A hacker in a hoodie surrounded by phishing hooks, targeting email, credit card, and secure data.

Latrodectus: A New Phishing Threat to Replace IcedID?

Latrodectus is at the forefront of current cybersecurity advancements, with experts reporting an increase in email phishing efforts that distribute this new malware loader. This malware is emerging as an alternative to the infamous IcedID malware, causing major concern among cybersecurity professionals.

Cybercriminals are increasingly using the malware loader LATRODECTUS. The malware series is new; however, it is quite like IcedID. Both feature a command handler for downloading and executing encrypted payloads.

LATRODECTUS offers conventional malware capabilities for deploying payloads such as QakBot, DarkGate, and PikaBot. This allows threat actors to engage in a variety of post-exploitation actions.

Elastic Security Labs reported an increase in LATRODECTUS-delivering email campaigns beginning in early March 2024. These advertisements frequently employ an outdated attack approach, which involves large JavaScript files. These files use WMI to launch msiexec.exe, which installs an MSI file stored on a WEBDAV share.

Phishing emails to payload deployment in the Latrodectus Malware attack chain
Phishing emails to payload deployment in the Latrodectus Malware attack chain

The attack chain begins with phishing emails masquerading as QuickBooks bills. These emails ask users to install Java by clicking an embedded link that takes them to a malicious Java archive (JAR) file. This JAR file contains a PowerShell script that downloads and launches DarkGate using an AutoIT script.

Social engineers are also utilising a new phishing-as-a-service (PhaaS) platform called Tycoon. This software gathers Microsoft 365 and Gmail session cookies while avoiding multi-factor authentication (MFA) security measures.

March 2024 saw the discovery of enhanced social engineering tactics. These tactics involved using fake Google advertising for Calendly and Rufus to deploy a new malware loader called D3F@ck Loader.

D3F@ck Loader, discovered on cybercrime forums in January 2024, is used by attackers to spread Raccoon Stealer and DanaBot. The malware obfuscates its source code and poses as authentic program libraries. Additionally, it carries out anti-analysis checks to prevent execution in sandboxed or debugging settings.

Latrodectus uses a scheduled job to establish persistence on Windows hosts. For command-and-control (C2) purposes, it starts an HTTPS connection with a C2 server. With the use of these commands, it can run executable files, DLLs, shellcode, and gather system information. It can also update, restart, and terminate itself.

Since its emergence late last year, two new commands have been added to the malware: it can list files in the desktop directory with one command, and it can retrieve the entire ongoing process history from the compromised system with another.

Furthermore, Latrodectus includes a command (ID 18) for downloading and running IcedID from the C2 server. Elastic, however, stated that it hasn’t seen similar activity in the wild.

Recent variants of malware include Fletchen Stealer, WaveStealer, zEus Stealer, and Ziraat Stealer. Simultaneously, the Remcos remote access trojan (RAT) is now leveraging a PrivateLoader module to enhance its ability to attack. The rise of Latrodectus and other complex malware highlights the ever-changing risk landscape.

Cybersecurity experts must remain vigilant and continually update their systems to counter these sophisticated threats. Mitigating risks associated with social engineering tactics and developing viruses requires awareness and proactive steps.

Phishing attacks are on the rise, and it is important to protect your organisation. One effective way to do this is by increasing user awareness about these types of attacks. Phishing Tackle is a great resource that can help you in this regard. They offer a free 14-day trial to help train your users to recognise and avoid phishing attacks. 

Although technology can be helpful, it cannot spot 100% of phishing emails. Therefore, user education is important to minimising the impact of any successful attacks. Consulting with Phishing Tackle can provide valuable insights and tools to help you strengthen your defences against phishing attacks.

Recent posts