New Latrodectus loader steps in for Qbot

New (down)loader malware called Latrodectus is being leveraged by initial access brokers and it looks like it might have been written by the same developers who created the IcedID loader.

Malware delivery campaigns

“[Latrodectus] was first observed being distributed by TA577, an IAB known as a prolific Qbot distributor prior to the malware’s disruption in 2023. TA577 used Latrodectus in at least three campaigns in November 2023 before reverting to Pikabot,” Proofpoint and Team Cymru researchers noted.

TA577 has also been recently spotted using booby-trapped email attachments to steal employees’ NTLM hashes, likely in an attempt to perform reconnaissance before dropping malware or ransomware on enterprise systems.

Since the beginning of this year, Latrodectus has been used almost exclusively by another IAB identified as TA578.

“This actor typically uses contact forms to initiate a conversation with a target. On 20 February 2024, Proofpoint researchers observed TA578 impersonating various companies to send legal threats about alleged copyright infringement. The actor filled out a contact form on multiple targets’ websites, with text containing unique URLs and included in the URI both the domain of the site that initiated the contact form (the target), and the name of the impersonated company (to further the legitimacy of the copyright complaint),” Proofpoint shared.

Latrodectus initial access

Malicious contact form submission (Source: Proofpoint)

“If the link was visited, the target was redirected to a landing page personalized to display both the target’s domain and the name of the impersonated company (TA578) reporting the copyright infringement. The URL then downloaded a JavaScript file from a Google Firebase URL. If this JavaScript was executed, it called MSIEXEC to run an MSI from a WebDAV share. The MSI executed the bundled DLL with the export ‘fin’ to run Latrodectus.”

The malware is capable of checking for debuggers before loading, gathering information about the OS and running processes, execute files, creating a scheduled task to persist on the targeted machine, and more. It also uses various sandbox evasion techniques to avoid getting spotted and analyzed by researchers.

Links to IcedID

“Researching the techniques of string hashing of campaign IDs observed in Latrodectus helped researchers identify new patterns in previous IcedID campaigns,” Proofpoint says.

Several things point to IcedID creators being involved in the operation of Latrodectus, including the use of backend infrastructure associated with IcedID and the use of the same specific jumpboxes.

As they researched the string hashing techniques used to obfuscate campaign IDs, the researchers also used them to brute-force previously observed IcedID campaign IDs.

Don't miss