Threat hunters have discovered a new malware called Latrodectus that has been distributed as part of email phishing campaigns since at least late November 2023.
"Latrodectus is an up-and-coming downloader with various sandbox evasion functionality," researchers from Proofpoint and Team Cymru said in a joint analysis published last week, adding it's designed to retrieve payloads and execute arbitrary commands.
There is evidence to suggest that the downloader is likely written by the same threat actors behind the IcedID malware, with the downloader put to use by initial access brokers (IABs) to facilitate the deployment of other malware.
Latrodectus has been primarily linked to two different IABs tracked by Proofpoint under the names TA577 (aka Water Curupira) and TA578, the former of which has also been linked to the distribution of QakBot and PikaBot.
As of mid-January 2024, it's been employed almost exclusively by TA578 in email threat campaigns, in some cases delivered via a DanaBot infection.
TA578, known to be active since at least May 2020, has been linked to email-based campaigns delivering Ursnif, IcedID, KPOT Stealer, Buer Loader, BazaLoader, Cobalt Strike, and Bumblebee.
Attack chains leverage contact forms on websites to send legal threats regarding alleged copyright infringement to targeted organizations. The links embedded in the messages direct the recipients to a bogus website to trick them into downloading a JavaScript file that's responsible for launching the main payload using msiexec.
"Latrodectus will post encrypted system information to the command-and-control server (C2) and request the download of the bot," the researchers said. "Once the bot registers with the C2, it sends requests for commands from the C2."
It also comes with capabilities to detect if it's running in a sandboxed environment by checking if the host has a valid MAC address and there are at least 75 running processes on systems running Windows 10 or newer.
Like in the case of IcedID, Latrodectus is designed to send the registration information in a POST request to the C2 server where the fields are HTTP parameters stringed together and encrypted, after which it awaits further instructions from the server.
The commands allow the malware to enumerate files and processes, execute binaries and DLL files, run arbitrary directives via cmd.exe, update the bot, and even shut down a running process.
A further examination of the attacker infrastructure reveals that the first C2 servers came alive on September 18, 2023. These servers, in turn, are configured to communicate with an upstream Tier 2 server that was set up around August 2023.
Latrodectus' connections to IcedID stems from the fact that the T2 server "maintains connections with backend infrastructure associated with IcedID" and use of jump boxes previously associated with IcedID operations.
The threat actors' shift to DarkGate, Latrodectus, and PikaBot over the past several months comes in the wake of a law enforcement operation that neutralized QakBot in late August 2023, although the malware has been deployed in low-volume campaigns as of December and there are indications that a new variant of the botnet is undergoing active development.
"Latrodectus will become increasingly used by financially motivated threat actors across the criminal landscape, particularly those who previously distributed IcedID," Team Cymru assessed.
