Latrodectus

Malware updated 2 months ago (2024-11-29T14:53:31.002Z)

Download STIX

Preview STIX

Latrodectus, a harmful malware discovered in late 2023, has been gaining momentum among threat actors, with a significant increase in activity noted throughout February and March. This malicious software is being employed by initial access brokers (IABs) in email threat campaigns and uses MSI files to execute payloads, a technique also adopted by adversaries such as DarkGate. Researchers from Proofpoint and Team Cymru S2 Threat Research Team predict that Latrodectus will continue to gain traction due to its effective sandbox evasion techniques, which hinder researchers and defenders' efforts to analyze samples. Although initially thought to be a variant of the well-known IcedID malware, further analysis revealed that Latrodectus is a distinct entity. However, it shares similar characteristics with IcedID, leading researchers to conclude that both were likely created by the same developers. The malware, named after a string of code found during analysis, has been used in campaigns hosted on domains such as peronikilinfer[.]com and jkbarmossen[.]com, serving as Command and Control servers (C2s) for both IcedID and Latrodectus. This indicates a shared resource pool across these malware families. The recent campaign by LUNAR SPIDER utilized Latrodectus, a heavily obfuscated JavaScript loader, to deliver Brute Ratel C4 payloads targeting the financial sector. Indicators of compromise (IoCs) related to Latrodectus have been identified and aggregated on the Pulsedive platform, providing valuable data for ongoing cybersecurity efforts. To counteract this threat, it is recommended to continue user awareness training since Latrodectus requires user execution. In conclusion, Latrodectus is a relatively new loader that has been observed within the threat landscape and leveraged by multiple threat actors.

Description last updated: 2024-11-15T16:06:10.381Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
IcedID is a possible alias for Latrodectus. IcedID is a malicious software (malware) that has been implicated in numerous cybercrime campaigns. It has been associated with other notable malware such as Qakbot, BazarLoader, CobaltStrike, Conti, Gozi, Trickbot, Quantum, Emotet, Pikabot, and SystemBC. Its distribution often involves the use of d	5
Pikabot is a possible alias for Latrodectus. Pikabot is a malicious software (malware) that has been used extensively by various threat groups to exploit and damage computer systems. Initially, the BlackBasta group used phishing and vishing to deliver malware types such as DarkGate and Pikabot but quickly sought alternatives for further malici	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Loader

Windows

Phishing

Ransomware

Downloader

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Qbot Malware is associated with Latrodectus. Qbot, also known as Qakbot or Pinkslipbot, is a sophisticated malware that initially emerged in 2007 as a banking trojan. It has since evolved into an advanced strain used by various cybercriminal groups to infiltrate networks and prepare them for ransomware attacks. The first known use of an ITG23	Unspecified	4

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The TA577 Threat Actor is associated with Latrodectus. TA577 is a threat actor, or malicious entity, known for its extensive use of QBot, a banking Trojan. In November 2023, Proofpoint's Threat Research Team identified TA577 as an initial access broker that began using Latrodectus, a new malware, in three separate intrusion campaigns. The group typicall	Unspecified	4

Source Document References

Information about the Latrodectus Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Pulsedive	a month ago	Pulsedive Blog \| 2024 In Review
Contagio	3 months ago	2024-10-30 Lunar Spider's Latrodectus JS loader samples
InfoSecurity-magazine	3 months ago	Netskope Reports Possible Bumblebee Loader Resurgence
Pulsedive	8 months ago	Pulsedive Blog \| Latrodectus Threat Research
InfoSecurity-magazine	10 months ago	New Malware “Latrodectus” Linked to IcedID
BankInfoSecurity	10 months ago	Sophisticated Latrodectus Malware Linked to 2017 Strain
DARKReading	10 months ago	Latrodectus Downloader Picks Up Where QBot Left Off
Malware-traffic-analysis.net	a year ago	Malware-Traffic-Analysis.net - 2024-02-09, 02-22 and 02-23 - Data dump: Latrodectus from Contact Forms campaign