


def send_keys_and_check_message(argv, keys):
    # Ask the manager whether to proceed for these keys (the rule ID); it answers continue or abort
    keys_msg = json.dumps({"version": 1, "origin": {"name": argv[0], "module": "active-response"}, "command": "check_keys", "parameters": {"keys": keys}})
    write_debug_file(argv[0], keys_msg)
    print(keys_msg)
    sys.stdout.flush()

    # read the response of previous message
    input_str = ""
    while True:
        line = sys.stdin.readline()
        if line:
            input_str = line
            break

    # write_debug_file(argv[0], input_str)

    try:
        data = json.loads(input_str)
    except ValueError:
        write_debug_file(argv[0], 'Decoding JSON has failed, invalid input format')
        return OS_INVALID

    action = data.get("command")
    if "continue" == action:
        ret = CONTINUE_COMMAND
    elif "abort" == action:
        ret = ABORT_COMMAND
    else:
        ret = OS_INVALID
        write_debug_file(argv[0], "Invalid value of 'command'")

    return ret


def main(argv):
    write_debug_file(argv[0], "Started")

    # validate json and get command
    msg = setup_and_check_message(argv)
    if msg.command < 0:
        sys.exit(OS_INVALID)

    if msg.command == ADD_COMMAND:
        alert = msg.alert["parameters"]["alert"]
        keys = [alert["rule"]["id"]]
        action = send_keys_and_check_message(argv, keys)

        # if necessary, abort execution
        if action != CONTINUE_COMMAND:
            if action == ABORT_COMMAND:
                write_debug_file(argv[0], "Aborted")
                sys.exit(OS_SUCCESS)
            else:
                write_debug_file(argv[0], "Invalid command")
                sys.exit(OS_INVALID)

        # Delete the file VirusTotal flagged; the path comes from the FIM alert VirusTotal enriched
        try:
            os.remove(msg.alert["parameters"]["alert"]["data"]["virustotal"]["source"]["file"])
            write_debug_file(argv[0], json.dumps(msg.alert) + " Successfully removed threat")
        except OSError as error:
            write_debug_file(argv[0], json.dumps(msg.alert) + " Error removing threat: " + str(error))
    else:
        write_debug_file(argv[0], "Invalid command")

    write_debug_file(argv[0], "Ended")
    sys.exit(OS_SUCCESS)


if __name__ == "__main__":
    main(sys.argv)

4. Convert the Python script remove-threat.py to an executable by running the command below:

pyinstaller -F remove-threat.py

5. Move the executable file remove-threat.exe from the \dist folder under your current working directory to C:\Program Files (x86)\ossec-agent\active-response\bin.

6. Restart the Argus agent to apply the changes by running the following PowerShell command as an administrator:

Restart-Service -Name wazuh

Argus server

We configure VirusTotal to scan files monitored on Windows endpoints against public malware engines for signs of malicious behavior. If VirusTotal identifies a file as malicious, the Argus active response module is set to execute the remove-threat command to eliminate the threat automatically.

VirusTotal configuration

1. Get your API key from your VirusTotal account.

2. Append the configuration below to the /var/ossec/etc/ossec.conf file so that the files reported by FIM are checked against VirusTotal:

<ossec_config>
  <integration>
    <name>virustotal</name>
    <api_key><API_KEY></api_key> <!-- Replace with your VirusTotal API key -->
    <rule_id>554,550</rule_id> <!-- 554: FIM file added, 550: FIM file modified -->
    <alert_format>json</alert_format>
  </integration>
</ossec_config>

Note: Replace <API_KEY> with your VirusTotal API key. The public VirusTotal API is rate limited, so a busy Downloads folder can exhaust the free quota and leave files unchecked.

Active response configuration

Append the following configuration to the /var/ossec/etc/ossec.conf file:

<ossec_config>

    <command>

        <name>remove-threat</name>

        <executable>remove-threat.exe</executable>

        <timeout_allowed>no</timeout_allowed>

    </command>

    <active-response>

        <disabled>no</disabled>

        <command>remove-threat</command>

        <location>local</location>

        <rules_id>87105</rules_id>

    </active-response>

</ossec_config>
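The remove-threat script above and this <active-response> block bound to rule 87105 together form a short two-message protocol between the manager's execd and the script: execd writes the triggering alert as an "add" JSON line on the script's stdin, the script answers with check_keys carrying the rule ID, execd replies continue or abort, and only on continue does the script delete the path from the VirusTotal alert. As an added example (not from the page, Wazuh or Argus), the Python below simulates both sides with in-memory streams so the exchange can be run offline, including the abort path and the error path that rule 100205 below matches on. The manager name node01, the program path and the layout of the alert beyond the fields the script reads are assumptions; the "malware" is a harmless constructed stand-in file in a temporary directory.

```python
import io
import json
import os
import tempfile

VT_MALICIOUS_RULE = "87105"  # the rule the <active-response> block above is bound to


def build_add_message(path, rule_id=VT_MALICIOUS_RULE):
    """Constructed 'add' command in the shape execd pipes to the script as one JSON line.
    Only the fields remove-threat reads are meaningful here; the rest is illustrative."""
    return {
        "version": 1,
        "origin": {"name": "node01", "module": "wazuh-execd"},  # assumed manager name
        "command": "add",
        "parameters": {
            "extra_args": [],
            "program": "active-response/bin/remove-threat.exe",
            "alert": {
                "rule": {"id": rule_id},
                "data": {"virustotal": {"malicious": "1", "source": {"file": path}}},
            },
        },
    }


def script_side(stdin, stdout, log):
    """The remove-threat decision flow with injected streams so it runs without execd.
    Returns True only if the flagged file was actually deleted."""
    msg = json.loads(stdin.readline())
    if msg.get("command") != "add":
        log.append("Invalid command")
        return False
    alert = msg["parameters"]["alert"]
    # Step 1: ask the manager whether to proceed for this key (the rule ID)
    check_keys = {"version": 1,
                  "origin": {"name": "remove-threat", "module": "active-response"},
                  "command": "check_keys",
                  "parameters": {"keys": [alert["rule"]["id"]]}}
    stdout.write(json.dumps(check_keys) + "\n")
    stdout.flush()
    # Step 2: execd answers continue or abort on the same stdin
    reply = json.loads(stdin.readline())
    if reply.get("command") != "continue":
        log.append("Aborted")
        return False
    # Step 3: delete the path VirusTotal reported; the log line is what rules 100204/100205 match
    try:
        os.remove(alert["data"]["virustotal"]["source"]["file"])
        log.append("Successfully removed threat")
        return True
    except OSError as err:
        log.append("Error removing threat: " + str(err))
        return False


def manager_side(path, decision="continue"):
    """Play execd: queue the 'add' line and the check_keys answer, then inspect what the
    script wrote back. Returns the script's outgoing messages, its log and the outcome."""
    to_script = io.StringIO(json.dumps(build_add_message(path)) + "\n"
                            + json.dumps({"command": decision}) + "\n")
    from_script = io.StringIO()
    log = []
    removed = script_side(to_script, from_script, log)
    sent = [json.loads(line) for line in from_script.getvalue().splitlines()]
    return {"removed": removed, "sent": sent, "log": log}


def demo(decision="continue"):
    """Drop a constructed, harmless stand-in for the loader in a temp dir and run the exchange."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "confrontation_98065856.exe")
        with open(path, "wb") as fh:
            fh.write(b"MZ constructed stand-in, not malware")
        result = manager_side(path, decision)
        result["file_exists_after"] = os.path.exists(path)
    return result


if __name__ == "__main__":
    for decision in ("continue", "abort"):
        r = demo(decision)
        print(decision, "->", r["log"], "| file left on disk:", r["file_exists_after"])
```

The check_keys round trip is what lets execd suppress repeated executions for the same key, so a script that skipped it would delete on every alert without the manager's consent; the abort run shows the file untouched and the nonexistent-path run shows the log line rule 100205 alerts on.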

Add the following rules to the /var/ossec/etc/rules/local_rules.xml file to generate alerts when the active response module removes a malicious file, or fails to:

<group name="virustotal,">
<!-- VirusTotal detection rules: both match the active-responses.log lines written by remove-threat -->
  <rule id="100204" level="12">
    <if_sid>657</if_sid>
    <match>Successfully removed threat</match>
    <description>$(parameters.program) removed threat located at $(parameters.alert.data.virustotal.source.file)</description>
  </rule>

  <rule id="100205" level="12">
    <if_sid>657</if_sid>
    <match>Error removing threat</match>
    <description>Error removing threat located at $(parameters.alert.data.virustotal.source.file)</description>
  </rule>
</group>

3. Restart the Argus manager to apply the changes:

systemctl restart wazuh-manager

INCIDENT RESPONSE RESULT

To test the configuration, a sample of the Latrodectus malware is placed in the Downloads folder of the victim Windows endpoint. Perform the following steps to view the detection and incident response alerts on the Argus dashboard.

1. Navigate to Threat Hunting > Events
2. Click on Add filter
3. Select rule.id in the Field drop-down
4. Select is one of as the Operator and enter 553, 554 in the Values field (add 87105 and 100204 to also see the VirusTotal verdict and the active response result)
5. Click on Save

CONCLUSION

This use case demonstrates how to use Argus to detect and respond to Latrodectus malware on a Windows endpoint. By integrating Sysmon, we enrich the Windows event logs from the affected endpoint and write detection rules for the malicious activities associated with Latrodectus. Additionally, we combine VirusTotal with the Argus incident response module to scan files and automatically remove malware from the infected endpoint.
