Latrodectus Malware Loader Emerges as IcedID's Successor in Phishing Campaigns

Cybersecurity researchers have observed a spike in email phishing campaigns starting early March 2024 that delivers Latrodectus, a nascent malware loader believed to be the successor to the IcedID malware.

“These campaigns typically involve a recognizable infection chain involving oversized JavaScript files that utilize WMI’s ability to invoke msiexec.exe and install a remotely-hosted MSI file, remotely hosted on a WEBDAV share,” Elastic Security Labs researchers Daniel Stepanic and Samir Bousseaden said.

Latrodectus comes with standard capabilities that are typically expected of malware designed to deploy additional payloads such as QakBot, DarkGate, and PikaBot, allowing threat actors to conduct various post-exploitation activities.

An analysis of the latest Latrodectus artifacts has revealed an extensive focus on enumeration and execution as well as the incorporation of a self-delete technique to delete running files.

The malware, besides masquerading as libraries associated with legitimate software, utilizes source code obfuscation and performs anti-analysis checks in order to prevent its execution from proceeding further in a debugging or sandboxed environment.

Latrodectus also sets up persistence on Windows hosts using a scheduled task and establishes contact with a command-and-control (C2) server over HTTPS to receive commands that allow it to collect system information; update, restart, and terminate itself; and run shellcode, DLL, and executable files.

Two new commands added to the malware since its emergence late last year include the ability to enumerate files in the desktop directory and retrieve the entire running process ancestry from the infected machine.

It further supports a command to download and execute IcedID (command ID 18) from the C2 server, although Elastic said it did not detect this behavior in the wild.

“There definitely is some kind of development connection or working arrangement between IcedID and Latrodectus,” the researchers said.

“One hypothesis being considered is that Latrodectus is being actively developed as a replacement for IcedID, and the handler (#18) was included until malware authors were satisfied with Latrodectus’ capabilities.”

The development comes as Forcepoint dissected a phishing campaign that makes use of invoice-themed email lures to deliver the DarkGate malware.

The attack chain begins with phishing emails posing as QuickBooks invoices, urging users to install Java by clicking on an embedded link that leads to a malicious Java archive (JAR). The JAR file acts as a conduit to run a PowerShell script responsible for downloading and launching DarkGate via an AutoIT script.

Social engineering campaigns have also employed an updated version of a phishing-as-a-service (PhaaS) platform called Tycoon to harvest Microsoft 365 and Gmail session cookies and bypass multi-factor authentication (MFA) protections.

“This new version boasts enhanced detection evasion capabilities that make it even harder for security systems to identify and block the kit,” Proofpoint said. “Significant alterations to the kit’s JavaScript and HTML code have been implemented to increase its stealthiness and effectiveness.”

These include obfuscation techniques to make the source code harder to understand and the use of dynamic code generation to tweak the code every time it runs, thus evading signature-based detection systems.

Other social engineering campaigns detected in March 2024 have taken advantage of Google ads impersonating Calendly and Rufus to propagate another malware loader known as D3F@ck Loader, which first emerged in cybercrime forums in January 2024, and ultimately drop Raccoon Stealer and DanaBot.

“The case of D3F@ck Loader illustrates how malware-as-a-service (MaaS) continues to evolve, utilizing [Extended Validation] certificates to bypass trusted security measures,” cybersecurity company eSentire noted late last month.

The disclosure also follows the emergence of new stealer malware families like Fletchen Stealer, WaveStealer, zEus Stealer, and Ziraat Stealer, even as the Remcos remote access trojan (RAT) has been spotted using a PrivateLoader module to augment its capabilities.

“By installing VB scripts, altering the registry, and setting up services to restart the malware at variable times or by control, [Remcos] malware is able to infiltrate a system completely and remain undetected,” the SonicWall Capture Labs threat research team said.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.