Query Details

Latrodectus File Creation

Query

# Rule: Detection of Suspicious MSI and DLL Activity Associated with Latrodectus Malware

## Description
This detection rule identifies suspicious file and process activities that could be indicative of Latrodectus malware or similar threats. The query monitors for specific file paths, particularly MSI files and the `aclui.dll`, often used in malicious contexts, in combination with `msiexec` or `rundll32` processes. Latrodectus malware, as described in recent analyses, leverages these files and processes to execute payloads and achieve persistence on infected systems.

Latrodectus is a sophisticated malware family known for its ability to evade detection and deliver various payloads, including information stealers and ransomware. This rule is designed to detect the early stages of Latrodectus infection, focusing on suspicious file creations and process executions that are not typically associated with legitimate software installations or updates.

- [Latrodectus Malware Analysis](https://blog.krakz.fr/articles/latrodectus/)

## Detection Logic
- Monitors `DeviceFileEvents` for events where:
  - The `FolderPath` contains any of the following suspicious files:
    - `"aclui.dll"`,
    - `"Roaming\\capisp"`,
    - `"temp\\vpn.msi"`,
    - `"neuro.msi"`,
    - `"bst.msi"`,
    - `"aes256.msi"`,
    - `"neo.msi"`,
    - `"bim.msi"`,
    - `"WSC.msi"`.
  - The `InitiatingProcessCommandLine` includes `"msiexec"` or `"rundll32"`.

## Tags
- Latrodectus Malware
- Suspicious MSI Activity
- DLL Hijacking
- Process Execution
- MITRE ATT&CK T1059 (Command and Scripting Interpreter)
- Persistence
- Suspicious Activity

## Search Query
```kql
DeviceFileEvents
| where FolderPath has_any ("aclui.dll", "Roaming\\capisp", "temp\\vpn.msi", "neuro.msi", "bst.msi", "aes256.msi", "neo.msi", "bim.msi", "WSC.msi")
| where InitiatingProcessCommandLine has_any ("msiexec", "rundll32")
```

Explanation

Summary of the Query

This query is designed to detect suspicious activities that might indicate the presence of Latrodectus malware on a system. Specifically, it looks for:

  1. Suspicious file paths: the query monitors for the creation or modification of certain files and directories that are commonly associated with malicious activity. These include:
     • aclui.dll
     • files under a Roaming\capisp directory
     • MSI files named vpn.msi (under a temp directory), neuro.msi, bst.msi, aes256.msi, neo.msi, bim.msi, or WSC.msi
  2. Suspicious processes: it also checks whether these files are being created or modified by processes that are often abused in malicious contexts, specifically:
     • msiexec (Microsoft Installer)
     • rundll32 (a utility that runs DLL exports)

Purpose

The goal is to identify early signs of Latrodectus malware infection by detecting unusual file and process activities that are not typically associated with legitimate software installations or updates. This helps in catching the malware before it can execute its payloads or establish persistence on the system.

Tags and Context

  • Latrodectus Malware: A sophisticated malware family known for evading detection and delivering harmful payloads.
  • Suspicious MSI Activity: Monitoring MSI files that could be used maliciously.
  • DLL Hijacking: Detecting potential DLL hijacking attempts.
  • Process Execution: Observing the execution of potentially harmful processes.
  • MITRE ATT&CK T1059: Relates to the use of command and scripting interpreters for malicious purposes.
  • Persistence: Identifying methods used by malware to maintain a foothold on the system.
  • Suspicious Activity: General monitoring for activities that deviate from normal behavior.

KQL Search Query

The KQL (Kusto Query Language) query used for detection is:

```kql
DeviceFileEvents
| where FolderPath has_any ("aclui.dll", "Roaming\\capisp", "temp\\vpn.msi", "neuro.msi", "bst.msi", "aes256.msi", "neo.msi", "bim.msi", "WSC.msi")
| where InitiatingProcessCommandLine has_any ("msiexec", "rundll32")
```

This query filters DeviceFileEvents to find events where the FolderPath contains any of the specified suspicious files and the InitiatingProcessCommandLine includes either msiexec or rundll32.
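As an added example (not part of the rule or the original page), the following Python reproduces the two `where` clauses described in the Detection Logic section and in the KQL above, and runs them over constructed DeviceFileEvents rows so the matching behaviour can be checked offline. The `has_any` emulation is an assumption: it treats each indicator as whole alphanumeric terms that must appear consecutively and case-insensitively, which approximates Kusto's term-based `has` rather than a plain substring test. All row ids, paths and command lines are constructed sample data, not real telemetry.

```python
import re
from typing import Iterable

# Indicators copied from the rule's KQL. The doubled backslash in the KQL
# literal is an escape, so "Roaming\\capisp" means Roaming\capisp.
SUSPICIOUS_PATHS = [
    "aclui.dll", "Roaming\\capisp", "temp\\vpn.msi", "neuro.msi",
    "bst.msi", "aes256.msi", "neo.msi", "bim.msi", "WSC.msi",
]
SUSPICIOUS_INITIATORS = ["msiexec", "rundll32"]


def term_pattern(needle: str) -> "re.Pattern[str]":
    """Approximation (assumption) of KQL `has`: split the needle into
    alphanumeric terms and require them to appear as whole, consecutive
    terms, case-insensitively. A substring inside a longer term does not
    match, which is the difference between `has` and `contains`."""
    terms = [re.escape(t) for t in re.split(r"[^A-Za-z0-9]+", needle) if t]
    body = r"[^A-Za-z0-9]+".join(terms)
    return re.compile(rf"(?<![A-Za-z0-9]){body}(?![A-Za-z0-9])", re.IGNORECASE)


PATH_PATTERNS = [term_pattern(n) for n in SUSPICIOUS_PATHS]
INIT_PATTERNS = [term_pattern(n) for n in SUSPICIOUS_INITIATORS]


def has_any(value: str, patterns) -> bool:
    return any(p.search(value) for p in patterns)


def matches_rule(event: dict) -> bool:
    """Both `where` clauses must hold for a row to be returned."""
    return (has_any(event.get("FolderPath", ""), PATH_PATTERNS)
            and has_any(event.get("InitiatingProcessCommandLine", ""), INIT_PATTERNS))


def run_rule(events: Iterable[dict]) -> list:
    return [e for e in events if matches_rule(e)]


# Constructed sample rows; only the two columns the rule reads are present,
# plus an id so the output is easy to read.
SAMPLE_EVENTS = [
    {"id": "dll-in-roaming",
     "FolderPath": r"C:\Users\alice\AppData\Roaming\capisp\aclui.dll",
     "InitiatingProcessCommandLine": r"rundll32.exe C:\Users\alice\AppData\Roaming\capisp\aclui.dll"},
    {"id": "msi-in-temp",
     "FolderPath": r"C:\Users\alice\AppData\Local\Temp\vpn.msi",
     "InitiatingProcessCommandLine": r"msiexec.exe /i C:\Users\alice\AppData\Local\Temp\vpn.msi /qn"},
    # Path matches, but the initiating process is a browser: second clause fails.
    {"id": "browser-download",
     "FolderPath": r"C:\Users\bob\AppData\Local\Temp\vpn.msi",
     "InitiatingProcessCommandLine": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    # Ordinary msiexec install: none of the indicator names appear in the path.
    {"id": "normal-install",
     "FolderPath": r"C:\Windows\Installer\1a2b3c.msi",
     "InitiatingProcessCommandLine": r"msiexec.exe /i C:\Temp\vendor-setup.msi"},
    # "bim.msi" is a substring of "cabim.msi" but not a whole term: no match.
    {"id": "term-boundary",
     "FolderPath": r"C:\Temp\cabim.msi",
     "InitiatingProcessCommandLine": r"msiexec.exe /i C:\Temp\cabim.msi"},
    # Short indicator names collide with legitimately named installers.
    {"id": "name-collision",
     "FolderPath": r"D:\installers\NEO.MSI",
     "InitiatingProcessCommandLine": r"msiexec.exe /i D:\installers\NEO.MSI"},
]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(hit["id"], "->", hit["FolderPath"])
```

Running it returns the `dll-in-roaming`, `msi-in-temp` and `name-collision` rows. The `browser-download` and `normal-install` rows show why both clauses are needed, the `cabim.msi` row shows the term-boundary behaviour of `has`, and the `NEO.MSI` row shows that the bare MSI names in the indicator list will also match a vendor installer that happens to use one of those names, so hits on the MSI names alone are worth a look at the installer's signer and the initiating process's parent before escalating.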

Details

Ali Hussein

Released: August 6, 2024

Tables

DeviceFileEvents

Keywords

Devices, Malware, Suspicious Activity, Process Execution, Persistence

Operators

has_any, where, |