A new strain of malware dubbed Latrodectus is swiftly supplanting its predecessor, IcedID, in network breaches, according to recent findings by cybersecurity researchers. Initially detected in November 2023, Latrodectus represents an evolution of IcedID, boasting enhanced capabilities and a more sophisticated approach to infiltration. Security experts from Proofpoint and Team Cymru have observed a surge in Latrodectus deployments, particularly noteworthy in February and March 2024, signaling a shift in tactics among threat actors.
Perpetrators behind Latrodectus attacks, specifically tracked as TA577 and TA578, have devised intricate methods to initiate breaches, including leveraging fake copyright infringement notices sent through online contact forms to targeted organizations. These notices lead victims to Google Firebase URLs hosting JavaScript files, which, when executed, deploy Latrodectus via Windows installer from a WebDAV share. Unlike IcedID, Latrodectus incorporates elaborate sandbox evasion checks to avoid detection, ensuring successful infiltration into targeted systems.
The malware’s sophistication extends beyond infiltration, as Latrodectus acts as a versatile downloader, capable of retrieving additional malicious payloads from command and control (C2) servers. Its command repertoire includes gathering system information, executing files and DLLs, downloading and executing new payloads, and resetting communication variables to evade detection. Furthermore, the malware’s infrastructure operates on a dynamic model, with new C2 servers coming online towards the end of each week, indicating a calculated approach by threat actors to prolong campaign lifespans.
As Latrodectus gains prominence in cybercrime circles, cybersecurity experts issue a cautionary warning about its potential proliferation. With a high likelihood of being adopted by multiple threat actors who previously distributed IcedID, Latrodectus poses a significant and evolving threat to organizations worldwide. Vigilance and proactive security measures are paramount to mitigate the risks posed by this emerging malware strain and safeguard against network breaches.
