A new form of malware called "Latrodectus" was likely developed by the makers of banking trojan IcedID and was observed incorporating sandbox evasion techniques to launch impersonation campaigns that lead to victims downloading malicious payloads.
Proofpoint researchers said in an April 4 blog post that they anticipated Latrodectus will become increasingly used by threat actors, especially by those who previously delivered IcedID.
“Latrodectus’ attempts to incorporate sandbox evasion functionality aligns with the trend overall in the cybercrime threat landscape that malware authors are increasingly trying to bypass defenders and ensure only potential victims receive the payload,” wrote the researchers. “Proofpoint has observed similar attempts from other notable malware used by IABs, including Pikabot and WikiLoader.”
While Proofpoint observed attacks launched by TA577 late last year, the researchers said Latrodectus has been almost exclusively distributed by TA578 since mid-January.
Proofpoint said this actor typically uses contact forms to initiate a conversation with a target. On Feb. 20, Proofpoint researchers observed TA578 impersonating various companies to send legal threats about alleged copyright infringement. If a link on the impersonated site was visited, the victim was redirected to a landing page personalized to display both the victim’s domain and the name of the impersonated company reporting the copyright infringement. The URL then downloads a malicious JavaScript file from a Google Firebase URL.
Did Latrodectus emerge as a response to 2023 crackdown on Qbot?
Ken Dunham, cyber threat director at the Qualys Threat Research Unit, added that Latrodectus emerged in late 2023 following a government crackdown on Qbot infrastructure, one of the oldest malware campaigns in the wild that has been active since 2007.
“Battling eCrime is similar to moving a couch where roaches live, they simply run to another piece of furniture or room nearby to seek harbor and continue business as normal, despite any actions taken by the homeowner,” said Dunham. “Latrodectus has powerful components upon its emergence, capable of defeating sandboxes, and use of RC4 encrypted command-and-control communications. It appears likely that actors behind QBot felt the heat from takedowns last year, migrating to this new code base and infrastructure in the fall of 2023.”
Lactrodectus and IcedID share many similarities, such as the way they communicate to their C2, and even commands such as "cmd_run_icedid" that downloads and runs bp.dat, the IcedID bot, explained Adam Neel, threat detection engineer at Critical Start.
Neel said it’s becoming clear that Lactrodectus isn't too different from IcedID, but it does demonstrate sandbox evasion tactics not utilized by previous IcedID loaders. After initialization, Neel said the malware will check it's environment to confirm that it’s not running in a sandbox by confirming the amount of running processes on the device, then checking to make sure it is running on a 64-bit host. Lastly, the malware looks to see if the host has a valid MAC address.
“These sandbox evasion techniques can slow down researchers and defenders from analyzing samples of Latrodectus,” said Neel. “Overall Latrodectus is still similar to IcedID, but it’s important for researchers to keep an eye on it as it continues to evolve. It’s possible that this is not the last form of Latrodectus and it could continue to grow and differentiate itself from IcedID more in the future.”