Security researchers have identified a new loader named “Latrodectus,” suspected to be a successor to the IcedID malware [7].

Description

Since November 2023 [1] [2] [4] [5] [6] [7] [8] [9], Latrodectus has been detected in malicious email campaigns [5] [6] [7], and nearly a dozen campaigns have been associated with it since February 2024. The malware, used primarily by initial access brokers (IABs) [3] [8], functions as a downloader that retrieves payloads and executes commands [3]. Although it was initially thought to be a variant of IcedID [3] [7], further analysis confirmed Latrodectus as a distinct malware family likely developed by the same creators [3]. It has been linked to the threat actors TA577 and TA578 in various campaigns, with distribution methods including contact forms and legal threats [3]. Latrodectus resolves Windows API functions dynamically [3], employs evasion techniques [1] [3] [7], and communicates with command-and-control (C2) servers [3] [8]. Team Cymru identified tiered C2 servers and patterns in their setup [3], suggesting a connection between Latrodectus and IcedID [3]. Ongoing development has been observed across Latrodectus samples [3], and researchers anticipate increased use by threat actors, especially those that previously delivered IcedID [3].

Conclusion

Cybersecurity experts warn of Latrodectus’ potential proliferation and evolving threat to organizations worldwide [4], emphasizing the need for vigilance and proactive security measures [4]. It is predicted that Latrodectus will be increasingly used by financially motivated threat actors [2], particularly those previously involved in distributing IcedID [2]. The proliferation of Latrodectus poses significant risks to organizations [1], particularly in industries like finance [1], healthcare [1], and government [1], due to its downloader capabilities and sophisticated distribution tactics [1]. Organizations are advised to enhance employee training on phishing tactics and monitor systems for indicators of compromise associated with Latrodectus [1]. Concerns have been raised about the future use of Latrodectus in cybercriminal campaigns due to its advanced evasion capabilities and malicious payload [9].

References

[1] https://sra.io/tigr-threat-watch/
[2] https://vulners.com/thn/THN:DC8CA8E91812CBE3517DFC5420DB0D86
[3] https://www.infosecurity-magazine.com/news/malware-latrodectus-linked-icedid/
[4] https://cybermaterial.com/latrodectus-malware-replaces-icedid/
[5] https://thecyberwire.com/newsletters/daily-briefing/13/67
[6] https://thecyberwire.com/podcasts/daily-podcast/2040/transcript
[7] https://www.bankinfosecurity.com/sophisticated-latrodectus-malware-linked-to-2017-strain-a-24794
[8] https://www.cyclonis.com/latrodectus-malware-distributed-in-phishing-campaign/
[9] https://meterpreter.org/phishing-danger-latrodectus-malware-deployed/