The PolySwarm Blog


Latrodectus

Apr 12, 2024 2:32:43 PM / by The Hivemind

Related Families: IcedID, DanaBot

Executive Summary

Latrodectus is a downloader first seen in the wild in late 2023. It has been used by threat actors who operate as initial access brokers (IAB).

Key Takeaways

  • Latrodectus is a downloader first seen in the wild in late 2023.
  • It has been used by threat actors who operate as initial access brokers (IAB), TA577 and TA578.
  • The malware has been used in IcedID campaigns and was likely developed by the same individuals responsible for IcedID.

What is Latrodectus?

Latrodectus is a downloader first seen in the wild in late 2023. While the malware was used in multiple email threat campaigns in December and January, it became more prominently used in February and March 2024. It has been used by threat actors who operate as initial access brokers (IAB). Proofpoint, who collaborated with Team Cymru on the research, recently reported on Latrodectus.

Proofpoint noted Latrodectus has been used in IcedID campaigns and was likely developed by the same individuals responsible for IcedID. Latrodectus has been used by at least two threat actor groups, TA577 and TA578. TA577 was observed using Latrodectus in three campaigns in late 2023. TA578 used Latrodectus in multiple email threat campaigns from December 2023 through early 2024 and has used it as their preferred initial access payload since late 2023. In a December campaign, TA578 used DanaBot to deliver Latrodectus. In February, TA578 was observed delivering Latrodectus by impersonating companies and sending bogus legal threats about alleged copyright infringement.

Latrodectus is capable of resolving Windows API functions dynamically by hash. It can also check for the presence of debuggers. Additionally, it gathers operating system information, checks running processes, and checks for an existing Latrodectus infection. Latrodectus installs itself, then sets an AutoRun key and creates a scheduled task for persistence. It sends encrypted system information as a POST request to the C2 and downloads the bot, which in turn registers with the C2 and requests commands. Newer Latrodectus samples were modified to have a simplified string encryption routine.
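The persistence behaviour described above (an AutoRun Run-key value plus a scheduled task, set up by the same process) is the kind of combination a hunt query can key on. The following is an added detection example, not code from the post or from PolySwarm; the Sysmon-style events, field names, paths and task names are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed Sysmon-style events for this example (not captured data):
# EventID 13 = registry value set, EventID 1 = process create.
SAMPLE_EVENTS = [
    {"ts": "2024-04-12T14:00:01", "id": 13, "pid": 4120,
     "image": r"C:\Users\alice\AppData\Roaming\update.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"ts": "2024-04-12T14:00:03", "id": 1, "pid": 5212, "ppid": 4120,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"schtasks.exe" /create /tn Updater /tr C:\Users\alice\AppData\Roaming\update.exe /sc minute'},
    # Benign-looking installer: sets a Run key but never creates a task.
    {"ts": "2024-04-12T14:30:00", "id": 13, "pid": 7001,
     "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray"},
]

RUN_KEY_MARKER = "\\currentversion\\run\\"   # matches Run, not RunOnce
DEFAULT_WINDOW = timedelta(minutes=10)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_dual_persistence(events, window=DEFAULT_WINDOW):
    """Return sorted (pid, image) pairs for processes that both wrote a
    Run-key value and spawned 'schtasks.exe /create' within `window`."""
    run_sets = [e for e in events
                if e["id"] == 13 and RUN_KEY_MARKER in e["target"].lower()]
    task_creates = [e for e in events
                    if e["id"] == 1
                    and e["image"].lower().endswith("schtasks.exe")
                    and "/create" in e.get("cmdline", "").lower()]
    hits = set()
    for r in run_sets:
        for t in task_creates:
            # Correlate on parent pid: the task must come from the Run-key writer.
            if t.get("ppid") == r["pid"] and abs(_ts(t) - _ts(r)) <= window:
                hits.add((r["pid"], r["image"]))
    return sorted(hits)


if __name__ == "__main__":
    for pid, image in find_dual_persistence(SAMPLE_EVENTS):
        print(f"dual persistence from pid {pid}: {image}")
```

Tune the window and the parent-pid correlation to your telemetry; the point is that either technique alone is common, while the pair from one process is worth a look.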

IOCs

PolySwarm has multiple samples of Latrodectus.


You can use the following CLI command to search for all Latrodectus samples in our portal:

$ polyswarm link list -f Latrodectus
