Malware Threat Intelligence Notes - October / 2

Our biweekly newsletter is designed to bring you the most relevant updates. By focusing on malware and in-depth threat analysis, we aim to provide you with the latest insights, tools and research to keep you ahead of the curve. Expect concise, actionable insights to support your efforts.

Let's dive in!



Latrodectus: Version Updates and Stealthy Evasion Methods Unveiled

VMRay's latest Malware Spotlight Report highlights the rise of Latrodectus, a malware emerging as the successor to the infamous IcedID loader, which was taken down in May 2024 through an international operation led by Europol. Since the takedown, Latrodectus has evolved, with the most recent version (v1.8) compiled in late September 2024. The malware employs advanced evasion techniques, such as process count checks, MAC address validation, debugging detection via the BeingDebugged flag, and WOW64 process checks.

Over the past year, it has also refined its string encryption, showcasing its continued evolution in the cybercriminal ecosystem. For CTI teams, this is crucial because it highlights how cybercriminals are quickly adapting post-IcedID, refining their tools and techniques to evade detection. Keeping an eye on these developments helps anticipate future threats and improve defensive strategies.

https://www.vmray.com/latrodectus-a-year-in-the-making/


EDRSilencer Tool Repurposed by Actors to Block EDR Tools

The Trend Micro Threat Hunting Team has observed the misuse of EDRSilencer, originally a red team tool, now being actively deployed by threat actors. EDRSilencer blocks communication for a wide range of EDR tools via the Windows Filtering Platform (WFP), making malware harder to detect and remove.

Its ability to block nearly all EDR solutions highlights the urgent need for vendors to strengthen their detection mechanisms against such tactics. This tool's repurposing demonstrates how easily offensive tools can be turned against defenders.
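The defender's counterpart to the technique described above is to watch for WFP filter changes that block outbound traffic for security-agent binaries. The following is an added example, not code from Trend Micro or from the EDRSilencer project: it triages a small set of constructed records shaped loosely like Windows Security event 5447 ("A Windows Filtering Platform filter has been changed", logged only when the "Audit Filtering Platform Policy Change" subcategory is enabled). The field names, the EDR binary list and the choice of connect layers are assumptions made for the example.

```python
import ntpath

# Illustrative subset of EDR/AV agent binaries (assumption for this example);
# a real inventory comes from the products actually deployed in the estate.
EDR_BINARIES = {
    "msmpeng.exe",          # Microsoft Defender Antivirus engine
    "mssense.exe",          # Microsoft Defender for Endpoint sensor
    "csfalconservice.exe",  # CrowdStrike Falcon sensor
    "sentinelagent.exe",    # SentinelOne agent
}

# WFP layers that gate outbound connection attempts; a block filter scoped to an
# EDR binary at one of these layers cuts the agent off from its cloud (assumption).
OUTBOUND_CONNECT_LAYERS = {
    "FWPM_LAYER_ALE_AUTH_CONNECT_V4",
    "FWPM_LAYER_ALE_AUTH_CONNECT_V6",
}

# Constructed sample records; field names are assumptions, not the exact 5447 schema.
SAMPLE_EVENTS = [
    {"event_id": 5447, "change_type": "Add", "action": "Block",
     "layer": "FWPM_LAYER_ALE_AUTH_CONNECT_V4", "filter_name": "Custom Outbound Filter",
     "app_path": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "changed_by": r"C:\Users\Public\update.exe"},
    {"event_id": 5447, "change_type": "Add", "action": "Permit",
     "layer": "FWPM_LAYER_ALE_AUTH_CONNECT_V4", "filter_name": "Allow browser",
     "app_path": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "changed_by": r"C:\Windows\System32\svchost.exe"},
    {"event_id": 5447, "change_type": "Add", "action": "Block",
     "layer": "FWPM_LAYER_ALE_AUTH_CONNECT_V6", "filter_name": "Custom Outbound Filter",
     "app_path": r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe",
     "changed_by": r"C:\Users\Public\update.exe"},
    {"event_id": 5447, "change_type": "Add", "action": "Block",
     "layer": "FWPM_LAYER_ALE_AUTH_CONNECT_V4", "filter_name": "Block game",
     "app_path": r"C:\Users\Public\game.exe",
     "changed_by": r"C:\Windows\System32\svchost.exe"},
    {"event_id": 5447, "change_type": "Delete", "action": "Block",
     "layer": "FWPM_LAYER_ALE_AUTH_CONNECT_V4", "filter_name": "Old filter",
     "app_path": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "changed_by": r"C:\Windows\System32\svchost.exe"},
]


def is_edr_blocking_filter(ev: dict) -> bool:
    """True for a newly added BLOCK filter on an outbound-connect layer scoped to an EDR binary."""
    # ntpath handles Windows paths correctly even when this runs on a non-Windows host.
    binary = ntpath.basename(ev.get("app_path", "")).lower()
    return (
        ev.get("event_id") == 5447
        and ev.get("change_type") == "Add"
        and ev.get("action") == "Block"
        and ev.get("layer") in OUTBOUND_CONNECT_LAYERS
        and binary in EDR_BINARIES
    )


def find_edr_blocking_filters(events):
    """Return only the records that match the EDR-silencing pattern."""
    return [ev for ev in events if is_edr_blocking_filter(ev)]


def summarize(findings):
    """Reduce each finding to what an analyst needs first: which agent, which layer, who did it."""
    return [
        {
            "agent": ntpath.basename(f["app_path"]),
            "layer": f["layer"],
            "changed_by": f["changed_by"],
        }
        for f in findings
    ]


if __name__ == "__main__":
    for row in summarize(find_edr_blocking_filters(SAMPLE_EVENTS)):
        print(row)
```

A point-in-time check on a host that has no audit trail is `netsh wfp show filters`, which writes the current filter set to an XML file that can be searched for the same agent paths; the "changed_by" process in the findings is usually the faster lead, since legitimate filter changes come from the firewall service rather than from a binary in a user-writable directory.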

https://www.trendmicro.com/en_us/research/24/j/edrsilencer-disrupting-endpoint-security-solutions.html


New Octo2 Trojan Elevates Mobile Threat Landscape with DGA Obfuscation

The Octo2 malware, a new version of the prolific Android banking trojan Octo (ExobotCompact), has been released following the leak of its original source code. Octo2 features enhanced RAT stability, improved anti-analysis techniques, and now leverages a domain generation algorithm (DGA) for C2 communication, making it harder to track and block.

As highlighted by DomainTools researchers, the use of a DGA adds an extra layer of obfuscation, a tactic increasingly seen in the Malware-as-a-Service (MaaS) landscape. This mirrors techniques used in major attacks like SolarWinds, where DGAs played a key role in evading detection. With global distribution likely in the coming year, Octo2 represents a significant threat to Android devices.
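Because a DGA produces domains that were never chosen by a human, the labels themselves carry statistical signs that defenders can score from DNS logs even before the algorithm is reverse-engineered. The example below is added here and is not code from DomainTools or from any Octo2 analysis; the domains are constructed, and the feature thresholds are assumptions picked for illustration rather than tuned values.

```python
import math
from collections import Counter

VOWELS = set("aeiou")

# Constructed sample input: three ordinary domains and three that look generated.
SAMPLE_DOMAINS = [
    "google.com",
    "linkedin.com",
    "vmray.com",
    "xq7kzbw9pfrtl.net",
    "hfjdqwlrtpsnvb.com",
    "a1b2c3d4e5f6.org",
]


def registrable_label(fqdn: str) -> str:
    """Label left of the TLD (naive: multi-part suffixes such as co.uk are not handled)."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s: str) -> float:
    """Bits per character; a 13-character label with no repeats scores log2(13) ~= 3.7."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def vowel_ratio(label: str) -> float:
    """Share of letters that are vowels; pronounceable words sit well above DGA output."""
    letters = [ch for ch in label if ch.isalpha()]
    if not letters:
        return 0.0
    return sum(ch in VOWELS for ch in letters) / len(letters)


def max_consonant_run(label: str) -> int:
    """Longest run of consecutive consonants; digits and vowels break the run."""
    best = run = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def digit_ratio(label: str) -> float:
    return sum(ch.isdigit() for ch in label) / len(label) if label else 0.0


def score_domain(fqdn: str) -> dict:
    """Count how many machine-generated indicators the registrable label shows."""
    label = registrable_label(fqdn)
    features = {
        "length": len(label),
        "entropy": round(shannon_entropy(label), 3),
        "vowel_ratio": round(vowel_ratio(label), 3),
        "max_consonant_run": max_consonant_run(label),
        "digit_ratio": round(digit_ratio(label), 3),
    }
    # Thresholds are assumptions for this example, not values from the page.
    points = sum([
        features["length"] >= 12,
        features["entropy"] >= 3.5,
        features["vowel_ratio"] < 0.25,
        features["max_consonant_run"] >= 5,
        features["digit_ratio"] > 0.2,
    ])
    return {"domain": fqdn, "label": label, "points": points, **features}


def is_dga_like(fqdn: str, min_points: int = 3) -> bool:
    return score_domain(fqdn)["points"] >= min_points


def triage(domains):
    """Split a list of domains into (suspicious, ordinary) by the point score."""
    suspicious = [d for d in domains if is_dga_like(d)]
    ordinary = [d for d in domains if not is_dga_like(d)]
    return suspicious, ordinary


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        print(score_domain(d))
```

The point system is deliberately one feature short of unanimity so that both the consonant-heavy and the digit-heavy styles of generated label are caught, while a short brand name with few vowels (vmray) picks up only a single point. A scorer like this is a triage filter for NXDOMAIN-heavy hosts, not a verdict; the confirmation still comes from sandbox configuration extraction of the actual seed and algorithm.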

https://www.domaintools.com/resources/blog/uncovering-octo2-domains/


Mandiant Report Highlights Growing Pressure to Adapt to Rapid Exploits

Google Mandiant's latest report analyzes 138 vulnerabilities exploited in the wild in 2023, with 97 of them exploited as zero-days. The number of exploited vendors continues to grow, marking a 17% increase compared to the previous high in 2021. Notably, the Time-to-Exploit (TTE) for vulnerabilities has significantly dropped—from an average of 63 days just a few years ago to only five days in 2023.

This rapid exploitation rate is pushing defenders to adapt detection and response strategies in real time, and it makes patching prioritization more challenging as n-days are exploited faster and across more products.

https://cloud.google.com/blog/topics/threat-intelligence/time-to-exploit-trends-2023




FREE FROM COMMUNITY

The EDR Telemetry Project is a new open-source tool designed to help organizations and security professionals compare telemetry data from various EDR vendors, highlighting potential visibility gaps. By visualizing these differences, the project aims to aid in making informed decisions when selecting EDR solutions. Created and maintained by Kostas T. (@kostastsale on X), the project is open for community contributions. For more information or to get involved, you can visit the GitHub repository linked below. This resource is particularly valuable for improving threat detection capabilities across different EDR platforms.

https://github.com/tsale/edr-telemetry-website



Latest Picks from VMRay Threat Feed

Sandbox reports with IOCs, behaviors & malware configurations

Lumma Stealer: https://www.vmray.com/analyses/ac4109669580/report/overview.html

Latrodectus: https://www.vmray.com/analyses/fd4b6e419691/report/overview.html

Stealc: https://www.vmray.com/analyses/355be923f641/report/overview.html

Agent Tesla: https://www.vmray.com/analyses/a8ddfaf81721/report/overview.html

CobaltStrike: https://www.vmray.com/analyses/600384ff7d1b/report/overview.html

RedLine Stealer: https://www.vmray.com/analyses/8796a2213283/report/overview.html

SmokeLoader: https://www.vmray.com/analyses/444a1f454014/report/overview.html

Remcos RAT: https://www.vmray.com/analyses/36ed24fd100d/report/overview.html


K.P. Finke-Härkönen

Excellence in Technology Diplomacy

4 months

Thank you for sharing Community link to EDR Telemetry Project
