Security researchers have identified a new malware family, named Latrodectus, being distributed in email phishing campaigns since at least late 2023.
According to a joint analysis by researchers at Proofpoint and Team Cymru, Latrodectus is an emerging downloader that uses several techniques to evade sandbox detection. Its core functions are retrieving payloads and executing arbitrary commands.
The evidence points to a link between Latrodectus and the operators behind the IcedID malware. These operators act as initial access brokers (IABs) and use Latrodectus to facilitate the distribution of other malware.
Two threat actors, TA577 (also tracked as Water Curupira) and TA578, are the primary distributors. Besides Latrodectus, TA577 has been linked to the distribution of QakBot and PikaBot.
Since mid-January 2024, TA578 has used Latrodectus almost exclusively in its email threat campaigns, occasionally delivering it through existing DanaBot infections.
TA578, active since at least May 2020, has been linked to email campaigns distributing a range of malware, including Ursnif, IcedID, KPOT Stealer, Buer Loader, BazaLoader, Cobalt Strike, and Bumblebee.
These campaigns abuse website contact forms to send fake legal threats about alleged copyright infringement to the targeted organization. Links in the messages lead to bogus websites that trick the recipient into downloading a JavaScript file; the script then launches msiexec to fetch and install the main payload.
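The delivery chain described above (a downloaded .js file run by a Windows script host, which in turn starts msiexec to pull the payload) is the kind of parent/child relationship a defender can hunt for in process-creation telemetry. The following Python is an added example written for this page, not code from the Proofpoint or Team Cymru report; the event records are constructed sample data in a Sysmon-like shape, and the field names, the command lines and the URL are assumptions for illustration only.

```python
"""
Hunting logic for the script-host -> msiexec delivery chain.

Added example, not from the original report. The ProcEvent field names and
the sample events at the bottom are constructed for illustration.
"""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
JS_ARG_RE = re.compile(r"\.jse?\b", re.IGNORECASE)          # .js / .jse, not .json
QUIET_RE = re.compile(r"(^|\s)/q[nb]?(\s|$)", re.IGNORECASE)  # msiexec /q, /qn, /qb


@dataclass
class ProcEvent:
    pid: int
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcEvent) -> list:
    """Return the list of suspicious traits seen in one process-creation event."""
    findings = []
    image = basename(ev.image)
    parent = basename(ev.parent_image)
    cmd = ev.command_line

    # A script host handed a .js file: the lure stage of the chain.
    if image in SCRIPT_HOSTS and JS_ARG_RE.search(cmd):
        findings.append("script-host-running-js")

    if image == "msiexec.exe":
        # msiexec normally runs under services.exe or an installer, not a script host.
        if parent in SCRIPT_HOSTS:
            findings.append("msiexec-spawned-by-script-host")
        # An installer package fetched from a URL rather than a local file.
        if URL_RE.search(cmd):
            findings.append("msiexec-remote-package")
        # Quiet install flags hide the Windows Installer UI from the user.
        if QUIET_RE.search(cmd):
            findings.append("msiexec-quiet")
    return findings


def hunt(events) -> dict:
    """Map pid -> findings for every event that triggered at least one trait."""
    return {ev.pid: f for ev in events if (f := classify(ev))}


# Constructed sample telemetry (assumption: Sysmon-style process creation events).
SAMPLE_EVENTS = [
    ProcEvent(4120, r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\bob\Downloads\Legal_Notice_2024.js"'),
    ProcEvent(4188, r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i http://example.invalid/notice.msi /qn"),
    # Benign: the Windows Installer service started by the service control manager.
    ProcEvent(1204, r"C:\Windows\System32\services.exe", r"C:\Windows\System32\msiexec.exe",
              r"C:\Windows\System32\msiexec.exe /V"),
    ProcEvent(3302, r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c dir"),
]


def run() -> dict:
    return hunt(SAMPLE_EVENTS)


if __name__ == "__main__":
    for pid, traits in run().items():
        print(pid, ", ".join(traits))
```

The two flagged events together (a script host running a file from a user's Downloads folder, then spawning msiexec with a remote package and a quiet flag) make a much stronger signal than either alone; in a real deployment the traits would be joined on the parent/child relationship rather than reported per event, and the benign service-start form of msiexec (`/V` under services.exe) is deliberately left unflagged.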
The researchers note that Latrodectus sends encrypted system information to its command-and-control (C2) server and requests the download of the bot. Once the bot has contacted the C2, it waits for further commands.
Latrodectus can also detect sandbox environments: it checks that the host has a valid MAC address and, on Windows 10 or later, that at least a minimum number of processes are running.
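Checks like these are aimed at bare detonation VMs, which often have a synthetic or missing NIC address and very few running processes. As an added example (not code from the report or from the malware), the Python below models the two host checks as the article describes them so a sandbox operator can see what values a detonation VM exposes; the process-count threshold is not given on this page, so `MIN_PROCESSES` is a placeholder assumption, and the only-on-Windows-10-or-later scoping of the process check follows the article's wording.

```python
"""
Model of the MAC-address and process-count host checks described above.

Added example; the threshold and the exact gating logic are assumptions.
"""
import os
import platform
import subprocess
import sys
import uuid

MIN_PROCESSES = 50  # assumption: the real threshold is not stated on this page


def mac_looks_real(mac: int) -> bool:
    """A plausible hardware address: non-zero and with the multicast bit clear.

    uuid.getnode() returns a random 48-bit number with the multicast bit
    (least significant bit of the first octet, bit 40 of the integer) set
    when it cannot read a real NIC address, so that bit separates the two.
    """
    return mac != 0 and not (mac >> 40) & 1


def count_processes() -> int:
    """Best-effort count of running processes on this host."""
    if platform.system() == "Windows":
        out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"],
                             capture_output=True, text=True, check=False).stdout
        return sum(1 for line in out.splitlines() if line.strip())
    if os.path.isdir("/proc"):
        return sum(1 for name in os.listdir("/proc") if name.isdigit())
    out = subprocess.run(["ps", "-e"], capture_output=True, text=True, check=False).stdout
    return max(len(out.splitlines()) - 1, 0)  # drop the header line


def windows_major_version() -> int:
    """Windows major version, or 0 on other platforms (not subject to the check)."""
    return sys.getwindowsversion().major if platform.system() == "Windows" else 0


def would_bot_proceed(mac: int, process_count: int, windows_major: int,
                      min_processes: int = MIN_PROCESSES) -> bool:
    """Apply the two gates as the article describes them."""
    if not mac_looks_real(mac):
        return False
    if windows_major >= 10 and process_count < min_processes:
        return False
    return True


def profile_this_host() -> dict:
    """Collect the observables a sandbox operator wants to compare against."""
    mac = uuid.getnode()
    procs = count_processes()
    major = windows_major_version()
    return {
        "mac": f"{mac:012x}",
        "mac_looks_real": mac_looks_real(mac),
        "process_count": procs,
        "windows_major": major,
        "would_proceed": would_bot_proceed(mac, procs, major),
    }


if __name__ == "__main__":
    for key, value in profile_this_host().items():
        print(f"{key}: {value}")
```

Run it inside the detonation VM: a `mac_looks_real` of False or a low process count on a Windows 10 guest means the sample would likely exit before doing anything worth recording, and the fix is on the sandbox side (a realistic NIC address, a populated set of background processes), not in the detection rule.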
As with IcedID, Latrodectus sends its registration data to the C2 server in a POST request, with the fields concatenated as HTTP parameters and encrypted. It then waits for commands from the server.
The supported commands let the malware enumerate files and processes, run executables and DLLs, execute arbitrary commands via cmd.exe, update the bot, and terminate running processes.
Analysis of the attacker infrastructure shows that the first C2 servers came online on September 18, 2023. These servers communicate with an upstream Tier 2 (T2) server that was set up around August 2023.
The link to IcedID is visible in the T2 server's connections to backend infrastructure associated with IcedID, and in the reuse of jump boxes previously seen in IcedID operations.
Team Cymru expects Latrodectus to be adopted more widely by financially motivated threat actors, particularly those that previously distributed IcedID.