Latrodectus Malware Distributed in Phishing Campaign

Threat investigators have uncovered a newly identified malware named Latrodectus, which has been distributed through email phishing campaigns since at least late November 2023.

Described as an emerging downloader with multiple features to evade detection in sandbox environments, Latrodectus is designed to fetch payloads and execute commands, as outlined in a recent joint analysis by researchers from Proofpoint and Team Cymru.

There are indications suggesting that the creators of Latrodectus are likely the same individuals responsible for developing the IcedID malware. This downloader is utilized by initial access brokers (IABs) to streamline the deployment of additional malware.

Latrodectus Linked to Two APTs

Latrodectus is predominantly associated with two distinct IABs known as TA577 (also referred to as Water Curupira) and TA578. TA577 has been previously connected to the dissemination of QakBot and PikaBot.

As of mid-January 2024, Latrodectus has been predominantly utilized by TA578 in email threat campaigns, sometimes transmitted via a DanaBot infection.

TA578, operational since at least May 2020, has been involved in email campaigns delivering various malware such as Ursnif, IcedID, KPOT Stealer, Buer Loader, BazaLoader, Cobalt Strike, and Bumblebee.

Mode of Infiltration

The attack methodology typically involves using contact forms on websites to send legal threats related to alleged copyright infringement to targeted entities. The embedded links direct recipients to a deceptive website, persuading them to download a JavaScript file responsible for initiating the main payload using msiexec.

Upon infection, Latrodectus sends encrypted system information to its command-and-control server (C2) and requests the download of the bot. After registering with the C2, it awaits commands from the server.

Latrodectus possesses capabilities to detect sandboxed environments by verifying the presence of a valid MAC address and a sufficient number of running processes on systems running Windows 10 or newer.

Similar to IcedID, Latrodectus submits registration information to the C2 server via a POST request, with the data encrypted and concatenated HTTP parameters. It then awaits further instructions from the server.

The commands issued to Latrodectus allow it to enumerate files and processes, execute binaries and DLL files, execute arbitrary directives via cmd.exe, update itself, and terminate running processes.

Further investigation into the attacker infrastructure reveals that the initial C2 servers became active on September 18, 2023, communicating with an upstream Tier 2 server established around August 2023.

The connection between Latrodectus and IcedID is evident from the fact that the Tier 2 server maintains connections with backend infrastructure linked to IcedID and employs jump boxes previously associated with IcedID operations.