A novel malware, Latrodectus, similar to IcedID and having sandbox evasion functionality, has been used by multiple threat actors since November 2023. Walmart first reported the malware in October 2023.
The use of this malicious downloader gradually decreased from November 2023 to January 2024, but it picked up pace in February and March. Earlier, researchers attributed the malicious downloader to the TA577 threat actor. However, later, they discovered that at least one more group, TA578, has also been using Latrodectus for campaigns.
Researchers from Proofpoint initially deemed the downloader to be another variant of IcedID. Subsequent research revealed it to be a completely new malware, likely developed by the IcedID creators.
One malicious actor, TA577, used Latrodectus in at least three campaigns observed by researchers. During the last campaign, the threat actors differed slightly in their approach. Instead of using thread hijacking, they used zipped JavaScript or ISO files to lure victims into downloading the malware.
In another campaign, by TA578, researchers observed Latrodectus delivered via a DanaBot infection. TA578 also used the threat of copyright infringement, sending out contact-form messages that contained unique URLs. Clicking one opened a landing page populated with fake information and imagery, and the URL also downloaded a JavaScript file that delivered Latrodectus.
Latrodectus is a sophisticated downloader that acquires payloads and executes commands on compromised systems. Its dynamic resolution of Windows API functions, sandbox evasion techniques, and encrypted communication with C2 servers make it a formidable adversary capable of bypassing traditional security measures.
The malware first resolves the Windows API functions via hash, scans the system for any debuggers, gathers system information, and checks for an ongoing Latrodectus infection.
Alongside resolving the Windows API functions, the malware performs the following checks:
- On Windows 10 and later, the host must be running more than 75 processes.
- On older versions of Windows, the host must be running more than 50 processes.
- The 64-bit build must be running on a 64-bit host.
- Finally, the host must have a valid MAC address.
To check for an ongoing Latrodectus infection, the malware creates a mutex named ‘runnung’. If the mutex already exists on the system, the malware takes this as an indication that the device is already infected.
After the second step is over, the malware initialises the variables, including the username, a handle to perform operations on its file, another handle to check the current processes and the campaign ID, which is a string of letters hashed via FNV-1a for communication.
Latrodectus, similar to the malware IcedID, creates unique identifiers known as bot IDs for each device where the malware is installed. To generate these bot IDs, Latrodectus utilises the serial ID of the host machine. The process involves passing the serial ID to a specific function responsible for bot ID creation.
Within this function, the serial ID is multiplied by a constant value hardcoded into the malware. The result of this multiplication becomes part of the bot ID, and the serial ID is then updated to prepare for generating the next DWORD (Double Word) of the bot ID, the same scheme being applied on each host machine where the malware is installed.
This method ensures that each infected device is assigned a distinct bot ID, facilitating tracking and management for the threat actors behind Latrodectus.
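The two identifier derivations described above (the FNV-1a hash of the campaign ID string, and the multiply-and-update loop that builds the bot ID from the host serial) are easiest to follow in code. The following is an added example for analysts, not code from Proofpoint or from the malware: the FNV-1a parameters are the standard published ones, but the multiplier, the number of DWORDs in the bot ID, and the serial-update rule are placeholders, to be replaced with the constants recovered from an actual sample. Reproducing the derivation this way lets a responder compute the expected bot ID for a known host serial and match it against identifiers seen in C2 traffic.

```python
# Added example (not Proofpoint's or the malware's own code): reimplementation
# of the two ID-derivation steps described in the article, for correlating
# host serials and campaign IDs with values observed in C2 traffic.

FNV1A_32_OFFSET = 0x811C9DC5   # standard FNV-1a 32-bit offset basis
FNV1A_32_PRIME = 0x01000193    # standard FNV-1a 32-bit prime
MASK32 = 0xFFFFFFFF

# ASSUMPTION: the article does not quote the real multiplier. This is a
# placeholder; replace it with the constant recovered from a sample.
BOT_ID_MULTIPLIER = 0x19660D
# ASSUMPTION: number of DWORDs that make up the bot ID.
BOT_ID_DWORDS = 2


def fnv1a_32(data: bytes) -> int:
    """Standard 32-bit FNV-1a over a byte string."""
    h = FNV1A_32_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV1A_32_PRIME) & MASK32
    return h


def campaign_hash(campaign_id: str) -> int:
    """Campaign ID string -> FNV-1a value, as the article describes."""
    return fnv1a_32(campaign_id.encode("ascii"))


def derive_bot_id(serial: int, n_dwords: int = BOT_ID_DWORDS) -> list[int]:
    """Reproduce the described loop: multiply the running serial by the
    hardcoded constant, keep the low DWORD of the product as one piece of
    the bot ID, update the serial, and repeat for the next DWORD."""
    dwords = []
    state = serial & MASK32
    for _ in range(n_dwords):
        product = (state * BOT_ID_MULTIPLIER) & MASK32
        dwords.append(product)
        # ASSUMPTION: the updated serial is simply the previous product.
        state = product
    return dwords


def format_bot_id(dwords: list[int]) -> str:
    """Render the DWORD list as the upper-case hex string an analyst would
    compare against a value seen in C2 traffic."""
    return "".join(f"{d:08X}" for d in dwords)


if __name__ == "__main__":
    # Constructed sample inputs, not values taken from any real infection.
    print(f"campaign hash: {campaign_hash('Campaign01'):08X}")
    print(f"bot id: {format_bot_id(derive_bot_id(0x12345678))}")
```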
Further investigation into Latrodectus’s infrastructure reveals a complex network of Tier 1 and Tier 2 C2 servers. Overlaps with IcedID infrastructure suggest potential connections or shared elements between the two malware ecosystems.
“Proofpoint anticipates Latrodectus will become increasingly used by threat actors across the landscape, especially by those who previously delivered IcedID. Given its use by threat actors assessed as initial access brokers, defenders are encouraged to understand the tactics, techniques, and procedures (TTPs) exhibited by the malware and associated campaigns,” the researchers warned.