Overview

Welcome to the first entry in a series of write-ups where I’ll be reverse engineering and analyzing different pieces of malware. I am a Computer Science student learning reverse engineering and malware analysis in my free time. To practice both my analysis and technical write-up skills, I am starting this series. Each post will dive into the details of a specific piece of malware, exploring how it operates. Today, we’re starting with Latrodectus, which is a Remote Access Trojan (RAT). Latrodectus is not the first malware sample I have analyzed, but it is the most advanced so far, which is why I wanted to start the series with this sample.

Latrodectus, first seen in October 2023, is a relatively advanced piece of malware (for me). Version 1.4, which I am analyzing, has AES-encrypted strings and dynamically resolves the Windows APIs it uses. Moreover, Latrodectus can perform several different actions, such as downloading & executing files, executing shellcode, listing files and dropping other malicious files.

In this post, I will first analyze the 'general' file information retrievable without any reverse engineering. Then, I will go into how Latrodectus resolves the APIs it needs to function. After this, I will explain how it (rather poorly) tries to evade sandboxes and/or debugging by malware analysts. Next, I will tackle the string encryption and, more importantly, how I managed to decrypt all strings and make them visible in Ghidra (with some help from OALabs). Then, I'll dive into how Latrodectus achieves persistence and how its C2 process works. Lastly, I'll list and analyze the different capabilities this version of Latrodectus offers and provide a YARA rule for detection purposes.

For anyone interested in taking a look at this Latrodectus sample themselves, I retrieved it from Unpacme.

General file information

Hashes

==================================================
Filename          : latrodectus.bin
Filesize          : 70144 bytes
MD5               : 58e3fdda803852666f535b132e6a8160
SHA1              : 34550c1402b823b5cf3bc7edfeec0cc00cb6a953
CRC32             : 550e7372
SHA-256           : 5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8
SHA-512           : 90ee1949a0cb79ee9ea20351f15fe2d27c8c171e398f01e42849e2cba6a9531cf792757f7fec6aeaea5b3a5e7198e3f875ab702275541acbcd420d46c1a9ba2a
SHA-384           : 47e8f507d01b7c50285fcb3f5c58308df05d37a764016a4717d6762fee59763b80a904d50bd4ff74e186258c42874002
Imphash (MD5)     : db7aeb75528663639689f852fd366243
==================================================

My first step is always to obtain the different hashes for a given sample. I use different tools, like PEStudio and Hasher, to do this. In this case, the Imphash is particularly interesting. After I finished with the bulk of the reverse engineering work, I did a Pivot search on Unpacme, and pivoting on this Imphash unearthed links to a large number of other Latrodectus samples of this version. I confirmed these were Latrodectus samples by using my own YARA rule and the fact that the URLs these samples contact all follow the same pattern.

Detect it Easy (DiE)

PE64
    Operation system: Windows(Vista)[AMD64, 64-bit, GUI]
    Linker: Microsoft Linker(14.00.24247)
    Compiler: Microsoft Visual C/C++(19.00.24247)[C]
    Language: C
    Tool: Visual Studio(2015)

Next, I always throw a malware sample into DiE to see some basic information about the binary. In this case, it revealed that this was probably a plain C binary, so luckily no weird Rust/Go stuff (which I am still interested in learning about, though).

Imports

DLL            Functions
KERNEL32.DLL   CreateMutexW, PeekNamedPipe, GetLastError
USER32.DLL     MessageBeep, MessageBoxA

I then used DiE to take a look at the functions this binary natively imports. I was quite surprised to see only 5 functions, but this immediately alerted me that I needed to look for dynamic API resolving when reverse engineering. There is no way to build a RAT, or any piece of malware, with only these five imports.
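As an added example (not code from the original post, and not the tooling the author used), the script below reproduces the two triage steps described in the hash and import sections: computing the hash set that Hasher prints, building the Imphash the way pefile's get_imphash does (lowercase "dll.function" entries, DLL extension stripped, joined by commas in import order, then MD5), and flagging an import table that is too small to support a RAT. The file bytes are a constructed stand-in, not the sample; the import list is the one DiE showed above, but because the hash depends on the order in the binary's import directory, the value computed here is not claimed to equal the Imphash listed in the post. Imports by ordinal are written as "ordN" without the per-DLL ordinal-to-name mapping pefile applies; the threshold in import_triage is an assumption.

```python
import hashlib
import zlib

# Constructed placeholder for the file contents; the real sample is not embedded here.
SAMPLE_BYTES = b"abc"

# Import list as displayed by DiE for the sample in this post, as (DLL, function) pairs.
# An integer in place of a function name denotes an import by ordinal.
SAMPLE_IMPORTS = [
    ("KERNEL32.DLL", "CreateMutexW"),
    ("KERNEL32.DLL", "PeekNamedPipe"),
    ("KERNEL32.DLL", "GetLastError"),
    ("USER32.DLL", "MessageBeep"),
    ("USER32.DLL", "MessageBoxA"),
]

# APIs that let a binary resolve further APIs at runtime through the documented loader.
DYNAMIC_RESOLVERS = {
    "loadlibrarya", "loadlibraryw", "loadlibraryexa", "loadlibraryexw", "getprocaddress",
}


def file_hashes(data: bytes) -> dict:
    """Return the same hash set the post lists, keyed like the Hasher output."""
    return {
        "Filesize": len(data),
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        # zlib.crc32 is unsigned on Python 3; mask anyway for clarity and zero-pad to 8 hex digits.
        "CRC32": f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",
        "SHA-256": hashlib.sha256(data).hexdigest(),
        "SHA-512": hashlib.sha512(data).hexdigest(),
        "SHA-384": hashlib.sha384(data).hexdigest(),
    }


def imphash_string(imports) -> str:
    """Build the canonical string that Imphash hashes (pefile convention).

    Each entry becomes '<dll>.<function>' in lowercase, with a .dll/.ocx/.sys
    suffix removed from the DLL name; entries keep the order of the import
    directory and are joined with commas.
    """
    parts = []
    for dll, func in imports:
        dll = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if dll.endswith(ext):
                dll = dll[: -len(ext)]
                break
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{dll}.{name}")
    return ",".join(parts)


def imphash(imports) -> str:
    """MD5 of the canonical import string; order-sensitive by design."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


def import_triage(imports, min_expected: int = 10) -> list:
    """Heuristic from the post: a tiny import table with no LoadLibrary/GetProcAddress
    means the binary must resolve the APIs it really uses at runtime."""
    names = {func.lower() for _, func in imports if isinstance(func, str)}
    findings = []
    if len(imports) < min_expected:
        findings.append(f"only {len(imports)} imports: expect runtime API resolution")
    if not names & DYNAMIC_RESOLVERS:
        findings.append("no LoadLibrary/GetProcAddress import: resolver is likely hand-rolled")
    return findings


if __name__ == "__main__":
    for key, value in file_hashes(SAMPLE_BYTES).items():
        print(f"{key:<10}: {value}")
    print(f"Imphash   : {imphash(SAMPLE_IMPORTS)}  ({imphash_string(SAMPLE_IMPORTS)})")
    for finding in import_triage(SAMPLE_IMPORTS):
        print(f"triage    : {finding}")
```

Replace SAMPLE_BYTES with the bytes of a file read in binary mode to hash a real sample; the import list would normally come from a PE parser rather than be typed in, and the Imphash then matches pefile only if the list preserves the binary's import order.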