Article Details

New Latrodectus malware replaces IcedID in network breaches. A relatively new malware called Latrodectus is believed to be an evolution of the IcedID loader, seen in malicious email campaigns since November 2023. The malware was spotted by researchers at Proofpoint and Team Cymru, who worked together to document its capabilities, which are still unstable and experimental. IcedID is a malware family first identified in 2017 that was originally classified as a modular banking trojan designed to steal financial information from infected computers. Over time, it became more sophisticated, adding evasion and command execution capabilities. In recent years, it has acted as a loader that can deliver other types of malware, including ransomware, onto infected systems. Starting in 2022, several IcedID campaigns demonstrated diversified delivery tactics, but the primary distribution method remained malicious emails. In late 2022, new variants of the malware were used in attacks, which experimented with various evasion tricks and new attack sets. In February 2024, one of the leaders behind the IcedID operation pleaded guilty in the United States, facing 40 years of imprisonment. Researchers from Proofpoint and Team Cymru now believe that the developers of IcedID created Latrodectus after noting they shared infrastructure and operational overlaps. Whether Latrodectus will ultimately replace IcedID is too soon to tell. However, the researchers say that initial access brokers (TA577 and TA578) who previously distributed IcedID have now begun to increasingly distribute Latrodectus in phishing campaigns. New Latrodectus malware Latrodectus was spotted in November 2023, used by threat actors tracked as TA577 and TA578, with a notable increase in observed deployments in February and March 2024. The threat actor initiates the attack by filling out online contact forms to send fake copyright infringement notices to the targeted organizations. BleepingComputer previously reported on similar campaigns in the past, and for site owners unfamiliar with this phishing attack, they can be stressful to receive and may scare recipients into clicking on embedded links. The link in the latest campaigns takes the victim to a Google Firebase URL that drops a JavaScript file. When executed, the JS file uses Windows installer (MSIEXEC) to run an MSI file from a WebDAV share, which contains the Latrodecturs DLL payload. Unlike its predecessor, IcedID, Latrodectus performs various sandbox evasion checks before running on the device to avoid detection and analysis by security researchers. The checks include: After the required environment and mutex checks, the malware initializes by sending a victim registration report to its operators. Latrodectus is a downloader capable of retrieving further malicious payloads based on instructions received from a command and control (C2) server. The commands Latrodectus supports are the following: The malware's infrastructure is separated into two distinct tiers that follow a dynamic operation approach regarding campaign involvement and lifespan, with most new C2 coming online towards the end of the week before the attacks. Proofpoint concludes with a warning about Latrodectus, estimating a high probability of the malware being used in the future by multiple threat actors who previously distributed IcedID.