April 8, 2024 at 07:33AM
Threat hunters discovered a new malware, Latrodectus, distributed through email phishing campaigns since late November 2023. It is associated with IcedID threat actors and has been primarily linked to two initial access brokers. The malware has sophisticated capabilities and is expected to be increasingly used by financially motivated threat actors.
Latrodectus acts as a downloader with sandbox evasion functionality. It is designed to retrieve payloads and execute commands, and it was likely created by the threat actors behind the IcedID malware.
Latrodectus is primarily linked to two different initial access brokers (IABs) tracked by Proofpoint under the names TA577 (aka Water Curupira) and TA578, with strong ties to email-based campaigns delivering other malware such as QakBot and PikaBot.
TA578 has been active since at least May 2020 and has been linked to various email-based campaigns delivering multiple types of malware, including Ursnif and Cobalt Strike. The attack chains leverage contact forms on websites to deliver malware payloads, and the malware is able to detect whether it is running in a sandboxed environment.
The first command-and-control (C2) servers associated with Latrodectus were discovered on September 18, 2023. These servers maintain connections with infrastructure associated with IcedID, indicating a strong link between the two malware families.
It is assessed that Latrodectus will increasingly be used by financially motivated threat actors, particularly those who previously distributed IcedID.