Cybersecurity researchers have identified a new loader named “Latrodectus,” first discovered in November 2023, which has been associated with nearly a dozen campaigns since February 2024.
This malware, described in an advisory published by Proofpoint last Thursday, was primarily utilized by actors identified as initial access brokers (IABs) and functions as a downloader with the intent to retrieve payloads and execute arbitrary commands.
Although Latrodectus was initially thought to be a variant of IcedID, subsequent analysis confirmed it as a distinct malware family, likely developed by the same creators as IcedID.
Latrodectus was first spotted in operations linked to TA577, a recognized distributor of Qbot. Subsequently, it became associated with TA578 in email-based threat campaigns starting from mid-January 2024. The prevalence of this malware surged in campaigns throughout February and March.
The distribution methods varied, including the use of contact forms and legal threats regarding copyright infringement, demonstrating the versatility of Latrodectus in different attack vectors.
Analysis of Latrodectus revealed its dynamic resolution of Windows API functions, as well as checks for debuggers and persistence installation attempts. It communicates with command-and-control servers (C2) to receive further instructions and employs various evasion techniques to avoid detection.
Further scrutiny of Latrodectus infrastructure by Team Cymru identified tiered C2 servers and patterns in their setup and lifespans, shedding light on the malware’s operational dynamics. Similarities in infrastructure choices and operator activities between Latrodectus and IcedID suggest the aforementioned connection between the two operations.
“There are many signs pointing to Latrodectus being developed by the same threat actors who created IcedID. This results in Latrodectus and IcedID sharing many similarities, such as the way they communicate with their C2, and even commands such as ‘cmd_run_icedid’ that downloads and runs bp.dat (IcedID bot),” commented Adam Neel, threat detection engineer at Critical Start.
“It is becoming clear that Latrodectus isn’t too different from IcedID, but it does demonstrate sandbox evasion tactics not utilized by previous IcedID loaders.”
Additionally, researchers noted a change in the string decryption routine in Latrodectus samples, suggesting ongoing development. Meanwhile, the identification of campaign ID patterns in IcedID by Proofpoint researchers provided insights into threat actor activities and aided in confident attribution.
“Proofpoint anticipates Latrodectus will become increasingly used by threat actors across the landscape, especially by those who previously delivered IcedID,” reads the advisory.
“Given its use by threat actors assessed to be initial access brokers, defenders are encouraged to understand the tactics, techniques, and procedures (TTPs) exhibited by the malware and associated campaigns.”
The team also highlighted that the malware’s inclination towards sandbox evasion aligns with broader trends in the cybercrime landscape, indicating a persistent challenge for cybersecurity professionals.