Analysts initially thought that the downloader was a variant of the well-known IcedID malware, but it turned out that Latrodectus is something completely new.
The malware is used by Initial Access Brokers (IABs) in email threat campaigns, and the researchers who discovered it, at Proofpoint and Team Cymru's S2 Threat Research Team, expect Latrodectus to continue to gain momentum among threat actors. This is largely due to its ability to evade sandbox detection, the researchers said.
“After initialization, the malware will check its environment to confirm that it is not running in a sandbox by confirming the number of processes running on the device, then it will check to make sure it is running on a 64-bit host, and finally the malware will appear to see if the host has a valid MAC address,” according to a statement from Adam Neel, threat detection engineer at Critical Start. “These sandbox evasion techniques can slow researchers and defenders from analyzing Latrodectus samples.”
First discovered in late 2023, the new loader saw a sharp increase in threat activity between February and March, the report warns.
Even if it is not a variant of IcedID, the researchers found that Latrodectus, named after a string found in its code during analysis, shares characteristics with IcedID, leading the team to conclude that both were created by the same developers.
The first group to use Latrodectus, in November 2023, was TA577, which has relied on it almost exclusively since mid-January 2024, the report said. Before adopting Latrodectus, the group was using IcedID, the report added.
In February, researchers discovered that another group, TA578, was distributing Latrodectus in a campaign that used threats of copyright infringement lawsuits as phishing lures.
Is Latrodectus Downloader the new QBot?
The new Latrodectus downloader is positioned to fill the void left by the takedown of the QBot malware (also known as Qakbot) in the summer of 2023, according to a statement from Ken Dunham, director of cyber threats at Qualys Threat Research Unit.
“TA577 and other actors are affiliated with Qbot and now a new malware campaign, Latrodectus,” Dunham explained. “It seems likely that the actors behind QBot felt the heat of last year’s removals, migrating to this new code base and infrastructure in the fall of 2023.”
Awareness that Latrodectus is actively used in email campaigns, along with vigilance, will help companies defend themselves against the updated downloader, experts advise. The new Latrodectus report provides tactics, techniques and procedures to help.
“It is possible that this is not the last form of Latrodectus and that it may continue to grow and differentiate itself more from IcedID in the future,” Neel added. “Latrodectus is currently being distributed via email campaigns, so the need for phishing awareness continues to be incredibly important.”