Lunar Spider, a Russian cybercriminal group, has expanded its initial-access methods by compromising websites with CORS vulnerabilities, particularly in Europe. The group injects these sites with a FakeCaptcha framework that includes victim-monitoring capabilities. The infection chain involves an MSI downloader containing a legitimate Intel executable and a malicious DLL called Latrodectus. The MSI registers the Intel EXE in the Run registry key, and the EXE sideloads the Latrodectus DLL through DLL search-order hijacking. Latrodectus V2 then communicates with its command-and-control server and executes further enumeration commands. The blog provides a detailed analysis of the attack chain, including the FakeCaptcha framework, the MSI loader, and the Latrodectus configuration, as well as detection opportunities and indicators of compromise.
Author: AlienVault
Related Tags:
fakecaptcha
Unidentified 111
IceNova
Latrodectus – S1160
T1553.002
T1584.006
LATRODECTUS
IcedID – S0483
T1059.007
Associated Indicators: