Detecting and responding to Latrodectus malware with Wazuh

Wazuh 4.9.0

Latrodectus malware is a sophisticated malware loader that has emerged as a significant threat in recent cyberattacks targeting Windows operating systems. Latrodectus is designed to deliver payloads and execute arbitrary commands on infected systems. Its distribution has been linked to threat actors TA577 and TA578, who have employed it in various threat campaigns. It is believed to be closely associated with the notorious IcedID trojan, a widespread banking malware.

Latrodectus is typically distributed through phishing campaigns that deliver malicious attachments or links. Once executed, the malware connects with a command-and-control (C&C) server to receive further instructions and download programmed payloads.

This blog post explores how to use Wazuh to detect and respond to Latrodectus malware on Windows endpoints.

Behavioral analysis of Latrodectus malware

Latrodectus malware exhibits the following behaviors on an infected Windows endpoint.

  • Latrodectus replicates itself to a hidden location on the infected Windows system: %AppData%\falsify_steward\confrontation_98065856.exe.
  • The malware maintains persistence by creating the scheduled task C:\Windows\System32\Tasks\anxiety. This ensures the malware is executed again after a system reboot.
  • It uses the DLL side-loading technique to execute its main component, %AppData%\falsify_steward\confrontation_98065856.exe.
  • It attempts to connect with a command and control server for commands and exfiltration of stolen sensitive data.

Infrastructure

We use the following infrastructure to demonstrate the detection of Latrodectus malware with Wazuh:

  • A pre-built, ready-to-use Wazuh OVA 4.9.0: Follow this guide to download the virtual machine (VM). This VM hosts the Wazuh central components (Wazuh server, Wazuh indexer, and Wazuh dashboard).
  • A Windows 10 endpoint: The victim endpoint has Wazuh agent 4.9.0 installed and enrolled to the Wazuh server. Refer to the following guide to install the Wazuh agent.

Detection with Wazuh

We use the following techniques to detect the Latrodectus malware on an infected Windows endpoint:

  • Using detection rules to detect the Latrodectus malware activities.
  • Using the Wazuh incident response capability to scan and remove files with malicious patterns.

Detection rules

We use Sysmon to monitor several system events on the victim Windows endpoint and create rules on the Wazuh server to detect the malicious activities of Latrodectus.

Windows endpoint

Perform the following steps to configure the Wazuh agent to collect and forward Sysmon logs from the Windows endpoint to the Wazuh server for analysis.

1. Download Sysmon from the Microsoft Sysinternals page.

2. Use PowerShell with administrator privilege to create a Sysmon folder in the C:\ folder:

> New-Item -ItemType Directory -Path C:\Sysmon

3. Extract the content of the compressed Sysmon file to the C:\Sysmon folder:

> Expand-Archive -Path "<PATH>\Sysmon.zip" -DestinationPath "C:\Sysmon"

Replace <PATH> with the path where the Sysmon.zip file was downloaded.

4. Download the Sysmon configuration file – sysmonconfig.xml to the C:\Sysmon folder using the PowerShell command below:

> wget -Uri https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml -OutFile C:\Sysmon\sysmonconfig.xml

5. Switch to the directory with the Sysmon executable and run the command below to install and start Sysmon using PowerShell with administrator privileges:

> cd C:\Sysmon 
> .\Sysmon64.exe -accepteula -i sysmonconfig.xml

6. Add the following configuration within the <ossec_config> block of the C:\Program Files (x86)\ossec-agent\ossec.conf file of the Wazuh agent:

<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

7. Restart the Wazuh agent to apply the configuration changes by running the following PowerShell command as an administrator:

> Restart-Service -Name wazuh

Wazuh server

We create custom rules to generate alerts when Latrodectus malware activities are detected on the Windows endpoint. Perform the following steps to create detection rules on the Wazuh server.

1. Create a custom rule file latrodectus_rules.xml in the /var/ossec/etc/rules/ directory of the Wazuh server:

# touch /var/ossec/etc/rules/latrodectus_rules.xml

2. Add the custom rules for the Latrodectus malware below to the /var/ossec/etc/rules/latrodectus_rules.xml file:

<group name="latrodectus,">

<!-- Suspicious file creation -->
  <rule id="100900" level="12">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)\\.+(exe|dll|bat|msi)</field>
    <field name="win.eventdata.targetFilename" type="pcre2">\\Roaming\\falsify_steward\\.*exe</field>
    <description>$(win.eventdata.image) created the executable $(win.eventdata.targetFilename). Latrodectus malware activity detected.</description>
    <mitre>
      <id>T1204.002</id>
    </mitre>
  </rule>

<!-- Persistence detection -->
  <rule id="100901" level="12">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.image" type="pcre2">svchost.exe</field>
    <field name="win.eventdata.targetFilename" type="pcre2">\\Windows\\System32\\Tasks\\anxiety</field>
    <description>New task creation detected $(win.eventdata.targetFilename). Latrodectus malware detected.</description>
    <mitre>
      <id>T1204.002</id>
      <id>T1547.001</id>
    </mitre>
  </rule>

<!-- Latrodectus executable sideloading -->
  <rule id="100902" level="12">
    <if_sid>61609</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)\\Roaming\\falsify_steward\\.*exe</field>
    <field name="win.eventdata.imageLoaded" type="pcre2">(?i)\\Roaming\\falsify_steward\\.*exe</field>
    <description>$(win.eventdata.image) executable loaded. Latrodectus malware detected.</description>
    <mitre>
      <id>T1073</id>
      <id>T1204.002</id>
    </mitre>
  </rule>

<!-- Outbound network connection -->
  <rule id="100903" level="12" ignore="600">
    <if_sid>61605</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)\\Roaming\\falsify_steward\\.*exe</field>
    <!-- Dots are escaped so that only a dotted IPv4 address matches, not any four digit runs -->
    <field name="win.eventdata.destinationIp" type="pcre2">\d+\.\d+\.\d+\.\d+</field>
    <description>Latrodectus malware related activity: Network connection to $(win.eventdata.destinationIp):$(win.eventdata.destinationPort) detected.</description>
    <mitre>
      <id>T1071</id>
    </mitre>
  </rule>

</group>

Where:

  • Rule ID 100900 is triggered when Latrodectus replicates itself in a hidden system location.
  • Rule ID 100901 is triggered when Latrodectus creates a scheduled task for persistence.
  • Rule ID 100902 is triggered when Latrodectus sideloads itself from a hidden location.
  • Rule ID 100903 is triggered when Latrodectus initiates a connection to a C2 server.
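To check that the four rules above fire on the right Sysmon events and stay quiet on benign ones, the following added example (not part of the post or of Wazuh) replays the rule conditions in Python over constructed win.eventdata records. It assumes the mapping from Sysmon event IDs 3, 7 and 11 to the base rule IDs 61605, 61609 and 61613 used in the <if_sid> tags, and treats each <field> test as an unanchored regex search, as Wazuh does.

```python
import re

# The four custom rules from this post as (rule_id, parent sid, {eventdata field: pcre2 pattern}).
# A Wazuh <field> test is an unanchored match, which re.search reproduces for these patterns.
RULES = [
    (100900, 61613, {"image": r"(?i)\\.+(exe|dll|bat|msi)",
                     "targetFilename": r"\\Roaming\\falsify_steward\\.*exe"}),
    (100901, 61613, {"image": r"svchost.exe",
                     "targetFilename": r"\\Windows\\System32\\Tasks\\anxiety"}),
    (100902, 61609, {"image": r"(?i)\\Roaming\\falsify_steward\\.*exe",
                     "imageLoaded": r"(?i)\\Roaming\\falsify_steward\\.*exe"}),
    (100903, 61605, {"image": r"(?i)\\Roaming\\falsify_steward\\.*exe",
                     "destinationIp": r"\d+\.\d+\.\d+\.\d+"}),
]

# Assumed mapping: the Wazuh base rules referenced by <if_sid> correspond to Sysmon
# event IDs 3 (network connection), 7 (image load) and 11 (file create).
SYSMON_BASE_SID = {3: 61605, 7: 61609, 11: 61613}

def matching_rules(event_id, eventdata):
    """Return the custom rule IDs that fire for one Sysmon event's win.eventdata fields."""
    parent = SYSMON_BASE_SID.get(event_id)
    hits = []
    for rule_id, if_sid, fields in RULES:
        if if_sid != parent:
            continue  # rule chains from a different base rule, so it cannot fire
        if all(re.search(pat, eventdata.get(field, "")) for field, pat in fields.items()):
            hits.append(rule_id)
    return hits

# Constructed sample events that follow the behaviours listed earlier in the post.
MALWARE_COPY = r"C:\Users\victim\AppData\Roaming\falsify_steward\confrontation_98065856.exe"
FILE_CREATE = {"image": r"C:\Users\victim\Downloads\invoice.exe", "targetFilename": MALWARE_COPY}
TASK_CREATE = {"image": r"C:\Windows\System32\svchost.exe",
               "targetFilename": r"C:\Windows\System32\Tasks\anxiety"}
SIDELOAD = {"image": MALWARE_COPY, "imageLoaded": MALWARE_COPY}
C2_CONNECT = {"image": MALWARE_COPY, "destinationIp": "203.0.113.10", "destinationPort": "443"}
BENIGN_CONNECT = {"image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
                  "destinationIp": "203.0.113.10", "destinationPort": "443"}

if __name__ == "__main__":
    for name, eid, ev in [("file create", 11, FILE_CREATE), ("task create", 11, TASK_CREATE),
                          ("image load", 7, SIDELOAD), ("C2 connect", 3, C2_CONNECT),
                          ("browser connect", 3, BENIGN_CONNECT)]:
        print(f"{name:16} -> {matching_rules(eid, ev)}")
```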

3. Restart the Wazuh manager for the changes to take effect:

# systemctl restart wazuh-manager

Visualizing alerts on the Wazuh dashboard

The alerts below are generated on the Wazuh dashboard when the Latrodectus malware is executed on the victim endpoint. Perform the following steps to view the alerts on the Wazuh dashboard.

1. Navigate to Threat intelligence > Threat Hunting.

2. Click + Add filter. Filter for rule.id in the Field field.

3. Filter for is one of in the Operator field.

4. Filter for 100900, 100901, 100902, and 100903 in the Values field.

5. Click Save.

Figure 1: Latrodectus malware alerts on the Wazuh dashboard

Detecting and removing Latrodectus malware with VirusTotal and incident response

VirusTotal is a security platform that aggregates antivirus products and online scan engines. It offers an API that can be queried using URLs, IP addresses, domains, or file hashes to detect security threats. You can configure Wazuh to automatically send requests to the VirusTotal API with the hashes of files created or modified on monitored endpoints.

We configure the Wazuh File Integrity Monitoring (FIM) module and VirusTotal to detect and scan files added or modified in specific directories on the Windows endpoint. Furthermore, we configure the Wazuh incident response module to remove any files identified as malicious by VirusTotal.

Windows endpoint

Configure the Wazuh FIM module and create an active response script using the steps below.

Configuring the FIM module

1. Append the following configuration to the C:\Program Files (x86)\ossec-agent\ossec.conf file of the Wazuh agent so that the FIM module detects the Latrodectus malware file when it lands on the endpoint. In our case, we configure the FIM module to monitor the Downloads folder:

<ossec_config>
  <syscheck>
    <directories check_all="yes" realtime="yes">C:\Users\*\Downloads</directories>
  </syscheck>
</ossec_config>

2. Restart the Wazuh agent to apply the changes by running the following PowerShell command as an administrator:

> Restart-Service -Name wazuh

Active response Python script configuration

We create an active response script to remove the Latrodectus malware when VirusTotal identifies it as a threat.

1. Download Python 3.12.6 and run the installer. Select the following checkboxes on the installer dialog box:

  • Use admin privileges when installing py.exe.
  • Add Python.exe to PATH.

2. Run the following command with administrative privilege in PowerShell to install PyInstaller:

> pip install -U pyinstaller

3. Create an active response script remove-threat.py on the Windows endpoint with the following content:

#!/usr/bin/python3
# Copyright (C) 2015-2022, Wazuh Inc.
# All rights reserved.

import os
import sys
import json
import datetime

# Raw string: in a normal literal the "\a" of "\active-response" is read as a bell character
if os.name == 'nt':
    LOG_FILE = r"C:\Program Files (x86)\ossec-agent\active-response\active-responses.log"
else:
    LOG_FILE = "/var/ossec/logs/active-responses.log"

ADD_COMMAND = 0
DELETE_COMMAND = 1
CONTINUE_COMMAND = 2
ABORT_COMMAND = 3

OS_SUCCESS = 0
OS_INVALID = -1

class Message:
    def __init__(self):
        self.alert = ""
        self.command = 0

# Shared message object filled in by setup_and_check_message()
message = Message()

def write_debug_file(ar_name, msg):
    with open(LOG_FILE, mode="a") as log_file:
        log_file.write(str(datetime.datetime.now().strftime('%Y/%m/%d %H:%M:%S')) + " " + ar_name + ": " + msg + "\n")

def setup_and_check_message(argv):

    # get alert from stdin (the manager sends one JSON object per line)
    input_str = ""
    for line in sys.stdin:
        input_str = line
        break

    try:
        data = json.loads(input_str)
    except ValueError:
        write_debug_file(argv[0], 'Decoding JSON has failed, invalid input format')
        message.command = OS_INVALID
        return message

    message.alert = data

    command = data.get("command")

    if command == "add":
        message.command = ADD_COMMAND
    elif command == "delete":
        message.command = DELETE_COMMAND
    else:
        message.command = OS_INVALID
        write_debug_file(argv[0], 'Not valid command: ' + str(command))

    return message


def send_keys_and_check_message(argv, keys):

    # build and send message with keys
    keys_msg = json.dumps({"version": 1, "origin": {"name": argv[0], "module": "active-response"}, "command": "check_keys", "parameters": {"keys": keys}})

    write_debug_file(argv[0], keys_msg)

    print(keys_msg)
    sys.stdout.flush()

    # read the response of previous message (an empty string on EOF fails the JSON decode below)
    input_str = sys.stdin.readline()

    try:
        data = json.loads(input_str)
    except ValueError:
        write_debug_file(argv[0], 'Decoding JSON has failed, invalid input format')
        return OS_INVALID

    action = data.get("command")

    if "continue" == action:
        ret = CONTINUE_COMMAND
    elif "abort" == action:
        ret = ABORT_COMMAND
    else:
        ret = OS_INVALID
        write_debug_file(argv[0], "Invalid value of 'command'")

    return ret

def main(argv):

    write_debug_file(argv[0], "Started")

    # validate json and get command
    msg = setup_and_check_message(argv)

    if msg.command < 0:
        sys.exit(OS_INVALID)

    if msg.command == ADD_COMMAND:
        alert = msg.alert["parameters"]["alert"]
        keys = [alert["rule"]["id"]]
        action = send_keys_and_check_message(argv, keys)

        # if necessary, abort execution
        if action != CONTINUE_COMMAND:

            if action == ABORT_COMMAND:
                write_debug_file(argv[0], "Aborted")
                sys.exit(OS_SUCCESS)
            else:
                write_debug_file(argv[0], "Invalid command")
                sys.exit(OS_INVALID)

        # remove the file VirusTotal flagged; a missing field or a failed delete is logged, not raised
        try:
            os.remove(msg.alert["parameters"]["alert"]["data"]["virustotal"]["source"]["file"])
            write_debug_file(argv[0], json.dumps(msg.alert) + " Successfully removed threat")
        except (OSError, KeyError, TypeError) as error:
            write_debug_file(argv[0], json.dumps(msg.alert) + " Error removing threat: " + str(error))

    else:
        write_debug_file(argv[0], "Invalid command")

    write_debug_file(argv[0], "Ended")

    sys.exit(OS_SUCCESS)

if __name__ == "__main__":
    main(sys.argv)
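The script deletes whatever path the VirusTotal alert names. The helper below is an added example, not part of the post's script, that confines deletion to the FIM-monitored folder (the C:\Users\*\Downloads entry configured earlier) by normalising the path and checking it against that pattern before os.remove is ever called; it assumes the alert layout the script reads from parameters.alert.

```python
import ntpath

# Directory pattern from the FIM <directories> entry configured earlier in this post.
MONITORED = r"C:\Users\*\Downloads"

def _parts(path):
    # ntpath works on any OS: collapses "..", "/" and doubled separators, then lower-cases.
    return ntpath.normpath(path).lower().split("\\")

def target_from_alert(alert, monitored=MONITORED):
    """Return the normalised file path from a VirusTotal alert if it lies inside the
    monitored directory; otherwise None, so the caller skips os.remove()."""
    try:
        path = alert["data"]["virustotal"]["source"]["file"]
    except (KeyError, TypeError):
        return None
    if not isinstance(path, str) or not path:
        return None
    want, got = _parts(monitored), _parts(path)
    if len(got) <= len(want):          # the directory itself is not a valid target
        return None
    if any(w != "*" and w != g for w, g in zip(want, got)):
        return None                    # outside the pattern (after ".." collapsing)
    return ntpath.normpath(path)

# Constructed alerts in the shape the script reads from parameters.alert
INSIDE = {"data": {"virustotal": {"source": {"file": r"C:\Users\victim\Downloads\invoice.exe"}}}}
TRAVERSAL = {"data": {"virustotal": {"source": {
    "file": r"C:\Users\victim\Downloads\..\..\..\Windows\System32\drivers\etc\hosts"}}}}
ELSEWHERE = {"data": {"virustotal": {"source": {"file": r"C:\Windows\System32\cmd.exe"}}}}
MALFORMED = {"data": {"virustotal": {}}}

if __name__ == "__main__":
    for name, alert in [("inside", INSIDE), ("traversal", TRAVERSAL),
                        ("elsewhere", ELSEWHERE), ("malformed", MALFORMED)]:
        print(f"{name:10} -> {target_from_alert(alert)}")
```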

4. Convert the Python script remove-threat.py to an executable file by running the command below:

> pyinstaller -F remove-threat.py

5. Move the executable file remove-threat.exe from the \dist folder under your current working directory to C:\Program Files (x86)\ossec-agent\active-response\bin.

6. Restart the Wazuh agent to apply the changes by running the following PowerShell command as an administrator:

> Restart-Service -Name wazuh

Wazuh server

We configure the VirusTotal integration to scan the files monitored on the Windows endpoint against public malware engines. We then configure the Wazuh active response module to automatically run the remove-threat executable when VirusTotal flags a scanned file as malicious.

VirusTotal configuration

1. Get your API key from the VirusTotal API key page.

2. Append the configuration below to the /var/ossec/etc/ossec.conf file to scan the files with VirusTotal:

<ossec_config>
  <integration>
    <name>virustotal</name>
    <api_key><API_KEY></api_key> <!-- Replace with your VirusTotal API key -->
    <rule_id>554,550</rule_id>
    <alert_format>json</alert_format>
  </integration>
</ossec_config>

Note: Replace the <API_KEY> with your VirusTotal API key.

Active response configuration

Append the following configuration to the /var/ossec/etc/ossec.conf file:

<ossec_config>

    <command>
        <name>remove-threat</name>
        <executable>remove-threat.exe</executable>
        <timeout_allowed>no</timeout_allowed>
    </command>

    <active-response>
        <disabled>no</disabled>
        <command>remove-threat</command>
        <location>local</location>
        <rules_id>87105</rules_id>
    </active-response>

</ossec_config>

Add the following rules to the /var/ossec/etc/rules/local_rules.xml file to generate alerts when the active response module successfully removes the malicious files.

<group name="virustotal,">

<!-- VirusTotal detection rules -->

  <rule id="100204" level="12">
    <if_sid>657</if_sid>
    <match>Successfully removed threat</match>
    <description>$(parameters.program) removed threat located at $(parameters.alert.data.virustotal.source.file)</description>
  </rule>

  <rule id="100205" level="12">
    <if_sid>657</if_sid>
    <match>Error removing threat</match>
    <description>Error removing threat located at $(parameters.alert.data.virustotal.source.file)</description>
  </rule>
</group>

Where:

  • Rule ID 100204 is triggered when the active response module successfully removes the threat.
  • Rule ID 100205 is triggered when the active response module fails to remove the threat.

3. Restart the Wazuh manager to apply configuration changes:

# systemctl restart wazuh-manager

Incident response result

To test the configuration, a sample of the Latrodectus malware is added to the Downloads folder on the victim Windows endpoint. Perform the following steps to view the detection and incident response alert on the Wazuh dashboard.

1. Navigate to Threat intelligence > Threat Hunting.

2. Click + Add filter. Then, filter for rule.id in the Field field.

3. Select is one of in the Operator field.

4. Filter for 553, 554, 87105, and 100204 in the Values field.

5. Click Save.

Figure 2: Incident response alerts on the Wazuh dashboard

Conclusion

This blog post shows how to detect and respond to Latrodectus malware on a Windows endpoint with Wazuh. We utilize Sysmon integration to enrich Windows event logs from the victim endpoint and then create rules to detect malicious activities associated with Latrodectus malware. We also combine VirusTotal with the Wazuh Incident response to scan and remove the malware file from the victim endpoint.

Wazuh is a free, open source enterprise-ready security platform for threat detection, incident response, and compliance. Wazuh integrates with third-party platforms. Wazuh also has a growing community where users are supported. To learn more about Wazuh, please check out our documentation and blog posts.
