Latrodectus

Malware updated 8 months ago (2024-11-29T14:53:31.002Z)
Download STIX
Preview STIX
Latrodectus, a harmful malware discovered in late 2023, has been gaining momentum among threat actors, with a significant increase in activity noted throughout February and March. This malicious software is being employed by initial access brokers (IABs) in email threat campaigns and uses MSI files to execute payloads, a technique also adopted by adversaries such as DarkGate. Researchers from Proofpoint and Team Cymru S2 Threat Research Team predict that Latrodectus will continue to gain traction due to its effective sandbox evasion techniques, which hinder researchers and defenders' efforts to analyze samples. Although initially thought to be a variant of the well-known IcedID malware, further analysis revealed that Latrodectus is a distinct entity. However, it shares similar characteristics with IcedID, leading researchers to conclude that both were likely created by the same developers. The malware, named after a string of code found during analysis, has been used in campaigns hosted on domains such as peronikilinfer[.]com and jkbarmossen[.]com, serving as Command and Control servers (C2s) for both IcedID and Latrodectus. This indicates a shared resource pool across these malware families. The recent campaign by LUNAR SPIDER utilized Latrodectus, a heavily obfuscated JavaScript loader, to deliver Brute Ratel C4 payloads targeting the financial sector. Indicators of compromise (IoCs) related to Latrodectus have been identified and aggregated on the Pulsedive platform, providing valuable data for ongoing cybersecurity efforts. To counteract this threat, it is recommended to continue user awareness training since Latrodectus requires user execution. In conclusion, Latrodectus is a relatively new loader that has been observed within the threat landscape and leveraged by multiple threat actors.
Description last updated: 2024-11-15T16:06:10.381Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
IcedID is a possible alias for Latrodectus. IcedID is a malicious software (malware) that has been implicated in numerous cybercrime campaigns. It has been associated with other notable malware such as Qakbot, BazarLoader, CobaltStrike, Conti, Gozi, Trickbot, Quantum, Emotet, Pikabot, and SystemBC. Its distribution often involves the use of d
5
Lumma Stealer is a possible alias for Latrodectus. Lumma Stealer is a potent malware designed to exfiltrate information from compromised systems, including system details, web browsers, and browser extensions. The malware was primarily delivered to victims through websites hosting cracked games, specifically targeting gamers. In July 2024, it was di
2
Pikabot is a possible alias for Latrodectus. Pikabot is a malicious software (malware) that has been used extensively by various threat groups to exploit and damage computer systems. Initially, the BlackBasta group used phishing and vishing to deliver malware types such as DarkGate and Pikabot but quickly sought alternatives for further malici
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Loader
Windows
Domains
Ransomware
JavaScript
Phishing
Downloader
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Qbot Malware is associated with Latrodectus. Qbot, also known as Qakbot or Pinkslipbot, is a sophisticated malware that initially emerged in 2007 as a banking trojan. It has since evolved into an advanced strain used by various cybercriminal groups to infiltrate networks and prepare them for ransomware attacks. The first known use of an ITG23 Unspecified
4
The Lumma Malware is associated with Latrodectus. Lumma is a malicious software (malware) that has been causing significant security concerns due to its ability to steal sensitive information. The malware was delivered to victims primarily through websites hosting cracked games, specifically targeting gamers. In August and September, researchers reUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The TA577 Threat Actor is associated with Latrodectus. TA577 is a threat actor, or malicious entity, known for its extensive use of QBot, a banking Trojan. In November 2023, Proofpoint's Threat Research Team identified TA577 as an initial access broker that began using Latrodectus, a new malware, in three separate intrusion campaigns. The group typicallUnspecified
4
Source Document References
Information about the Latrodectus Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Unit42
4 days ago
Recorded Future
5 months ago
Pulsedive
6 months ago
Contagio
8 months ago
InfoSecurity-magazine
9 months ago
Pulsedive
a year ago
InfoSecurity-magazine
a year ago
BankInfoSecurity
a year ago
DARKReading
a year ago
Malware-traffic-analysis.net
a year ago