Latrodectus

Latrodectus is a Windows malware downloader that has been used since at least 2023 to download and execute additional payloads and modules. Latrodectus has most often been distributed through email campaigns, primarily by TA577 and TA578, and has infrastructure overlaps with historic IcedID operations.[1][2][3]

ID: S1160
Associated Software: IceNova, Unidentified 111
Type: MALWARE
Platforms: Windows
Contributors: Riku Katsuse, NEC Corporation; Sareena Karapoola, NEC Corporation India; Pooja Natarajan, NEC Corporation India; Cris Tomboc, Trustwave SpiderLabs
Version: 1.0
Created: 16 September 2024
Last Modified: 30 September 2024

Associated Software Descriptions

Name Description
IceNova [2]
Unidentified 111 [2]

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

Latrodectus has used WMI in malicious email infection chains to facilitate the installation of remotely-hosted files.[4][3]

Enterprise T1005 Data from Local System

Latrodectus can collect data from a compromised host using a stealer module.[3]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Latrodectus has been packed to appear as a component of Bitdefender's kernel-mode driver, TRUFOS.SYS.[4]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Latrodectus can send RC4-encrypted data over C2 channels.[1][4][3]

Enterprise T1140 Deobfuscate/Decode Files or Information

Latrodectus has the ability to deobfuscate encrypted strings.[1][4][3]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Latrodectus can set an AutoRun key to establish persistence.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

The Latrodectus command handler can use cmd.exe to run multiple discovery commands.[4][3]

.007 Command and Scripting Interpreter: JavaScript

Latrodectus has used JavaScript files as part of its infection chain during malicious spam email campaigns.[4][3][5]

Enterprise T1482 Domain Trust Discovery

Latrodectus can run C:\Windows\System32\cmd.exe /c nltest /domain_trusts to discover domain trusts.[4][3]

Enterprise T1104 Multi-Stage Channels

Latrodectus has used a two-tiered C2 configuration with tier one nodes connecting to the victim and tier two nodes connecting to backend infrastructure.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Latrodectus can send registration information to C2 via HTTP POST.[1][4][3]

Enterprise T1132 .001 Data Encoding: Standard Encoding

Latrodectus has Base64-encoded the message body of an HTTP request sent to C2.[1][4]
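The T1573.001 and T1132.001 entries above describe the same layering: the C2 message body is RC4-encrypted and then Base64-encoded before it is sent by HTTP POST. The following is an added example (not code from the page or from the malware) that models that layering with standard RC4 and shows the analyst-side reversal of a captured body. The key `C2_KEY`, the field names, and the `key=value&...` serialization are constructed for illustration and are not Latrodectus's real key or message format.

```python
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). The same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Constructed illustrative key; NOT the malware's real key (assumption for the example).
C2_KEY = b"example-rc4-key"


def build_registration_body(fields: dict, key: bytes = C2_KEY) -> str:
    """Model of the observed pattern: serialize -> RC4 -> Base64 -> HTTP POST body.
    The key=value&... serialization is a constructed placeholder format."""
    plaintext = "&".join(f"{k}={v}" for k, v in fields.items()).encode()
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")


def decode_registration_body(body: str, key: bytes = C2_KEY) -> dict:
    """Analyst side: strip Base64, then RC4, to recover the fields from a captured body."""
    plaintext = rc4(key, base64.b64decode(body)).decode()
    return dict(pair.split("=", 1) for pair in plaintext.split("&"))


if __name__ == "__main__":
    # Constructed sample of the kind of host data a registration message might carry.
    sample = {"user": "alice", "host": "WS01", "os": "10.0.19045"}
    body = build_registration_body(sample)
    print(body)
    print(decode_registration_body(body))
```

The RC4 routine is the textbook algorithm and can be checked against the well-known test vector (key `Key`, plaintext `Plaintext` gives `BBF316E8D940AF0AD3`); once the key has been pulled from a sample, `decode_registration_body` is the whole decoding step for a captured POST body.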

Enterprise T1083 File and Directory Discovery

Latrodectus can collect desktop filenames.[1][3][4]

Enterprise T1106 Native API

Latrodectus has used multiple Windows APIs post-exploitation, including GetAdaptersInfo, CreateToolhelp32Snapshot, and CreateProcessW.[4][3]

Enterprise T1069 .002 Permission Groups Discovery: Domain Groups

Latrodectus can identify domain groups through cmd.exe /c net group "Domain Admins" /domain.[3][4]

Enterprise T1027 .001 Obfuscated Files or Information: Binary Padding

Latrodectus has been obfuscated with a 129-byte sequence of junk data prepended to the file.[4]

.002 Obfuscated Files or Information: Software Packing

The Latrodectus payload has been packed for obfuscation.[4]

.007 Obfuscated Files or Information: Dynamic API Resolution

Latrodectus can resolve Windows APIs dynamically by hash.[1]

.013 Obfuscated Files or Information: Encrypted/Encoded File

Latrodectus has used a pseudo-random number generator (PRNG) algorithm and a rolling XOR key to obfuscate strings.[1][4][3]

Enterprise T1204 .001 User Execution: Malicious Link

Latrodectus has been executed through malicious links distributed in email campaigns.[1][2]

.002 User Execution: Malicious File

Latrodectus has lured users into opening malicious email attachments for execution.[2]

Enterprise T1070 .004 Indicator Removal: File Deletion

Latrodectus has the ability to delete itself.[4][3]

Enterprise T1218 .007 System Binary Proxy Execution: Msiexec

Latrodectus has called msiexec to install remotely-hosted MSI files.[1][2]

.011 System Binary Proxy Execution: Rundll32

Latrodectus can use rundll32.exe to execute downloaded DLLs.[4][2]

Enterprise T1082 System Information Discovery

Latrodectus can gather operating system information.[1][4][3]

Enterprise T1529 System Shutdown/Reboot

Latrodectus has the ability to restart compromised hosts.[4]

Enterprise T1033 System Owner/User Discovery

Latrodectus can discover the username of an infected host.[4]

Enterprise T1016 System Network Configuration Discovery

Latrodectus can discover the IP and MAC address of a targeted host.[4][3]

Enterprise T1135 Network Share Discovery

Latrodectus can run C:\Windows\System32\cmd.exe /c net view /all to discover network shares.[4][3]

Enterprise T1102 Web Service

Latrodectus has used Google Firebase to download malicious installation scripts.[5]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

Latrodectus can determine if it is running in a virtualized environment by checking the OS version, checking the number of running processes, ensuring a 64-bit application is running on a 64-bit host, and checking if the host has a valid MAC address.[1][4][3]

Enterprise T1622 Debugger Evasion

Latrodectus has the ability to check for the presence of debuggers.[1]

Enterprise T1087 .002 Account Discovery: Domain Account

Latrodectus can run C:\Windows\System32\cmd.exe /c net group "Domain Admins" /domain to identify domain administrator accounts.[4]
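The T1482, T1069.002, T1135 and T1087.002 entries all describe the same behaviour from a detection standpoint: one parent process spawning a burst of `cmd.exe /c` discovery commands (`nltest /domain_trusts`, `net group "Domain Admins" /domain`, `net view /all`). The following is an added detection example (not code from the page or from any vendor), run over constructed Sysmon-style process-creation events rather than real telemetry. It tags each command line with the technique it matches and alerts when one parent launches at least two distinct discovery techniques inside a short window, reporting the parent image so an analyst sees that the spawner was, for instance, rundll32.exe. The field names, PIDs, timestamps, the 60-second window and the minimum of two techniques are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed process-creation events in a Sysmon Event ID 1 style; NOT real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2024-09-16T10:00:01", "host": "WS01", "ppid": 4120, "pid": 4300,
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\Public\update.dll,run"},
    {"ts": "2024-09-16T10:00:03", "host": "WS01", "ppid": 4300, "pid": 4311,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"C:\Windows\System32\cmd.exe /c nltest /domain_trusts"},
    {"ts": "2024-09-16T10:00:04", "host": "WS01", "ppid": 4300, "pid": 4315,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'C:\Windows\System32\cmd.exe /c net group "Domain Admins" /domain'},
    {"ts": "2024-09-16T10:00:05", "host": "WS01", "ppid": 4300, "pid": 4320,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"C:\Windows\System32\cmd.exe /c net view /all"},
    # Benign admin activity on another host: one command only, should not alert.
    {"ts": "2024-09-16T10:07:00", "host": "WS02", "ppid": 900, "pid": 950,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd.exe /c net view /all"},
]

# Technique IDs are ATT&CK's; the regexes are this example's own and also accept net1.exe,
# which cmd.exe uses under the hood for some net subcommands.
DISCOVERY_PATTERNS = {
    "T1482": re.compile(r"\bnltest(\.exe)?\s+/domain_trusts", re.I),
    "T1069.002/T1087.002": re.compile(r'\bnet1?(\.exe)?\s+group\s+"Domain Admins"\s+/domain', re.I),
    "T1135": re.compile(r"\bnet1?(\.exe)?\s+view\s+/all", re.I),
}


def tag_event(event: dict) -> list[str]:
    """Return the discovery techniques whose pattern matches this command line."""
    return [tid for tid, rx in DISCOVERY_PATTERNS.items() if rx.search(event["cmd"])]


def find_discovery_bursts(events: list[dict], min_techniques: int = 2,
                          window_seconds: int = 60) -> list[dict]:
    """Group tagged events by (host, parent PID) and alert when one parent spawns
    at least min_techniques distinct discovery techniques within window_seconds."""
    images = {(e["host"], e["pid"]): e["image"] for e in events}
    by_parent = defaultdict(list)
    for e in events:
        techs = tag_event(e)
        if techs:
            by_parent[(e["host"], e["ppid"])].append((datetime.fromisoformat(e["ts"]), techs))

    alerts = []
    for (host, ppid), hits in by_parent.items():
        hits.sort(key=lambda h: h[0])
        for i, (t0, _) in enumerate(hits):          # slide a window from each hit
            seen = set()
            for t, techs in hits[i:]:
                if (t - t0).total_seconds() > window_seconds:
                    break
                seen.update(techs)
            if len(seen) >= min_techniques:
                alerts.append({"host": host, "ppid": ppid,
                               "parent_image": images.get((host, ppid), "<unknown>"),
                               "techniques": sorted(seen), "first_seen": t0.isoformat()})
                break                                # one alert per parent is enough
    return alerts


if __name__ == "__main__":
    for alert in find_discovery_bursts(SAMPLE_EVENTS):
        print(alert)
```

The parent-image lookup is what separates this from a plain command-line signature: `net view /all` alone is common admin noise, while a `rundll32.exe`-spawned chain of domain-trust, domain-admin and share enumeration within seconds is the pattern the entries above describe. In production the events would come from Sysmon, EDR or Windows 4688 logs rather than the inline list.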

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Latrodectus has the ability to identify installed antivirus products.[4][3]

Enterprise T1105 Ingress Tool Transfer

Latrodectus can download and execute PEs, DLLs, and shellcode from C2.[1][4][3]

Enterprise T1057 Process Discovery

Latrodectus can enumerate running processes including process grandchildren on targeted hosts.[1][4][3]

Enterprise T1559 .001 Inter-Process Communication: Component Object Model

Latrodectus can use the Windows Component Object Model (COM) to set scheduled tasks.[4][3]

Enterprise T1021 .005 Remote Services: VNC

Latrodectus has routed C2 traffic using Keyhole VNC.[5]

Enterprise T1041 Exfiltration Over C2 Channel

Latrodectus can exfiltrate encrypted system information to the C2 server.[1][3]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Latrodectus has been distributed through reply-chain phishing emails with malicious attachments.[2]

.002 Phishing: Spearphishing Link

Latrodectus has been distributed to victims through emails containing malicious links.[1][2]

Enterprise T1564 .004 Hide Artifacts: NTFS File Attributes

Latrodectus can delete itself while its process is still running through the use of an alternate data stream.[4]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Latrodectus can create scheduled tasks for persistence.[1][4][3]

Groups That Use This Software

ID Name References
G1037 TA577 [1]
G1038 TA578 [1][3]

References