小心'Latrodectus' - 这种恶意软件可能潜伏在您的收件箱中

admin 2024年4月10日10:28:10评论14 views字数 4400阅读14分40秒阅读模式

小心'Latrodectus' - 这种恶意软件可能潜伏在您的收件箱中

Threat hunters have discovered a new malware called Latrodectus that has been distributed as part of email phishing campaigns since at least late November 2023.


"Latrodectus is an up-and-coming downloader with various sandbox evasion functionality," researchers from Proofpoint and Team Cymru said in a joint analysis published last week, adding it's designed to retrieve payloads and execute arbitrary commands.

"Latrodectus是一种新兴的下载器,具有各种沙箱逃避功能,"Proofpoint和Team Cymru的研究人员在上周发布的联合分析中说,该下载器旨在检索有效载荷并执行任意命令。

There is evidence to suggest that the downloader is likely written by the same threat actors behind the IcedID malware, with the downloader put to use by initial access brokers (IABs) to facilitate the deployment of other malware.


Latrodectus has been primarily linked to two different IABs tracked by Proofpoint under the names TA577 (aka Water Curupira) and TA578, the former of which has also been linked to the distribution of QakBot and PikaBot.

Latrodectus主要与Proofpoint跟踪的两个不同IABs相关联,分别称为TA577(又名Water Curupira)和TA578,前者还与QakBot和PikaBot的分发相关联。

As of mid-January 2024, it's been employed almost exclusively by TA578 in email threat campaigns, in some cases delivered via a DanaBot infection.


TA578, known to be active since at least May 2020, has been linked to email-based campaigns delivering Ursnif, IcedID, KPOT Stealer, Buer Loader, BazaLoader, Cobalt Strike, and Bumblebee.

TA578自2020年5月至少活动以来,已被证实与通过电子邮件传送Ursnif,IcedID,KPOT Stealer,Buer Loader,BazaLoader,Cobalt Strike和Bumblebee相关的活动相关联。

Attack chains leverage contact forms on websites to send legal threats regarding alleged copyright infringement to targeted organizations. The links embedded in the messages direct the recipients to a bogus website to trick them into downloading a JavaScript file that's responsible for launching the main payload using msiexec.


"Latrodectus will post encrypted system information to the command-and-control server (C2) and request the download of the bot," the researchers said. "Once the bot registers with the C2, it sends requests for commands from the C2."


小心'Latrodectus' - 这种恶意软件可能潜伏在您的收件箱中

It also comes with capabilities to detect if it's running in a sandboxed environment by checking if the host has a valid MAC address and there are at least 75 running processes on systems running Windows 10 or newer.

它还具有检测是否在沙箱环境中运行的能力,方法是检查主机是否具有有效的MAC地址,并且运行的Windows 10或更新版本的系统上至少有75个运行进程。

Like in the case of IcedID, Latrodectus is designed to send the registration information in a POST request to the C2 server where the fields are HTTP parameters stringed together and encrypted, after which it awaits further instructions from the server.


The commands allow the malware to enumerate files and processes, execute binaries and DLL files, run arbitrary directives via cmd.exe, update the bot, and even shut down a running process.


A further examination of the attacker infrastructure reveals that the first C2 servers came alive on September 18, 2023. These servers, in turn, are configured to communicate with an upstream Tier 2 server that was set up around August 2023.

对攻击者基础设施的进一步审查显示,第一批C2服务器于2023年9月18日启用。这些服务器又配置为与2023年8月左右建立的上游Tier 2服务器通信。

Latrodectus' connections to IcedID stems from the fact that the T2 server "maintains connections with backend infrastructure associated with IcedID" and use of jump boxes previously associated with IcedID operations.


The threat actors' shift to DarkGate, Latrodectus, and PikaBot over the past several months comes in the wake of a law enforcement operation that neutralized QakBot in late August 2023, although the malware has been deployed in low-volume campaigns as of December and there are indications that a new variant of the botnet is undergoing active development.


"Latrodectus will become increasingly used by financially motivated threat actors across the criminal landscape, particularly those who previously distributed IcedID," Team Cymru assessed.

"Latrodectus将在犯罪格局中变得越来越受到财务动机的威胁行为者的青睐,尤其是那些以前分发IcedID的威胁行为者,"Team Cymru评估。





原文始发于微信公众号(知机安全):小心'Latrodectus' - 这种恶意软件可能潜伏在您的收件箱中

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
  • 本文由 发表于 2024年4月10日10:28:10
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   小心'Latrodectus' - 这种恶意软件可能潜伏在您的收件箱中http://cn-sec.com/archives/2641947.html


匿名网友 填写信息