Threat hunters have discovered a new malware called Latrodectus that has been distributed as part of email phishing campaigns since at least late November 2023.
"Latrodectus is an up-and-coming downloader with various sandbox evasion functionality," researchers from Proofpoint and Team Cymru said in a joint analysis published last week, adding that it is designed to retrieve payloads and execute arbitrary commands.
There is evidence to suggest that the malware is likely written by the same threat actors behind the IcedID malware, with the downloader put to use by initial access brokers (IABs) to facilitate the deployment of other malware.
Latrodectus has been primarily linked to two different IABs tracked by Proofpoint under the names TA577 (aka Water Curupira) and TA578, the former of which has also been linked to the distribution of QakBot and PikaBot.
As of mid-January 2024, it has been employed almost exclusively by TA578 in email threat campaigns, in some cases delivered via a DanaBot infection.
TA578, known to be active since at least May 2020, has been linked to email-based campaigns delivering Ursnif, IcedID, KPOT Stealer, Buer Loader, BazaLoader, Cobalt Strike, and Bumblebee.
Attack chains leverage contact forms on websites to send legal threats regarding alleged copyright infringement to targeted organizations. The links embedded in the messages direct the recipients to a bogus website to trick them into downloading a JavaScript file that is responsible for launching the main payload using msiexec.
"Latrodectus will post encrypted system information to the command-and-control server (C2) and request the download of the bot," the researchers said. "Once the bot registers with the C2, it sends requests for commands from the C2."
It also comes with capabilities to detect whether it is running in a sandboxed environment by checking that the host has a valid MAC address and that there are at least 75 running processes on systems running Windows 10 or newer.
As in the case of IcedID, Latrodectus is designed to send the registration information in a POST request to the C2 server, where the fields are HTTP parameters strung together and encrypted, after which it awaits further instructions from the server.
The commands allow the malware to enumerate files and processes, execute binaries and DLL files, run arbitrary commands via cmd.exe, update the bot, and even shut down a running process.
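As an added illustration (not code from the Proofpoint/Team Cymru report or from the malware), the three environment checks described above can be turned into a readiness audit for an analysis VM, so a sandbox can be configured to look like the real hosts the bot expects rather than being fingerprinted and skipped. The rule for what counts as a "valid" MAC address is an assumption, since the report does not say what the bot accepts; the sample hosts are constructed.

```python
"""Audit whether an analysis VM would satisfy the environment checks the
reporting attributes to Latrodectus: a valid MAC address, at least 75
running processes, and Windows 10 or newer. Hypothetical helper code."""
import re

MIN_PROCESSES = 75       # threshold stated in the reporting
WINDOWS_10_MAJOR = 10    # Windows 10 and 11 both report major version 10

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")


def mac_is_valid(mac: str) -> bool:
    """Assumption: a MAC is 'valid' if it parses and is neither the all-zero
    nor the broadcast address, which is how stripped-down VMs often look."""
    if not MAC_RE.match(mac):
        return False
    octets = mac.replace("-", ":").lower().split(":")
    return octets not in (["00"] * 6, ["ff"] * 6)


def audit_sandbox(mac: str, process_count: int, os_major: int) -> list:
    """Return the names of the checks an analysis VM would fail.
    An empty list means the host looks like a real workstation to the bot."""
    failures = []
    if not mac_is_valid(mac):
        failures.append("mac")
    if process_count < MIN_PROCESSES:
        failures.append("process_count")
    if os_major < WINDOWS_10_MAJOR:
        failures.append("os_version")
    return failures


# Constructed sample hosts: a bare sandbox and a more realistic VM.
BARE_SANDBOX = {"mac": "00:00:00:00:00:00", "process_count": 31, "os_major": 6}
REALISTIC_VM = {"mac": "00:1a:2b:3c:4d:5e", "process_count": 112, "os_major": 10}

if __name__ == "__main__":
    for name, host in (("bare sandbox", BARE_SANDBOX), ("realistic VM", REALISTIC_VM)):
        print(name, audit_sandbox(**host) or "passes all three checks")
```

On a live Windows VM the inputs would come from the adapter list, the process table and the OS build; the point of the audit is to fix any failing item before detonating samples.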
A further examination of the attacker infrastructure reveals that the first C2 servers came alive on September 18, 2023. These servers, in turn, are configured to communicate with an upstream Tier 2 server that was set up around August 2023.
Latrodectus' connections to IcedID stem from the fact that the T2 server "maintains connections with backend infrastructure associated with IcedID" and from the use of jump boxes previously associated with IcedID operations.
"Latrodectus will become increasingly utilized by financially motivated threat actors across the criminal landscape, particularly those who previously distributed IcedID," Team Cymru assessed.