    Beware of “Latrodectus” – this malware may be in your inbox


Report, April 8, 2024, Editorial Department, Cybercrime/Internet Security


Threat hunters have discovered a new malware family, Latrodectus, that has been distributed as part of email phishing campaigns since at least late November 2023.

“Latrodectus is an emerging downloader with various sandbox evasion capabilities,” researchers from Proofpoint and Team Cymru said in a joint analysis published last week, adding that it is designed to retrieve payloads and execute arbitrary commands.

    There is evidence that this malware was likely written by the same threat actor behind the IcedID malware, an Initial Access Broker (IAB) that uses downloaders to facilitate the deployment of other malware.

    Latrodectus is primarily associated with two different IABs tracked by Proofpoint, TA577 (also known as Water Curupira) and TA578, with the former also associated with the distribution of QakBot and PikaBot.

    As of mid-January 2024, TA578 is using it almost exclusively in email threat campaigns, in some cases delivered via DanaBot infections.


    TA578 is known to have been active since at least May 2020 and has been associated with email-based Ursnif, IcedID, KPOT Stealer, Buer Loader, BazaLoader, Cobalt Strike and Bumblebee campaigns.

The attack chain abuses a website contact form to send the target organization legal threats regarding alleged copyright infringement. Links embedded in the messages direct recipients to a fake website that tricks them into downloading a JavaScript file, which is responsible for launching the main payload using msiexec.
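The delivery chain above (a downloaded JavaScript file that launches the payload through msiexec) leaves a process-creation pattern a defender can hunt for: msiexec.exe spawned by the Windows Script Host. The following is an added example, not code from the article or from Proofpoint/Team Cymru; the JSON event lines are constructed, the field names are this example's own, and the extra rule that flags msiexec installing a package from a URL is an assumption the article does not state.

```python
"""Detect msiexec.exe launched from a script host, the pattern the article
describes for Latrodectus delivery. All events below are constructed."""
import json
import re
from dataclasses import dataclass
from typing import List, Optional

# Windows Script Host binaries that run a downloaded .js file.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Assumption for illustration (not from the article): an MSI installed straight
# from a URL, e.g. "msiexec /i http://.../x.msi", is also worth flagging.
REMOTE_MSI = re.compile(r"\s[/-]i\s+https?://", re.IGNORECASE)


@dataclass
class Finding:
    event_id: str
    reason: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> Optional[Finding]:
    """Return a Finding if the process-creation event matches, else None."""
    child = basename(ev.get("image", ""))
    parent = basename(ev.get("parent_image", ""))
    cmd = ev.get("command_line", "")
    if child != "msiexec.exe":
        return None
    if parent in SCRIPT_HOSTS:
        return Finding(ev["id"], f"msiexec.exe spawned by script host {parent}")
    if REMOTE_MSI.search(cmd):
        return Finding(ev["id"], "msiexec.exe installing a package from a URL")
    return None


def scan(lines: List[str]) -> List[Finding]:
    """Run check_event over JSON-lines process-creation telemetry."""
    findings = []
    for line in lines:
        finding = check_event(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry (hypothetical field names: id, image,
# parent_image, command_line). Backslashes are doubled for JSON.
SAMPLE_EVENTS = [
    r'{"id": "evt-1", "image": "C:\\Windows\\System32\\msiexec.exe", '
    r'"parent_image": "C:\\Windows\\explorer.exe", '
    r'"command_line": "msiexec.exe /i C:\\Users\\alice\\Downloads\\7zip.msi"}',
    r'{"id": "evt-2", "image": "C:\\Windows\\System32\\msiexec.exe", '
    r'"parent_image": "C:\\Windows\\System32\\wscript.exe", '
    r'"command_line": "msiexec.exe /i C:\\Users\\alice\\AppData\\Local\\Temp\\update.msi /qn"}',
    r'{"id": "evt-3", "image": "C:\\Windows\\System32\\msiexec.exe", '
    r'"parent_image": "C:\\Windows\\explorer.exe", '
    r'"command_line": "msiexec.exe /i http://example.invalid/pkg.msi /qn"}',
    r'{"id": "evt-4", "image": "C:\\Windows\\System32\\notepad.exe", '
    r'"parent_image": "C:\\Windows\\System32\\wscript.exe", '
    r'"command_line": "notepad.exe readme.txt"}',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.event_id}: {f.reason}")
```

Only evt-2 (script host parent) and evt-3 (URL install) are reported; a user double-clicking a local MSI from Explorer (evt-1) is not. In practice the parent-process rule is the higher-confidence one; tune the URL rule against your own environment's installer traffic before alerting on it.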

“Latrodectus posts encrypted system information to a command and control server (C2) and requests the download of the bot,” the researchers said. “Once the bot registers with the C2, it sends requests for commands to the C2.”


    It also has the ability to detect if a host is running in a sandbox environment by checking if it has a valid MAC address and at least 75 running processes on a system running Windows 10 or higher.
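For analysts running detonation sandboxes, the three evasion checks above are a concrete hardening checklist: an analysis VM that fails any of them will never show the downloader's real behaviour. The following is an added example, not code from the article or from the researchers; the thresholds (valid MAC, at least 75 processes, Windows 10 or newer) are taken from the text, while the stdlib-only probing helpers and their names are this example's own assumptions.

```python
"""Check whether an analysis VM would trip the Latrodectus sandbox heuristics
described in the article. The evaluation is pure so it can be tested offline;
probe_host() gathers live values with the standard library only."""
import os
import platform
import subprocess
import uuid
from typing import List

MIN_PROCESSES = 75       # threshold stated in the article
MIN_WINDOWS_MAJOR = 10   # "Windows 10 or higher"; Windows 11 also reports 10.x


def mac_is_valid(mac: int) -> bool:
    """A real NIC address is non-zero and has the multicast bit clear.
    uuid.getnode() sets that bit when it had to invent a random address."""
    first_octet = mac >> 40
    return mac != 0 and not (first_octet & 0x01)


def evaluate(mac: int, process_count: int, windows_major: int) -> List[str]:
    """Return the checks a VM with these properties would fail (empty = looks real)."""
    failures = []
    if not mac_is_valid(mac):
        failures.append("no valid MAC address")
    if process_count < MIN_PROCESSES:
        failures.append(f"only {process_count} processes (need >= {MIN_PROCESSES})")
    if windows_major < MIN_WINDOWS_MAJOR:
        failures.append(f"Windows major version {windows_major} < {MIN_WINDOWS_MAJOR}")
    return failures


def count_processes() -> int:
    """Process count via tasklist on Windows, /proc on Linux (helper is an assumption)."""
    if os.name == "nt":
        out = subprocess.run(["tasklist", "/nh"], capture_output=True, text=True).stdout
        return sum(1 for line in out.splitlines() if line.strip())
    return sum(1 for entry in os.listdir("/proc") if entry.isdigit())


def windows_major_version() -> int:
    """Major version from platform.version() (e.g. '10.0.19045'); 0 off Windows."""
    if os.name != "nt":
        return 0
    return int(platform.version().split(".")[0])


def probe_host() -> List[str]:
    """Evaluate the machine this script runs on."""
    return evaluate(uuid.getnode(), count_processes(), windows_major_version())


if __name__ == "__main__":
    problems = probe_host()
    print("VM would pass the checks" if not problems else "\n".join(problems))
```

Run it inside the sandbox image itself; a bare VM snapshot frequently has far fewer than 75 processes, so padding the image with ordinary user applications is usually the first fix.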

As with IcedID, Latrodectus sends the registration information in a POST request to the C2 server, with the fields as HTTP parameters strung together and encrypted, and then waits for further instructions from the server.

    These commands allow the malware to enumerate files and processes, execute binaries and DLL files, run arbitrary commands via cmd.exe, update bots, and even shut down running processes.


    Further examination of the attacker’s infrastructure revealed that the first C2 servers were launched on September 18, 2023. These servers are in turn configured to communicate with upstream Tier 2 servers set up around August 2023.

Latrodectus’ connection to IcedID stems from the Tier 2 server “maintaining connectivity to the IcedID-related backend infrastructure” and from the use of a jump box previously associated with IcedID operations.

“Latrodectus will increasingly be used by financially motivated threat actors in the criminal sector, particularly those who have previously distributed IcedID,” Team Cymru assessed.
