New Malware With Ties to IcedID Loader Evades Detection, Gains Persistence
Security researchers are warning about a relatively new malware called Latrodectus, believed to be an evolutionary successor to the IcedID loader. It has been detected in malicious email campaigns since November 2023, and recent enhancements make it harder to detect and mitigate.
Proofpoint’s Threat Research team, in partnership with Team Cymru S2 Threat Research, spotted nearly a dozen campaigns delivering Latrodectus beginning in February 2024. The malware, used by initial access brokers, downloads payloads and executes arbitrary commands.
While initial analysis suggested Latrodectus is a new variant of IcedID, subsequent research found that it is a new malware most likely named Latrodectus because of a string identified in the code. Latrodectus employs infrastructure used in historic IcedID operations, indicating potential ties to the same threat actors. IcedID, first discovered in 2017, has been described as a banking Trojan and remote access Trojan.
Researchers also gained insight into the activities of threat actors TA577 and TA578, the primary distributors of Latrodectus, which illustrates how these actors' tactics have evolved over time.
TA577, previously known for its distribution of Qbot, used Latrodectus in three campaigns in November 2023 before switching back to Pikabot. In contrast, TA578 has been predominantly distributing Latrodectus since mid-January 2024, using contact forms and impersonation techniques to deliver the malware to targets.
Latrodectus functions as a downloader, and its primary objective is to download payloads and execute arbitrary commands. Its sandbox evasion techniques are noteworthy, and it shares similarities with the IcedID malware. This assessment suggests Latrodectus was likely developed by the same group as IcedID.
Malware Functions
Latrodectus employs sophisticated techniques to evade detection, including dynamic resolution of Windows API functions. It checks for the presence of debuggers, gathers system information and evades sandboxes. Its communication protocol, similar to IcedID, encrypts registration information before transmitting it to command-and-control servers, ensuring stealthy operation.
Its modular structure allows it to adapt to different environments and perform a wide range of malicious activities.
Team Cymru’s analysis of Latrodectus infrastructure identified a significant overlap with IcedID operations, suggesting shared threat actor involvement. Patterns in C2 lifespan and setup rates provide insights into the operational dynamics of Latrodectus, highlighting an ongoing cycle of activity and infrastructure evolution.
Latrodectus employs a simplified string decryption algorithm, replacing the previous pseudo-random number generator – PRNG – with a rolling XOR key for efficient decryption.
The malware establishes persistence on infected systems by installing itself, setting AutoRun keys and creating scheduled tasks. Communication with its command-and-control server is encrypted using the RC4 algorithm with a consistent key – 12345. Each infected host generates a unique bot ID based on its serial ID, which is encrypted and sent to the C2 server for identification.
The distributed C2 infrastructure comprises Tier 1 and Tier 2 servers and exhibits patterns that indicate operator activity and connections to historic IcedID operations. Campaign IDs are hashed using the FNV-1a algorithm, correlating with specific threat actor campaigns for attribution.
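To make the two details above (RC4 with the fixed key 12345 and FNV-1a-hashed campaign IDs) usable at the triage desk, here is an added Python example that is not code from the Proofpoint or Team Cymru research; the registration record, its field names and the key bytes b"12345" are constructed assumptions, and the malware's actual message framing is not described in this article.

```python
from typing import Iterable, Optional

# Constructed assumption: the article reports a fixed RC4 key of "12345".
SAMPLE_KEY = b"12345"


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA + PRGA). RC4 is symmetric: one call encrypts, the same call decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def fnv1a32(text: str) -> int:
    """32-bit FNV-1a: XOR each byte into the hash, then multiply by the FNV prime."""
    h = 0x811C9DC5                            # FNV offset basis
    for b in text.encode():
        h ^= b
        h = (h * 0x01000193) & 0xFFFFFFFF     # FNV prime, kept to 32 bits
    return h


def decrypt_registration(blob: bytes, key: bytes = SAMPLE_KEY) -> str:
    """Recover a captured registration record for analysis (assumes plain RC4 over the record)."""
    return rc4(key, blob).decode("utf-8", errors="replace")


def campaign_hash_lookup(hash_value: int, candidates: Iterable[str]) -> Optional[str]:
    """Match an FNV-1a value seen in a sample against a list of known campaign names."""
    for name in candidates:
        if fnv1a32(name) == hash_value:
            return name
    return None


if __name__ == "__main__":
    # Constructed sample record; field names are hypothetical, not from the article.
    record = b"bot_id=DEADBEEF&campaign=0xbf9cf968"
    blob = rc4(SAMPLE_KEY, record)            # stands in for a captured C2 payload
    print(decrypt_registration(blob))
    print(campaign_hash_lookup(0xBF9CF968, ["alpha", "foobar"]))
```

Because RC4 with a static key is deterministic, the same function also lets a detection engineer produce test traffic for validating network signatures in a lab.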
These tactics, along with its persistence mechanisms and encrypted communication, make it challenging for traditional security measures to detect and mitigate effectively, the researchers said.