Phishing Danger: Latrodectus Malware Deployed

Specialists from Proofpoint and Team Cymru have uncovered a novel malware dubbed Latrodectus, considered an evolution of the well-known IcedID loader, which has been actively deployed in phishing campaigns since November 2023.

Initially identified in 2017, IcedID was categorized as a modular banking Trojan designed to pilfer financial information from infected computers. Over time, it evolved, gaining capabilities for evasion and command execution.

Recently, IcedID has transformed into a loader for delivering various types of malware, including ransomware. In February 2024, a leader of the IcedID campaign pleaded guilty in a federal court in the United States, facing up to 20 years in prison for each charge.

According to research conducted by Proofpoint and Team Cymru, there are specific connections between IcedID and Latrodectus, including similarities in infrastructure and operations, suggesting that the latter was developed by the creators of IcedID.

Latrodectus is a loader capable of retrieving additional malicious payloads from a C2 server. The malware also performs several checks to avoid detection and analysis, including a required number of running processes that depends on the version of Windows, and verification that the host has a valid MAC address.

Among others, Latrodectus supports the following commands:

– Retrieve filenames on the desktop;
– Obtain a list of running processes;
– Send additional system information;
– Launch an executable file;
– Execute a DLL;
– Terminate a running process.

The attacker initiates the attack by filling out feedback forms on the target organization's website and informing the organization about a copyright infringement. The message includes a link that leads the victim to a Google Firebase page, from which a malicious JavaScript file is downloaded. When run, that file uses the Windows installer to execute an MSI file containing the malicious Latrodectus library.
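The JavaScript-to-MSI step of this chain can be hunted in process-creation telemetry. The following is an added example, not code from Proofpoint or Team Cymru: it flags `msiexec.exe` started by a script host that was itself launched on a `.js` file. The event field names, hosts, PIDs and paths are constructed, and it assumes the downloaded file runs under Windows Script Host (`wscript.exe` or `cscript.exe`).

```python
import ntpath
import re

# Assumption: a .js file opened by a user runs under Windows Script Host.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Matches a .js/.jse argument but not e.g. ".json".
JS_ARG = re.compile(r'\.jse?(?=["\s]|$)', re.IGNORECASE)

# Constructed process-creation events in chronological order; the field
# names are hypothetical and stand in for whatever the EDR/Sysmon feed uses.
SAMPLE_EVENTS = [
    {"host": "ws-01", "pid": 4120, "ppid": 988,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\amy\Downloads\notice.js"'},
    {"host": "ws-01", "pid": 5332, "ppid": 4120,
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\amy\AppData\Local\Temp\upd.msi /qn"},
    # Same PID number on another host, parent is not a script host: benign.
    {"host": "ws-02", "pid": 6001, "ppid": 4120,
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Installers\viewer.msi"},
    # Script host running a non-JavaScript admin script: out of scope here.
    {"host": "ws-03", "pid": 7010, "ppid": 640,
     "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe //nologo C:\IT\deploy.vbs"},
    {"host": "ws-03", "pid": 7044, "ppid": 7010,
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\IT\agent.msi /qn"},
]

def find_script_to_msi(events):
    """Return (host, script_cmdline, msiexec_cmdline) for every msiexec.exe
    whose parent is a script host that was launched on a .js file."""
    script_procs = {}  # (host, pid) -> command line of the script host
    hits = []
    for ev in events:
        name = ntpath.basename(ev["image"]).lower()
        key = (ev["host"], ev["pid"])
        if name in SCRIPT_HOSTS and JS_ARG.search(ev["cmdline"]):
            script_procs[key] = ev["cmdline"]
            continue
        script_procs.pop(key, None)  # PID reused by an unrelated process
        if name == "msiexec.exe":
            parent = script_procs.get((ev["host"], ev["ppid"]))
            if parent is not None:
                hits.append((ev["host"], parent, ev["cmdline"]))
    return hits

if __name__ == "__main__":
    for host, script, msi in find_script_to_msi(SAMPLE_EVENTS):
        print(f"[{host}] {script} -> {msi}")
```

Software deployment tooling that legitimately calls `msiexec.exe` from JavaScript would need an allow-list before this is used as an alert rather than a hunt.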

The malware’s infrastructure is divided into two tiers, which gives its operators flexibility in managing campaigns and their duration. New C2 servers are typically activated towards the end of the week preceding attacks.

Based on their research, Proofpoint specialists express concern about the future use of Latrodectus in cybercriminal campaigns, given its advanced evasion capabilities and malicious payload. It is believed that the likelihood of Latrodectus spreading among cybercriminals who previously utilized IcedID remains high.