Threat hunters have found a brand new malware referred to as Latrodectus that has been distributed as part of email phishing campaigns since at least late November 2023.
“Latrodectus is an up-and-coming downloader with various sandbox evasion functionality,” researchers from Proofpoint and Team Cymru said in a joint analysis published last week, adding that it is designed to retrieve payloads and execute arbitrary commands.
There is evidence to suggest that the malware is likely written by the same threat actors behind the IcedID malware, with the downloader put to use by initial access brokers (IABs) to facilitate the deployment of other malware.
Latrodectus has been primarily linked to two different IABs tracked by Proofpoint under the names TA577 (aka Water Curupira) and TA578, the former of which has also been linked to the distribution of QakBot and PikaBot.
As of mid-January 2024, it has been employed almost exclusively by TA578 in email threat campaigns, in some cases delivered via a DanaBot infection.
TA578, known to be active since at least May 2020, has been linked to email-based campaigns delivering Ursnif, IcedID, KPOT Stealer, Buer Loader, BazaLoader, Cobalt Strike, and Bumblebee.
Attack chains leverage contact forms on websites to send legal threats regarding alleged copyright infringement to targeted organizations. The links embedded in the messages direct the recipients to a bogus website to trick them into downloading a JavaScript file that is responsible for launching the main payload using msiexec.
“Latrodectus will post encrypted system information to the command-and-control server (C2) and request the download of the bot,” the researchers said. “Once the bot registers with the C2, it sends requests for commands from the C2.”
It also comes with capabilities to detect whether it is running in a sandboxed environment by checking that the host has a valid MAC address and that there are at least 75 running processes on systems running Windows 10 or newer.
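The two evasion checks just described are exactly what an analysis sandbox has to satisfy before a sample will detonate. The following added example (not code from the article or from the researchers' reports) audits a host snapshot against them so an analyst can adjust a VM before submitting a sample; it assumes a "valid" MAC is one that is well-formed and neither the null nor the broadcast address, and it applies the 75-process threshold only on Windows 10 or newer, as the article states. The snapshots are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import List

# Threshold reported for Windows 10 or newer; the article gives no figure for older systems.
MIN_PROCESSES_WIN10 = 75
_MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


@dataclass
class HostSnapshot:
    """Minimal view of a sandbox VM as the malware would see it (assumed fields)."""
    windows_major: int   # 10 for Windows 10/11, 6 for Windows 7/8.x
    mac_address: str     # primary NIC, colon- or dash-separated
    process_count: int   # number of running processes at detonation time


def mac_is_valid(mac: str) -> bool:
    """Well-formed and not a placeholder (assumption: null/broadcast are not 'valid')."""
    mac = mac.strip().lower().replace("-", ":")
    if not _MAC_RE.match(mac):
        return False
    return mac not in ("00:00:00:00:00:00", "ff:ff:ff:ff:ff:ff")


def audit(snapshot: HostSnapshot) -> List[str]:
    """Return the evasion checks this host would trip; an empty list means it passes."""
    failures = []
    if not mac_is_valid(snapshot.mac_address):
        failures.append("mac: host has no valid MAC address")
    if snapshot.windows_major >= 10 and snapshot.process_count < MIN_PROCESSES_WIN10:
        failures.append(
            f"processes: {snapshot.process_count} running, "
            f"at least {MIN_PROCESSES_WIN10} expected on Windows 10 or newer"
        )
    return failures


# Constructed sample snapshots: a hardened VM and a bare default one.
HARDENED_VM = HostSnapshot(windows_major=10, mac_address="00-0C-29-3A-1F-2B", process_count=118)
DEFAULT_VM = HostSnapshot(windows_major=10, mac_address="00:00:00:00:00:00", process_count=41)

if __name__ == "__main__":
    for name, snap in (("hardened", HARDENED_VM), ("default", DEFAULT_VM)):
        problems = audit(snap)
        print(f"{name}: {'passes' if not problems else '; '.join(problems)}")
```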
As in the case of IcedID, Latrodectus is designed to send the registration information in a POST request to the C2 server, where the fields are HTTP parameters strung together and encrypted, after which it awaits further instructions from the server.
The commands allow the malware to enumerate files and processes, execute binaries and DLL files, run arbitrary directives via cmd.exe, update the bot, and even shut down a running process.
A further examination of the attacker infrastructure reveals that the first C2 servers came alive on September 18, 2023. These servers, in turn, are configured to communicate with an upstream Tier 2 server that was set up around August 2023.
Latrodectus' connections to IcedID stem from the fact that the T2 server “maintains connections with backend infrastructure associated with IcedID” and from the use of jump boxes previously associated with IcedID operations.
“Latrodectus will become increasingly used by financially motivated threat actors across the criminal landscape, particularly those who previously distributed IcedID,” Team Cymru assessed.