Analyzing Latrodectus: The New Face of Malware Loaders
This report is the latest in a series that will delve into the deep research the Trustwave SpiderLabs Threat Intelligence team conducts daily on the major threat actor groups currently operating globally.
The information gathered is part of a data repository that helps Trustwave SpiderLabs identify possible intrusions as it conducts threat hunts, vulnerability scans, and other offensive and defensive security tasks.
Latrodectus is a malicious newcomer that has quickly risen to prominence in the cybersecurity landscape, so organizations need to know how the malware operates and the danger it poses.
Latrodectus, also known as BlackWidow, IceNova, Lotus, or Unidentified 111, is a sophisticated malware loader that has emerged as a significant threat in the cybersecurity landscape. While the exact origin of the threat actor behind Latrodectus remains unknown, one group associated with its use, TA577, is believed to originate from Russia.
Since its discovery in late 2023, Latrodectus has been linked to several cybercrime groups, notably TA577 and TA578. TA577 has a history of using various malware loaders like Qakbot, IcedID, and Pikabot, while researchers have observed TA578 using Latrodectus in campaigns targeting organizations with legal threats about alleged copyright infringement.
The primary motivation behind Latrodectus's development and deployment is financial gain. The creators specifically designed the malware to infect Windows operating systems, targeting organizations primarily through malspam campaigns that hijack email threads or impersonate legitimate entities.
As a malware loader, Latrodectus is capable of downloading and executing additional malicious payloads. It employs sophisticated techniques such as obfuscation, encryption, and anti-debugging mechanisms to evade detection and maintain persistence on infected systems. Latrodectus can also gather system information, issue remote commands, and exfiltrate sensitive data.
Latrodectus represents a significant threat to organizations and is capable of causing serious financial and operational damage. Its advanced capabilities and association with experienced cybercrime groups make it a dangerous adversary.
Latrodectus: A Rising Star in the Malware World
Latrodectus, initially mistaken for a variant of IcedID, emerged in October 2023 as a new malware loader. Despite sharing similarities like payload downloading and C2 infrastructure, Latrodectus is a distinct threat. It offers a comprehensive toolkit for cybercriminals: system information gathering, executable launching, and even sandbox detection. Built for stealth, it uses encryption and obfuscation to avoid getting caught.
Latrodectus received a boost in May 2024 with Operation Endgame. This FBI takedown of major malware families like IcedID created a gap in the cybercriminal landscape. While initially impacted, Latrodectus quickly rebounded. Its advanced capabilities filled the void left by its disabled counterparts, establishing it as a formidable threat; version 1.3 now deploys Brute Ratel C4.
Researchers believe the two operators behind Latrodectus are the initial access brokers (IABs) TA577 and TA578. TA577 used Latrodectus in multiple campaigns starting in November 2023, while TA578 adopted it exclusively by December.
Latrodectus primarily targets private sector organizations in North America and Europe, with the United States being the primary focus. It spreads through malspam campaigns, exploiting hijacked email threads and impersonating legitimate entities like Microsoft Azure and Cloudflare. This broad approach maximizes the potential for stealing valuable data from targeted companies.
The Latrodectus Backstory
Walmart researchers first identified Latrodectus during an investigation into IcedID. Despite sharing similarities, Latrodectus is a distinct malware. It can gather system information, establish a backdoor, and execute remote commands.
TA577 was the first known threat actor to use Latrodectus in November 2023 when it was employed in three campaigns. Two attack chains were observed: one involving a JavaScript file and BAT files, and the other involving a zipped JavaScript or ISO file.
In January 2024, TA578 began using Latrodectus. They deployed it through DanaBot and by impersonating companies with fake legal threats. The URL in the email led to a JavaScript file that downloaded an MSI file bundled with the Latrodectus DLL.
After Operation Endgame, Latrodectus went silent for a period but resurfaced in June 2024 when it used SEO poisoning on a fake US Internal Revenue Service (IRS) website. In this instance, the MSI file contained a Brute Ratel C4 (BRC4) remote access agent, which led to the download of Latrodectus. Latrodectus is known to deploy loaders and infostealers like Lumma Stealer, IcedID, and BackConnect C2.
Breaking Down Latrodectus
Resource Development: Early iterations of Latrodectus relied on malspam. The latest versions add SEO poisoning, in which the attacker sets up fake IRS websites that purport to offer W2 tax forms for download. This eventually leads unsuspecting users to download malicious files, resulting in a Latrodectus infection.
Initial Access: Threat actors primarily distribute Latrodectus through phishing emails. These may be hijacked email threads or messages impersonating companies, with subject lines that threaten lawsuits for copyright infringement. The emails contain malicious URLs that download a malicious file when clicked.
Execution: Latrodectus' attack chain employs various file types delivered through malicious URLs. The attack usually starts with a user clicking a malicious link in the malspam or a poisoned search engine result, which downloads a script file. JavaScript and batch files are often used, and Windows Management Instrumentation (WMI) was also employed in earlier campaigns.
Persistence: Latrodectus uses diverse methods to maintain its foothold in the compromised host. These include creating an autorun key for itself and creating a scheduled task to run upon startup. It also drops a copy of itself in one of the following locations: Appdata, Desktop, Startup, and Local\Appdata.
Privilege Escalation: The malware has leveraged WMI to run administrative tasks without suspicion, which is then used to download the next stage in the attack chain. The creation of the scheduled task was COM-based.
Defense Evasion: Latrodectus is particularly skilled at evading detection. Some of the methods used are:
- Latrodectus masquerades as a legitimate AV component in some of its DLL files.
- Its samples are packed, which makes them harder for malware analysts to examine.
- It obfuscates its strings with its own algorithm.
- Its imports are obfuscated and are resolved only at runtime, by walking the PEB structure and matching exports by CRC32 checksum.
- Anti-analysis checks:
  - Checking the BeingDebugged flag
  - Checking the number of processes and the OS version (sandbox evasion)
  - Checking the build number, major version, and minor version
  - Checking whether it is running under WOW64
  - Checking whether the MAC address is legitimate
  - Checking a mutex to avoid reinfection
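When imports are resolved by checksum rather than by name, an analyst's first job is to turn the 32-bit values found in the sample back into API names. The following is an added example (not code from the original post or from the malware) that builds a hash-to-name table for a constructed list of export names and scans a constructed byte blob for matching DWORDs. It assumes plain CRC32 over the ASCII export name; the post only states that resolution uses the PEB plus a CRC32 checksum, so a real sample may apply a seed or transform, which would be changed in `api_hash` alone.

```python
import struct
import zlib

# Constructed sample of export names a loader would typically resolve.
# In practice these would be read from the export tables of the DLLs
# the loader locates through the PEB (kernel32.dll, ntdll.dll, ...).
SAMPLE_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateThread",
    "IsDebuggerPresent", "CreateMutexA", "GetAdaptersInfo",
]


def api_hash(name: str) -> int:
    """Assumed scheme: standard CRC32 of the ASCII export name.
    The post gives no seed or post-processing; adjust here if a sample does."""
    return zlib.crc32(name.encode("ascii")) & 0xFFFFFFFF


def build_hash_table(names):
    """Map CRC32 value -> export name for later lookup."""
    return {api_hash(n): n for n in names}


def resolve_hashes(hash_values, table):
    """Return {hash: name or None} for each 32-bit value seen in a sample."""
    return {h: table.get(h) for h in hash_values}


def find_api_hashes(blob: bytes, table):
    """Scan a byte blob (e.g. a decrypted constant table) for little-endian
    DWORDs that match known API hashes. Returns (offset, value, name) hits."""
    hits = []
    for off in range(0, len(blob) - 3):
        val = struct.unpack_from("<I", blob, off)[0]
        if val in table:
            hits.append((off, val, table[val]))
    return hits


# Constructed blob: one known hash, two bytes of padding, one unknown DWORD.
SAMPLE_BLOB = (
    struct.pack("<I", api_hash("CreateThread"))
    + b"\x00\x00"
    + struct.pack("<I", 0x41414141)
)

if __name__ == "__main__":
    table = build_hash_table(SAMPLE_EXPORTS)
    for off, val, name in find_api_hashes(SAMPLE_BLOB, table):
        print(f"offset {off:#x}: {val:#010x} -> {name}")
```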
Staying Vigilant
Trustwave SpiderLabs noted that Latrodectus poses a significant threat to organizations. However, by being aware of its tactics and implementing robust security measures, an organization can significantly reduce the risk of falling victim to this malware. Here are some steps you can take:
- Educate employees: Train your staff to identify suspicious emails and avoid clicking on unknown links or attachments.
- Implement strong email filtering: Utilize layered email filtering solutions to block malicious emails before they reach your inbox.
- Maintain updated security software: Ensure your systems are protected with the latest security patches and antivirus software.
- Regular backups: Maintain regular backups of your data to minimize damage in case of a cyberattack.
Previous entries in this series:
Placing Threat Groups Under a Microscope: Lapsus$
ALPHV BlackCat Ransomware: A Technical Deep Dive and Mitigation Strategies