Latrodectus Malware: Advanced Successor to IcedID Unveiled

Discover the sophisticated Latrodectus malware, the advanced successor to IcedID, in our latest research. Explore its capabilities, evolution, and technical ana...

23-May-2024
7 min read

In November 2023, security researchers uncovered the Latrodectus malware, which swiftly evolved into a significant threat by February 2024.

This malware, distributed by initial access brokers (IABs), is a sophisticated loader primarily utilized for deploying additional payloads, including QakBot, DarkGate, and PikaBot.

The following Threat Research meticulously dissects its components, operational techniques, and the broader implications.

Infection Chain and Deployment

Latrodectus typically initiates infection through email phishing campaigns, a method that surged in March 2024. The campaigns involve oversized JavaScript files that leverage Windows Management Instrumentation (WMI) to invoke msiexec.exe and install a remotely-hosted MSI file from a WebDAV share.

This technique underscores a significant evolution from traditional phishing methods, indicating a strategic pivot towards leveraging legitimate administrative tools to obscure malicious activities.

Malware Capabilities and Techniques

Latrodectus exhibits several capabilities characteristic of advanced malware loaders:

  1. Enumeration and Execution: It prioritizes gathering comprehensive system information and executing various payloads. The focus on enumeration suggests a strategic approach to identifying high-value targets within infected networks.

  2. Obfuscation and Anti-Analysis: The malware employs advanced obfuscation techniques and anti-analysis checks to evade detection and analysis in sandboxed environments. This includes source code obfuscation and dynamic API resolution by hash, complicating static analysis efforts.

  3. Persistence Mechanisms: Persistence is achieved through scheduled tasks and registry modifications, ensuring the malware's resilience against system reboots and user intervention. This persistence is crucial for maintaining long-term access to compromised systems.

  4. Command and Control (C2) Communication: Latrodectus establishes secure communication with C2 servers over HTTPS. It dynamically updates, restarts, and terminates itself based on commands received from the C2, allowing flexible control over infected hosts.

Campaign Analysis: TA577 and TA578

TA577 Campaigns:

  • November 2023 Campaigns: TA577 utilized Latrodectus in three notable campaigns. A significant deviation on 24 November involved using varied email subjects and URLs, leading to JavaScript files executing via curl to run a DLL. The transition to new methods indicates adaptive strategies to evade existing detection mechanisms.

  • 28 November 2023: This campaign saw the use of thread-hijacked messages with URLs leading to zipped JavaScript or ISO files. This dual method increases the chances of successful execution, reflecting an intricate understanding of target behaviors and email security protocols.

TA578 Campaigns:

  • December 2023 to February 2024: TA578's campaigns often began with contact form submissions, escalating to impersonating companies to send legal threats about copyright infringement. This tactic demonstrates a sophisticated social engineering approach designed to exploit trust and urgency.

  • Use of DanaBot: TA578 initially distributed Latrodectus through DanaBot infections; its use of multiple malware strains highlights the group's strategic flexibility and resourcefulness.

Malware Initialization and Operation

Upon execution, Latrodectus resolves Windows API functions dynamically, performs extensive checks to ensure it is not running in a sandbox, and validates the environment's suitability.

It registers a mutex ("runnung") to prevent multiple instances on the same host, a simple yet effective method to avoid conflicts and redundant infections.

Communication Protocol & Commands

Latrodectus communicates with its C2 server using RC4 encryption and base64 encoding. The malware's ability to handle commands such as executing shellcode, DLLs, and executables, as well as collecting system information, illustrates its utility in a wide range of post-exploitation scenarios.

Notably, the malware's communication includes detailed system parameters, enhancing the C2's capability to tailor responses and commands based on specific host characteristics.
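An analyst who has recovered the RC4 key from a sample can reverse the layering described above on captured request bodies. This is an added example for illustration, not code from the original research or from the malware: the key, the field names and the order of the layers (RC4 first, then base64) are assumptions, and the sample body is constructed here.

```python
import base64

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (key scheduling + keystream generation).
    Symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def decode_beacon(key: bytes, body: str) -> str:
    """Undo base64 and then RC4 on a captured request body (assumed layering order)."""
    return rc4(key, base64.b64decode(body)).decode("utf-8", errors="replace")

def encode_beacon(key: bytes, text: str) -> str:
    """Inverse of decode_beacon; used here only to build the constructed sample."""
    return base64.b64encode(rc4(key, text.encode())).decode("ascii")

def parse_fields(text: str) -> dict:
    """Split a decoded 'k=v&k=v' body into a dict (assumed field layout)."""
    return dict(p.split("=", 1) for p in text.split("&") if "=" in p)

# Constructed sample: key and field values are placeholders, not values from a real sample.
SAMPLE_KEY = b"placeholder-key"
SAMPLE_BODY = encode_beacon(SAMPLE_KEY, "counter=1&type=0&guid=PLACEHOLDER-GUID&os=10.0.19045")

if __name__ == "__main__":
    print(parse_fields(decode_beacon(SAMPLE_KEY, SAMPLE_BODY)))
```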

Infrastructure and Lifespan

Team Cymru's analysis revealed a sophisticated infrastructure supporting Latrodectus. The malware's C2 servers exhibit a lifecycle marked by frequent turnover and dynamic setup rates.

This infrastructure's evolution from late 2023 through early 2024 indicates a strategic testing and refinement phase, culminating in more frequent but shorter-lived C2s. The use of Cloudflare to conceal C2 domains reflects an advanced understanding of modern cybersecurity defenses and the need for stealth and resilience.

Connection to IcedID

Latrodectus shares several operational and infrastructural characteristics with IcedID, a notorious banking trojan. The reuse of specific infrastructure components and operational techniques suggests that the developers of IcedID may be behind Latrodectus.

[Figure: Latrodectus infrastructure connected to IcedID infrastructure.]

This connection underscores the iterative nature of malware development, where new threats evolve from existing ones, incorporating lessons learned and adapting to new defensive measures.

Technical Analysis of Latrodectus Malware

The Latrodectus malware represents a sophisticated evolution in the landscape of cyber threats, marked by its strategic deployment as a successor to the well-known IcedID malware. In this rigorous and meticulous analysis, we will dissect the technical facets of Latrodectus, emphasizing its infection chain, capabilities, persistence mechanisms, anti-analysis techniques, and its command-and-control (C2) infrastructure.

1. Infection Chain

The infection chain of Latrodectus is characterized by its use of oversized JavaScript files delivered through phishing emails. These emails often contain URLs leading to the download of JavaScript files. Upon execution, these scripts leverage Windows Management Instrumentation (WMI) to invoke msiexec.exe, facilitating the installation of a remotely-hosted MSI file from a WebDAV share. This process mirrors techniques employed by sophisticated malware loaders, highlighting Latrodectus’s intent to blend into the background of typical network activity.
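The chain above (a script calling msiexec.exe through WMI with a remotely-hosted MSI) leaves a recognisable process-creation pattern: a Win32_Process.Create call runs the child under WmiPrvSE.exe, and the package argument points at a URL or a WebDAV UNC path. The following detection logic is an added example, not part of the original research; the events are constructed in a Sysmon-like shape and the severity labels are this example's own.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry); the
# first and third mimic the chain described above, the second is benign.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i \\198.51.100.7@80\share\update.msi /qn"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\alice\Downloads\tool.msi"},
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec /q /i https://example.invalid/pkg.msi"},
]

# Remote package sources: an http(s) URL, a WebDAV UNC path of the form
# \\host@port\share or \\host@SSL@port\share, or the DavWWWRoot redirector.
REMOTE_SOURCE = re.compile(r"(?i)https?://|\\\\[\w.-]+@(?:ssl@)?\d+\\|davwwwroot")

def classify(event):
    """Return 'high', 'medium', or None for one process-creation event."""
    if not event.get("Image", "").lower().endswith("msiexec.exe"):
        return None
    if not REMOTE_SOURCE.search(event.get("CommandLine", "")):
        return None
    parent = event.get("ParentImage", "").lower()
    # WmiPrvSE.exe as parent is the WMI-invoked variant described in the text;
    # a script host as direct parent is the same chain without the WMI hop.
    if parent.endswith(("wmiprvse.exe", "wscript.exe", "cscript.exe")):
        return "high"
    return "medium"  # remote MSI source from another parent: still worth review

def scan(events):
    """Return (index, severity) for every event that classify() flags."""
    hits = []
    for i, ev in enumerate(events):
        sev = classify(ev)
        if sev:
            hits.append((i, sev))
    return hits

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```

Legitimate software deployment that installs MSI packages from an internal web or WebDAV server will also hit the "medium" branch, so the parent-process check is what separates this chain from routine installs.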

2. Capabilities and Payload Delivery

Latrodectus is designed as a downloader with the primary objective of fetching and executing additional malicious payloads. This malware exhibits capabilities commonly expected from loaders, such as:

  • Payload Deployment: Able to deploy other malware like QakBot, DarkGate, and PikaBot.
  • System Enumeration: Conducts extensive enumeration of the infected system to gather information.
  • Command Execution: Executes arbitrary commands, DLLs, and executables as instructed by the C2 server.
  • Self-Deletion: Incorporates a self-delete mechanism to remove traces post-execution.

3. Persistence Mechanisms

To maintain persistence on compromised systems, Latrodectus employs several techniques:

  • Scheduled Tasks: Sets up scheduled tasks to ensure it runs at system startup.
  • AutoRun Key: Modifies registry keys to establish automatic execution.
  • File Relocation: Ensures it runs from a designated location in %AppData%, restarting itself from this location if necessary.

4. Anti-Analysis and Obfuscation

Latrodectus demonstrates advanced anti-analysis and obfuscation strategies to evade detection:

  • Dynamic API Resolution: Resolves Windows API functions by hash, complicating static analysis.
  • Debugger and Sandbox Detection: Checks for the presence of debuggers and the characteristics of sandbox environments (e.g., minimum number of running processes, valid MAC addresses).
  • String Obfuscation: Utilizes a simplified string decryption routine, evolving from a pseudo-random number generator (PRNG) to a rolling XOR key method.

5. Command-and-Control (C2) Communication

Latrodectus maintains robust C2 communication protocols:

  • HTTPS Communication: Establishes contact with C2 servers over HTTPS, ensuring encrypted data transmission.

  • Command Handling: Receives commands for system information collection, self-updating, restarting, termination, and payload execution.

  • Configuration Parsing: Reads a hardcoded filename (update_data.dat) to decrypt and set C2 addresses, ensuring updated C2 communication points.

6. Infrastructure and Threat Actor Association

The infrastructure supporting Latrodectus exhibits a high level of sophistication:

  • Tiered C2 Architecture: The malware uses a multi-tier C2 architecture with Tier 1 (T1) and Tier 2 (T2) servers to enhance resilience and operational security.

  • Common Hosting Providers: C2 servers are hosted on platforms known for cybercriminal activity, such as BLNWX, BV-EU-AS, and LITESERVER.

  • Operator Patterns: Analysis shows consistent patterns in the setup and operation of C2 servers, with notable activity spikes aligning with operational phases and testing periods.

7. Evolution from IcedID

Latrodectus retains several characteristics reminiscent of IcedID, suggesting a shared lineage or development team:

  • Bot ID Generation: Utilizes host serial IDs to generate unique bot IDs, similar to IcedID.

  • Campaign ID Hashing: Implements campaign ID hashing using the FNV-1a algorithm, aiding in tracking and attributing threat actor campaigns.

  • Command Set Similarity: Shares a command set with IcedID, including commands for executing binaries, updating the bot, and collecting system information.
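Because the campaign ID travels as an FNV-1a hash, an analyst can only attribute a beacon by hashing candidate campaign labels and comparing. The routine below is an added example, not code from the original research or from the malware: it assumes the 32-bit FNV-1a variant (the text does not state the width) and the candidate labels are constructed placeholders.

```python
from typing import Optional

FNV32_OFFSET = 0x811C9DC5
FNV32_PRIME = 0x01000193

def fnv1a32(data: bytes) -> int:
    """32-bit FNV-1a: XOR each byte into the state, then multiply by the prime."""
    h = FNV32_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV32_PRIME) & 0xFFFFFFFF
    return h

def match_campaign(observed: int, candidates) -> Optional[str]:
    """Return the candidate whose hash equals the value seen in a beacon, else None."""
    for name in candidates:
        if fnv1a32(name.encode()) == observed:
            return name
    return None

# Constructed candidate labels (placeholders, not real Latrodectus campaign IDs).
CANDIDATES = ["campaign_alpha", "campaign_beta", "campaign_gamma"]

if __name__ == "__main__":
    seen = fnv1a32(b"campaign_beta")  # stands in for a value pulled from a decoded beacon
    print(hex(seen), match_campaign(seen, CANDIDATES))
```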

8. Threat Actor Activity

The malware has been primarily distributed by Initial Access Brokers (IABs) such as TA577 and TA578:

  • TA577: Initially used Latrodectus in November 2023, switching tactics and payloads in subsequent campaigns.

  • TA578: Adopted Latrodectus almost exclusively from January 2024, employing varied social engineering tactics, including contact form submissions and legal threat impersonations.