A new malware family called Latrodectus has emerged in initial access broker email campaigns over the past five months. The downloader, which shares infrastructure with the IcedID malware, was likely created by IcedID developers, researchers said.
Latrodectus, which was first uncovered by Walmart in October, was observed being used by threat actors in a number of campaigns in November. Researchers this week said that, starting in February, they observed more than a dozen campaigns delivering the loader. Latrodectus has standard loader functionality, such as downloading additional payloads and executing arbitrary commands, but its developers have also attempted to build sandbox evasion techniques into the malware.
“Proofpoint anticipates Latrodectus will become increasingly used by threat actors across the landscape, especially by those who previously delivered IcedID,” said researchers with Proofpoint and Team Cymru in a joint analysis on Thursday. “Given its use by threat actors assessed to be initial access brokers, defenders are encouraged to understand the tactics, techniques, and procedures (TTPs) exhibited by the malware and associated campaigns.”
Researchers believe that Latrodectus is used by initial access brokers, which gain a foothold in victim environments and then sell that access to other cybercriminals. One threat group, TA577, was seen distributing Latrodectus in at least three campaigns in November. TA577 is a known initial access broker that has previously leveraged malware like QakBot and Pikabot. Then, starting in mid-January, researchers observed Latrodectus being used almost exclusively by another threat actor, TA578, in email campaigns.
TA578, which has previously relied on malware like IcedID and Bumblebee, submitted contact forms on targets' websites while impersonating various companies, sending legal threats about alleged copyright infringement. These threats contained links that started the attack chain.
“If the link was visited, the target was redirected to a landing page personalized to display both the target’s domain and the name of the impersonated company (TA578) reporting the copyright infringement,” said researchers. “The URL then downloaded a JavaScript file from a Google Firebase URL. Proofpoint has observed the download initiated both from clicking on the ‘download’ button, or downloading the payload automatically when the link is first visited.”
Latrodectus supports various commands. The malware is able to execute payloads, get a list of running processes and shut them down, get the names of files on the desktop, pass strings to cmd for execution, and more. After download, the malware checks for various features that would be indicative of a sandbox environment. For instance, if the environment is Windows 10 or newer, the malware checks whether the host has at least 75 running processes. If it does not, that is treated as one potential clue pointing to a sandbox environment.
“Latrodectus’ attempts to incorporate sandbox evasion functionality aligns with the trend overall in the cybercrime threat landscape that malware authors are increasingly trying to bypass defenders and ensure only potential victims receive the payload,” said researchers. “Proofpoint has observed similar attempts from other notable malware used by IABs including Pikabot and WikiLoader.”
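The process-count heuristic described above is simple to turn into a self-check that a sandbox operator can run inside an analysis VM to see whether the VM would trip it. The script below is an added example written for this article; it is not Latrodectus code and not from Proofpoint or Team Cymru. The only details taken from the published description are the gating on Windows 10 or newer and the 75-process threshold; the way processes are counted (tasklist on Windows, /proc or ps elsewhere) and the report format are this example's own assumptions.

```python
"""Sandbox self-check modelled on the Latrodectus process-count heuristic.

Added example for this article, not Latrodectus code and not from Proofpoint or
Team Cymru. The only details taken from the published description are the
gating on Windows 10 or newer and the 75-process threshold; everything else
(how processes are counted, the report format) is this example's own choice.
Run it inside an analysis VM to learn whether the VM would look like a sandbox
to a loader applying this check.
"""
import os
import subprocess
import sys
from typing import Optional

MIN_PROCESSES_WIN10 = 75  # threshold reported for Windows 10 or newer


def fails_process_count_check(windows_major: Optional[int], process_count: int) -> bool:
    """Return True when the host would fail the described check.

    windows_major is the Windows major version (10 for both Windows 10 and 11,
    since both report a 10.x kernel), or None when not on Windows. Only the
    Windows 10+ branch is described publicly, so older and non-Windows hosts
    are reported as not failing this particular check rather than as "safe".
    """
    if windows_major is None or windows_major < 10:
        return False
    return process_count < MIN_PROCESSES_WIN10


def windows_major_version() -> Optional[int]:
    """Major version of the running Windows kernel, or None on other platforms."""
    if sys.platform != "win32":
        return None
    return sys.getwindowsversion().major


def count_processes() -> int:
    """Count running processes with stock tools (assumption: tasklist on
    Windows, /proc on Linux, ps elsewhere); no third-party modules needed."""
    if sys.platform == "win32":
        # /FO CSV /NH: one CSV row per process, no header lines to skip.
        out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"],
                             capture_output=True, text=True, check=True).stdout
        return sum(1 for line in out.splitlines() if line.strip())
    if os.path.isdir("/proc"):
        return sum(1 for name in os.listdir("/proc") if name.isdigit())
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return sum(1 for line in out.splitlines() if line.strip())


def evaluate_host() -> dict:
    """Gather the two inputs from the running host and apply the check."""
    major = windows_major_version()
    count = count_processes()
    return {
        "windows_major": major,
        "process_count": count,
        "threshold": MIN_PROCESSES_WIN10,
        "would_fail_check": fails_process_count_check(major, count),
    }


if __name__ == "__main__":
    result = evaluate_host()
    verdict = ("WOULD be flagged as a sandbox" if result["would_fail_check"]
               else "passes this check")
    print(f"Windows major version: {result['windows_major']}, "
          f"running processes: {result['process_count']} "
          f"(threshold {result['threshold']}): host {verdict}")
```

A VM that fails should be populated with ordinary background processes before the sample is launched; the count is taken at the moment the loader runs, so padding added afterwards does not help. Because the public description covers only the Windows 10+ branch, a pass here says nothing about other checks the loader may perform.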
The malware shares many infrastructure and technical similarities with IcedID, which led early analyses to suggest that Latrodectus was a new variant of IcedID. However, based on a string identified in the code, researchers have confirmed that Latrodectus is a distinct malware family. IcedID has been around since 2017 and has been used over the years by different threat actors in conjunction with the Emotet, QakBot and Bumblebee malware families. IcedID started as a banking trojan but over time has evolved into a generic information stealer.
“From an infrastructure analysis perspective, Team Cymru determined that the same threat actors responsible for IcedID are also involved in the operation of Latrodectus,” said researchers. “This conclusion is drawn from a few key observations. For one, the C2 hosting choices between the two operations are similar, as mentioned above, although this alone is not a strong association.”
“More conclusively, the Latrodectus T2 maintains connections with backend infrastructure associated with IcedID, and operator activity within Latrodectus infrastructure includes the utilization of specific jumpboxes known to be used in IcedID operations,” they said.
Initial access brokers rely on a number of malware families, sometimes more than one across different campaigns, to establish access to victim environments. IcedID campaigns, for instance, have been used to lay the groundwork for follow-on malicious activity, including deploying malware or tools like Cobalt Strike that are then used to move further into an organization.
"We share Proofpoint’s assessment that Latrodectus will become increasingly used by financially motivated threat actors across the criminal landscape, particularly those who previously distributed IcedID," said Team Cymru researchers.