Key Takeaways
What is Latrodectus?
Proofpoint noted that Latrodectus has been used in IcedID campaigns and was likely developed by the same individuals responsible for IcedID. Latrodectus has been used by at least two threat actor groups, TA577 and TA578. TA577 was observed using Latrodectus in three campaigns in late 2023. TA578 used Latrodectus in multiple email threat campaigns from December 2023 through early 2024 and has used it as its preferred initial access payload since late 2023. In a December campaign, TA578 used DanaBot to deliver Latrodectus. In February, TA578 was observed delivering Latrodectus by impersonating companies and sending bogus legal threats about alleged copyright infringement.
Latrodectus is capable of resolving Windows API functions dynamically by hash, and it checks for the presence of debuggers. It gathers operating system information, enumerates running processes, and checks for an existing Latrodectus infection. Latrodectus installs itself, then sets an AutoRun key and creates a scheduled task for persistence. It sends encrypted system information as a POST request to the C2 and downloads the bot, which in turn registers with the C2 and requests commands. Newer Latrodectus samples were modified to use a simplified string encryption routine.
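A defender-side illustration of the persistence and check-in behaviour described above, added here as an example that is neither part of the PolySwarm report nor the malware's own code: it correlates constructed Sysmon-style process, registry and network events (sample data, not real telemetry) and flags a process that combines an AutoRun key write, a schtasks /create child process, and an outbound POST. The event field names, the file paths and the "Updater" value name are assumptions.

```python
from collections import defaultdict

# Constructed Sysmon-style events (sample data, not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4312, "ppid": 1200,
     "image": r"C:\Users\Public\update.exe"},
    {"type": "registry_set", "pid": 4312,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "process_create", "pid": 4400, "ppid": 4312,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /sc minute /mo 5 /tn Updater /tr C:\Users\Public\update.exe"},
    {"type": "network", "pid": 4312, "method": "POST", "dest": "203.0.113.10:443"},
    {"type": "process_create", "pid": 5000, "ppid": 1200,
     "image": r"C:\Program Files\Vendor\app.exe"},
    {"type": "network", "pid": 5000, "method": "GET", "dest": "198.51.100.5:443"},
]

# Case-insensitive fragment of the per-user / per-machine Run key path.
RUN_KEY = "\\currentversion\\run\\"

def tag_processes(events):
    """Return {pid: set(tags)} for the three behaviours named in the report:
    AutoRun key set, scheduled task created (via a child), outbound POST."""
    parent = {e["pid"]: e.get("ppid") for e in events if e["type"] == "process_create"}
    tags = defaultdict(set)
    for e in events:
        if e["type"] == "registry_set" and RUN_KEY in e["key"].lower():
            tags[e["pid"]].add("autorun_key")
        elif (e["type"] == "process_create"
              and e["image"].lower().endswith("schtasks.exe")
              and "/create" in e.get("cmdline", "").lower()):
            # Credit the parent: that is the process installing persistence.
            ppid = parent.get(e["pid"])
            if ppid is not None:
                tags[ppid].add("scheduled_task")
        elif e["type"] == "network" and e.get("method") == "POST":
            tags[e["pid"]].add("post_beacon")
    return dict(tags)

def find_suspects(events, min_tags=2):
    """PIDs showing at least min_tags of the behaviours, most suspicious first."""
    tags = tag_processes(events)
    return sorted((p for p, t in tags.items() if len(t) >= min_tags),
                  key=lambda p: -len(tags[p]))

if __name__ == "__main__":
    print(find_suspects(SAMPLE_EVENTS))  # [4312]
```

On real telemetry the same three behaviours are common in legitimate installers, so treat the combination as a hunting lead to triage alongside the file hashes below, not as a standalone verdict.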
IOCs
PolySwarm has multiple samples of Latrodectus.
You can use the following CLI command to search for all Latrodectus samples in our portal:
$ polyswarm link list -f Latrodectus
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.