This article discusses a Latrodectus loader that employs junk comments and WMI commands to obfuscate its functionality and download a remote .msi file. The process unfolds in three stages, revealing how the malware is concealed within a seemingly innocuous script. Affected: Malware, JavaScript files, Cybersecurity sector
Keypoints :
- The Latrodectus loader uses junk comments and WMI commands for obfuscation.
- The initial sample was found on Malware Bazaar, uploaded by pr0xylife.
- The original script is 845KB, indicating potential heavy obfuscation.
- Regular expressions can clean up junk comments, revealing functional code.
- The script executes commands from its own comments and attempts to map network drives.
- The malware executes an upd.msi file using msiexec.exe after mapping the network drive.
- Detection opportunities involve monitoring process creation logs for suspicious WMI commands.
MITRE Techniques :
- T1059.001 (JavaScript): The malware uses obfuscated JavaScript code to perform its operations.
- T1086 (PowerShell): Utilizes WMI commands to execute malware processes.
- T1071.001 (Application Layer Protocol: Web Protocols): Interacts with external servers to download files.
- T1046 (Network Service Discovery): Attempts to discover network drives and map them for further malicious activity.
- T1203 (Exploitation for Client Execution): Initiates the execution of an msi file on the system.
Indicator of Compromise :
- [SHA256] 71fb25cc4c05ce9dd94614ed781d85a50dccf69042521abc6782d48df85e6de9
- [Domain] sokingscrosshotel[.]com
Full Story: https://www.embeeresearch.io/latrodectus-script-deobfuscation/