Emerging Threat: Latrodectus Malware Targets Organizations in Sophisticated Phishing Campaigns

Charles M. Walls | April 8, 2024

Cybersecurity experts are raising alarms about a newly discovered malware, Latrodectus, which has been making the rounds via email phishing schemes since at least late November 2023. This emerging threat is described as a sophisticated downloader designed to bypass detection mechanisms while deploying various malicious payloads.

A collaborative analysis by Proofpoint and Team Cymru reveals that Latrodectus is not only adept at evading sandbox environments but also capable of executing arbitrary commands once activated. The malware is suspected to be the brainchild of the same perpetrators responsible for the IcedID malware, with its primary function being to aid initial access brokers (IABs) in spreading further infections.

Significantly, Latrodectus has been associated with two IABs known as TA577 (also called Water Curupira) and TA578, with the latter mainly utilizing this malware in their phishing operations since mid-January 2024. These operations often include delivering other notorious threats like Ursnif, IcedID, and Cobalt Strike, among others.

The typical modus operandi involves using website contact forms to send fake legal threats about copyright infringement to organizations. Victims are lured into clicking links that lead to deceptive sites hosting a JavaScript file which, once run, launches the malware installer via an msiexec command.
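The script-host-to-msiexec step described above is the kind of parent/child process relationship a defender can alert on. The following Python is an added example, not code from the article or from the Proofpoint/Team Cymru research; the event format, field names and msiexec arguments are constructed for illustration.

```python
"""Flag msiexec launched by a Windows script host in process-creation events.

Added example for this article. The 'key=value|key=value' event format and
the sample events below are constructed, not telemetry from the campaign.
"""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# msiexec pulling a package from a remote location, or running quietly
REMOTE_PKG = re.compile(r"https?://\S+", re.IGNORECASE)
QUIET_FLAG = re.compile(r"(^|\s)/(q|qn|quiet)\b", re.IGNORECASE)


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_suspicious_msiexec(ev: ProcEvent) -> bool:
    """True when a script host spawns msiexec with a remote package or quiet flag."""
    if basename(ev.image) != "msiexec.exe":
        return False
    if basename(ev.parent_image) not in SCRIPT_HOSTS:
        return False
    return bool(REMOTE_PKG.search(ev.command_line) or QUIET_FLAG.search(ev.command_line))


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed 'ParentImage=..|Image=..|CommandLine=..' line."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return ProcEvent(fields["ParentImage"], fields["Image"], fields["CommandLine"])


def flag_events(lines):
    """Return the command lines of events matching the script-host -> msiexec chain."""
    return [ev.command_line for ev in map(parse_event, lines) if is_suspicious_msiexec(ev)]


# Constructed sample events: one malicious-looking chain, two benign ones.
SAMPLE_EVENTS = [
    "ParentImage=C:\\Windows\\System32\\wscript.exe|Image=C:\\Windows\\System32\\msiexec.exe|CommandLine=msiexec /i https://example.invalid/update.msi /q",
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\msiexec.exe|CommandLine=msiexec /i C:\\Users\\u\\Downloads\\vendor.msi",
    "ParentImage=C:\\Windows\\System32\\cscript.exe|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd /c dir",
]

if __name__ == "__main__":
    for cmd in flag_events(SAMPLE_EVENTS):
        print("ALERT script host -> msiexec:", cmd)
```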

Once installed, Latrodectus communicates with its command-and-control (C2) server by sending encrypted system information and awaiting further instructions. The malware checks for signs of a sandbox environment by verifying the host's MAC address and requiring the presence of at least 75 active processes on Windows 10 or newer systems.

Latrodectus is versatile in its operations, able to manage files and processes, execute additional malware payloads, and even terminate processes as directed by its C2 server. Researchers have traced the first known C2 servers linked to Latrodectus back to September 18, 2023, which connect to a higher-tier server established earlier in August 2023.

The connection between Latrodectus and IcedID is further solidified by their shared infrastructure and methodologies, indicating that Latrodectus is likely to become a staple tool among cybercriminals who have previously engaged with IcedID. This development underscores the evolving nature of cyber threats and the continual need for robust cybersecurity measures.