Latrodectus, an evolution of the IcedID loader, was discovered in malicious email campaigns since November 2023.
Key Points:
- Researchers at Proofpoint and Team Cymru documented Latrodectus’ unstable and experimental capabilities.
- IcedID, a modular banking trojan, was initially designed to steal financial information from infected computers. Over time, it became more sophisticated, adding evasion and command execution capabilities.
- Latrodectus has acted as a loader that can deliver other types of malware, including ransomware, onto infected systems.
- Researchers believe that the developers of IcedID created Latrodectus after noting they shared infrastructure and operational overlaps.
- Initial access brokers (TA577 and TA578) who previously distributed IcedID have now begun to distribute Latrodectus in phishing campaigns.
- Latrodectus performs various sandbox evasion checks before running on the device to avoid detection and analysis by security researchers.
- The malware’s infrastructure is separated into two distinct tiers that follow a dynamic operation approach regarding campaign involvement and lifespan.
Background:
Security experts have discovered a new malware called Latrodectus, which has been propagated through email phishing campaigns since late November 2023. Proofpoint and Team Cymru’s joint investigation identifies Latrodectus as a downloader with sandbox evasion capabilities that can download payloads and execute arbitrary commands. Evidence suggests that it may be tied to the same threat actors that utilized IcedID malware to distribute more malware through initial access brokers (IABs).
Latrodectus is primarily related to two IABs, TA577 (Water Curupira) and TA578, and it has been used almost entirely by TA578 in email threat campaigns since mid-January 2024. TA578, which has been active since May 2020, has been linked to a variety of malware deployments, including Ursnif, IcedID, KPOT Stealer, and Buer Loader. It uses contact forms on websites to convey legal threats over claimed copyright infringement to target organizations.
Consequences:
Infections with Latrodectus are dangerous. Their main objective is to establish a backdoor so that thieves can upload more malware. This has been noted to consist of:
Malware that steals information: This type of software is made to steal private information, such as bank account details, login passwords, and corporate data.
Trojan Programs: Trojan programs are malicious software that allows for remote access control, potentially granting hackers total access to your computer.
Businesses may have extensive repercussions from these attacks, including network intrusions, data breaches, and even collaborations with ransomware gangs.
Analysis:
Latrodectus dynamically resolves Windows API functions using hashes, checks for debuggers, obtains operating system information, monitors ongoing processes, and ensures that the computer does not already have a Latrodectus infection. The malware will next attempt to install itself, set an AutoRun key, and create a scheduled task to ensure persistence. Latrodectus will send encrypted system information to the command and control server (C2), requesting the bot’s download. Once the bot has registered with the C2, it sends requests for commands to the C2.
Sandbox evasion:
The trojan starts by resolving bulk APIs for multiple functions. After resolving all functions to global pointers, the malware performs virtualization checks to guarantee that it is operating in an appropriate environment. It checks the host for the following features because the absence of these properties usually indicates that the sample is being executed in a sandbox:
- If Windows 10 or newer, have at least 75 running processes.
- If older than Windows 10, have at least 50 ongoing processes.
- Ensure the 64-bit program is operating on a 64-bit host and that the host has a valid MAC address.
Fig. Sandbox checks
Since the malware’s identification, all samples investigated have consistently registered a mutex called “runnung” [sic]. If the mutex already exists, it indicates that the host already has an infection, and the malware will exit, causing the new infection to cease.
Latrodectus generates a bot ID for each unique host where the malware is installed. The bot ID, like IcedID, is generated from the host’s serial ID.
Network communication:
Latrodectus, like IcedID, delivers registration information via a POST request with fields that are HTTP parameters concatenated together.
If the bot is coming from an IP address that is not blocked and has passed all other filters, a response will be sent, which, when encoded and decrypted with the global key “12345”, yields a list of commands to be parsed by the first command handler.
This response, when base64 decoded and RC4 decrypted with the global key “12345”, will show the following:
Fig. Decrypted Command Response
The response is parsed based on the significant keywords. The URLs keyword replaces the C2s in the sample with the three specified in the command. When “COMMAND” is handled, a second-layer command handler is activated.
List of supported commands:
| Enum name | Enum value | Description |
|---|---|---|
| cmd_get_desktop_items | 2 | Get the filenames of files on the desktop |
| cmd_get_proclist | 3 | Get the list of running processes |
| cmd_get_sysinfo | 4 | Send additional system information |
| cmd_exec_exe | 12 | Execute executable |
| cmd_exec_dll | 13 | Execute DLL with given export |
| cmd_exec_cmd | 14 | Pass string to cmd and execute |
| cmd_update | 15 | Update the bot and trigger a restart |
| cmd_kill | 17 | Shutdown the running process |
| cmd_run_icedid | 18 | Download bp.dat and execute |
| cmd_change_timing | 19 | Set a flag to reset the communications timing |
| cmd_reset_counter | 20 | Reset the counter variable used in communications |
IOCs:
URLs:
hxxps://mazdakrichest[.]com/live/
hxxps://riverhasus[.]com/live/
hxxp://162[.]55[.]217[.]30/gRMS/0[.]6395541546258323[.]dat
hxxp://157[.]90[.]166[.]88/O3ZlYNW/0[.]7797109211833805[.]dat
hxxp://128[.]140[.]36[.]37/cQtDIo/0[.]43650426987684443[.]dat
hxxps://peermangoz[.]me/live/
hxxps://aprettopizza[.]world/live/
hxxps://nimeklroboti[.]info/live/
hxxps://frotneels[.]shop/live/
hxxps://hukosafaris[.]com/elearning/f/q/daas-area/chief/index[.]php
77[.]91[.]73[.]187:443
74[.]119[.]193[.]200:443
hxxps://arsimonopa[.]com/live
hxxps://lemonimonakio[.]com/live
hxxp://superior-coin[.]com/ga/index[.]php
hxxp://superior-coin[.]com/ga/m/6[.]dll
hxxps://fluraresto[.]me/live/
hxxps://mastralakkot[.]live/live/
hxxps://postolwepok[.]tech/live/
hxxps://trasenanoyr[.]best/live/
hxxps://miistoria[.]com/live
hxxps://plwskoret[.]top/live
hxxp://178[.]23[.]190[.]199:80/share/gsm[.]msi
hxxps://sluitionsbad[.]tech/live/
hxxps://grebiunti[.]top/live/
hxxp://5[.]252[.]21[.]207@80/share/escape[.]msi
hxxps://zumkoshapsret[.]com/live/
hxxps://jertacco[.]com/live/
hxxp://5[.]252[.]21[.]207/share/escape[.]msi
hxxp://95[.]164[.]3[.]171/share/cisa[.]msi
hxxps://scifimond[.]com/live/
hxxps://aytobusesre[.]com/live/
hxxps://popfealt[.]one/live/
hxxps://ginzbargatey[.]tech/live/
hxxps://minndarespo[.]icu/live/
hxxps://drifajizo[.]fun/live/
hxxp://sokingscrosshotel[.]com/share/upd[.]msi
hxxps://titnovacrion[.]top/live/
Hashes:
db03a34684feab7475862080f59d4d99b32c74d3a152a53b257fd1a443e8ee77
e99f3517a36a9f7a55335699cfb4d84d08b042d47146119156f7f3bab580b4d7
bb525dc6b7a7ebefd040e01fd48d7d4e178f8d9e5dec9033078ced4e9aa4e241
97e093f2e0bf6dec8392618722dd6b4411088fe752bedece910d11fffe0288a2
f9c69e79e7799df31d6516df70148d7832b121d330beebe52cff6606f0724c62
d9471b038c44619739176381815bfa9a13b5ff77021007a4ede9b146ed2e04ec
d98cd810d568f338f16c4637e8a9cb01ff69ee1967f4cfc004de3f283d61ba81
47d66c576393a4256d94f5ed1e77adc28426dea027f7a23e2dbf41b93b87bd78
5d881d14d2336273e531b1b3d6f2d907539fe8489cbe80533280c9c72efa2273
10c129e2310342a55df5fa88331f338452835790a379d5230ee8de7d5f28ea1a
781c63cf4981fa6aff002188307b278fac9785ca66f0b6dfcf68adbe7512e491
aa29a8af8d615b1dd9f52fd49d42563fbeafa35ff0ab1b4afc4cb2b2fa54a119
0ac5030e2171914f43e0769cb10b602683ccc9da09369bcd4b80da6edb8be80e
0e96cf6166b7cc279f99d6977ab0f45e9f47e827b8a24d6665ac4c29e18b5ce0
77270e13d01b2318a3f27a9a477b8386f1a0ebc6d44a2c7e185cfbe55aac8017
e7ff6a7ac5bfb0bb29547d413591abc7628c7d5576a3b43f6d8e5d95769e553a
dedbc21afc768d749405de535f9b415baaf96f7664ded55d54829a425fc61d7e
378d220bc863a527c2bca204daba36f10358e058df49ef088f8b1045604d9d05
edeacd49aff3cfea35d593e455f7caca35ac877ad6dc19054458d41021e0e13a
9c27405cf926d36ed8e247c17e6743ac00912789efe0c530914d7495de1e21ec
9a8847168fa869331faf08db71690f24e567c5cdf1f01cc5e2a8d08c93d282c9
856dfa74e0f3b5b7d6f79491a94560dbf3eacacc4a8d8a3238696fa38a4883ea
88573297f17589963706d9da6ced7893eacbdc7d6bc43780e4c509b88ccd2aef
97e08d1c7970c1c12284c4644e2321ce41e40cdaac941e451db4d334cb9c5492
60c4b6c230a40c80381ce283f64603cac08d3a69ceea91e257c17282f66ceddc
a189963ff252f547fddfc394c81f6e9d49eac403c32154eebe06f4cddb5a2a22
aee22a35cbdac3f16c3ed742c0b1bfe9739a13469cf43b36fb2c63565111028c
4416b8c36cb9d7cc261ff6612e105463eb2ccd4681930ca8e277a6387cb98794
090f2c5abb85a7b115dc25ae070153e4e958ae4e1bc2310226c05cd3e9429446
ee1e5b80a1d3d47c7703ea2b6b64ee96283ab3628ee4fa1fef6d35d1d9051e9f
3b63ea8b6f9b2aa847faa11f6cd3eb281abd9b9cceedb570713c4d78a47de567
6904d382bc045eb9a4899a403a8ba8a417d9ccb764f6e0b462bc0232d3b7e7ea
71fb25cc4c05ce9dd94614ed781d85a50dccf69042521abc6782d48df85e6de9
Detection:
rule lactrodectus {
strings:
$string_0 = { 488b4c2428 0fbe09 3bc1 7512 }
$string_1 = { c744242002000000 e9???????? 837c243406 7511 837c243801 750a }
$string_2 = { 8b00 488b4c2430 488b09 0fbe0401 48634c2404 488b542428 0fbe0c0a }
$string_3 = { eb43 41b901000000 448b442424 488b542428 488b4c2448 e8???????? }
$string_4 = { eb1f c744242000000000 4533c9 4533c0 }
$string_5 = { 488b4c2448 ff15???????? 89442444 837c244400 7502 eb11 }
$string_6 = { 488d8c0c60020000 ba02000000 486bd200 4803ca 448bc0 488b542420 e8???????? }
$string_7 = { 66c1ca08 0fb7d2 4c8b8424a0000000 450fb74006 6641c1c808 450fb7c0 4c8b8c24a0000000 }
$string_8 = { e8???????? b910000000 e8???????? 4889442448 488b442448 488b4c2450 488908 }
$string_9 = { 4889542410 48894c2408 4883ec78 c744243000000000 c744243400000000 488b942488000000 488d4c2448 }
condition:
7 of them and filesize < 148480
}
Recommendations:
While Latrodectus is a serious concern, organizations can make efforts to reduce the risk:
- Patch Management: Updating operating systems and applications with the most recent security patches is critical for addressing known vulnerabilities that attackers may exploit.
- Endpoint Security Solutions: Implement strong endpoint security solutions capable of identifying and stopping harmful downloads and executions, such as Latrodectus.
- Employee Training: Educate staff on cybersecurity best practices, such as phishing awareness and how to recognize suspicious emails and attachments.
- Network segmentation: By restricting lateral movement within your network, you can limit the potential damage caused by an infected system.
- Email Scrutiny: Exercise extreme caution when responding to unsolicited emails, particularly if they appear to be a chain. Verify email addresses again and carefully examine any links or attachments before responding.
- Software Verification: If you’re unsure of the origins of a document, get in touch with the supposed sender through a different channel—like phone—to confirm its authenticity.