2024-10-30 EclecticIQ: Inside Intelligence Center: LUNAR SPIDER Enabling Ransomware Attacks on Financial Sector with Brute Ratel C4 and Latrodectus

LUNAR SPIDER’s recent campaign used Latrodectus, a heavily obfuscated JavaScript loader, to deliver Brute Ratel C4 payloads targeting the financial sector. Key technical observations include:

Malvertising and SEO Poisoning: Victims searching tax-related content are redirected to download malicious JavaScript files like Document-16-32-50.js. These scripts retrieve an MSI installer, which deploys Brute Ratel C4 (BRc4) by disguising the payload as legitimate software (vierm_soft_x64.dll under rundll32 execution). This method exemplifies advanced evasion tactics to bypass detection.

Command and Control (C2) Infrastructure:

BRc4 communicates with multiple C2 domains, such as bazarunet[.]com and tiguanin[.]com, allowing remote access and command execution on compromised systems.

Persistent infrastructure overlaps include SSL certificates with issuer fields "AU," "Some-State," and "Internet Widgits Pty Ltd," frequently linked to LUNAR SPIDER’s IcedID operations. Additionally, ASN 395092 (SHOCK-1) consistently hosts both IcedID and Latrodectus campaigns, indicating a shared resource pool across malware families.

The BRc4 payload modifies the Windows registry, specifically adding an entry under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run for persistence across reboots.

Intelligence indicates LUNAR SPIDER shares infrastructure and malware services with other groups like ALPHV/BlackCat and WIZARD SPIDER. For instance, domains such as peronikilinfer[.]com and jkbarmossen[.]com were both hosted on IP 173[.]255[.]204[.]62, serving as C2s for IcedID and Latrodectus, respectively.

This infrastructure overlap, along with passive DNS correlations, suggests tight operational ties and indicates LUNAR SPIDER’s role as a critical access broker for ransomware operators.

The Document-16-32-50.js script was obfuscated to evade detection. Analysts de-obfuscated the script, revealing its function to download and execute the MSI payload from 45[.]14[.]244[.]124/dsa.msi. The script checks for Windows installer processes (WindowsInstaller.Installer) and contains specific drive checks (i < drives.length) for execution control flow.