Cybersecurity researchers observed a significant increase in phishing campaigns distributing a new malware loader called Latrodectus, which is anticipated to succeed the IcedID malware. These campaigns typically use oversized JavaScript files that leverage Windows Management Instrumentation (WMI) to invoke msiexec.exe and install a remotely-hosted MSI file. Latrodectus is equipped with capabilities to deploy additional payloads, including QakBot, DarkGate, and PikaBot, enabling threat actors to perform various post-exploitation activities.
The latest analyses of Latrodectus artifacts reveal a focus on enumeration, execution, and a self-delete technique to remove running files. The malware masquerades as libraries associated with legitimate software, employs source code obfuscation, and performs anti-analysis checks to avoid detection in debugging or sandboxed environments. Persistence on Windows hosts is achieved through scheduled tasks, and the malware communicates with a command-and-control (C2) server over HTTPS to receive commands for collecting system information, updating, restarting, and executing files.
Notably, two new commands have been added since its emergence: one for enumerating files in the desktop directory and another for retrieving the entire running process ancestry from the infected machine. Latrodectus also has a command to download and execute IcedID, although this behavior has not been observed in the wild. The development suggests a possible collaboration or transition from IcedID to Latrodectus, indicating the latter’s evolving role in cyber threat landscapes.
Reference:
