Latrodectus is a new strain of malware recently discovered by threat researchers. It has been distributed through email phishing campaigns since at least late November 2023.

In a recent collaborative analysis by experts from Proofpoint and Team Cymru, it was revealed that Latrodectus functions as a developing downloader equipped with various sandbox evasion capabilities. Additionally, it is designed to retrieve payloads and execute random commands.

From the available data, it seems that this downloader was crafted by the same threat actors behind the IcedID virus. Initial access brokers (IABs) utilize this downloader to facilitate the distribution of other forms of malware.

Latrodectus has primarily been linked to two distinct Initial Access Brokers (IABs) closely monitored by Proofpoint, identified as TA577 (also known as Water Curupira) and TA578. The former has also been associated with the spread of QakBot and PikaBot.

Cyber Security Programs: Your First Step Towards a Secure Future

As of mid-January 2024, Latrodectus has been predominantly utilized by TA578 in email threat campaigns. In some instances, it has been disseminated using a DanaBot infection.

TA578 has been linked to email-based campaigns responsible for distributing various malware strains, including Ursnif, IcedID, KPOT Stealer, Buer Loader, BazaLoader, Cobalt Strike, and Bumblebee. Its activity has been documented since at least May 2020.

Threat actors leverage online forms in these attack chains to intimidate targeted organizations with legal threats, alleging copyright violations. The emails typically contain links directing recipients to counterfeit websites. Once there, unsuspecting victims are prompted to download a JavaScript file, which then utilizes msiexec to execute the primary payload.

According to the investigators, “Latrodectus will post encrypted system information to the command-and-control server (C2) and request the download of the bot. “Once the bot registers with the C2, it sends requests for commands from the C2.”

Additionally, it may assess whether the system is running in a sandbox environment by checking for a functioning MAC address and ensuring that, on Windows 10 or later systems, there are at least 75 active processes.

Similar to IcedID, Latrodectus is designed to transmit registration data via a POST request to the C2 server. The information is encrypted, with the fields forming concatenated HTTP parameters. Following this transmission, it waits for the server to furnish further instructions.

The commands empower the malware to list all files and processes, execute DLL files and binaries, update the bot, execute arbitrary commands using cmd.exe, and terminate running processes.

Further investigation into the attacker’s infrastructure reveals that the initial C2 servers were activated on September 18, 2023. Moreover, these servers are configured to communicate with an upstream Tier 2 server, which was established in August 2023.

The Tier 2 (T2) server “maintains connections with backend infrastructure linked to IcedID” and employs jump boxes previously utilized in IcedID operations. This connection elucidates how Latrodectus is associated with IcedID.

Following a law enforcement operation that neutralized QakBot in late August 2023, threat actors transitioned to utilizing DarkGate, Latrodectus, and PikaBot over the following months. However, as of December, the malware continued to be employed in low-volume campaigns, with indications pointing to the active development of a new variant of the botnet.

“Latrodectus will become increasingly used by financially motivated threat actors across the criminal landscape, particularly those who previously distributed IcedID,” Team Cymru said.

SOURCE