Latrodectus

Latrodectus is a Windows malware downloader that has been used since at least 2023 to download and execute additional payloads and modules. Latrodectus has most often been distributed through email campaigns, primarily by TA577 and TA578, and has infrastructure overlaps with historic IcedID operations.[1][2][3]

ID: S1160
Associated Software: IceNova, Unidentified 111
Type: MALWARE
Platforms: Windows
Contributors: Riku Katsuse, NEC Corporation; Sareena Karapoola, NEC Corporation India; Pooja Natarajan, NEC Corporation India; Cris Tomboc, Trustwave SpiderLabs
Version: 1.0
Created: 16 September 2024
Last Modified: 30 September 2024

Associated Software Descriptions

Name Description
IceNova [2]
Unidentified 111 [2]

Techniques Used

Domain ID Name Use
Enterprise T1087 .002 Account Discovery: Domain Account

Latrodectus can run C:\Windows\System32\cmd.exe /c net group "Domain Admins" /domain to identify domain administrator accounts.[4]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Latrodectus can send registration information to C2 via HTTP POST.[1][4][3]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Latrodectus can set an AutoRun key to establish persistence.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

The Latrodectus command handler can use cmd.exe to run multiple discovery commands.[4][3]

Enterprise T1059 .007 Command and Scripting Interpreter: JavaScript

Latrodectus has used JavaScript files as part of its infection chain during malicious spam email campaigns.[4][3][5]

Enterprise T1132 .001 Data Encoding: Standard Encoding

Latrodectus has Base64-encoded the message body of an HTTP request sent to C2.[1][4]

Enterprise T1005 Data from Local System

Latrodectus can collect data from a compromised host using a stealer module.[3]

Enterprise T1622 Debugger Evasion

Latrodectus has the ability to check for the presence of debuggers.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Latrodectus has the ability to deobfuscate encrypted strings.[1][4][3]

Enterprise T1482 Domain Trust Discovery

Latrodectus can run C:\Windows\System32\cmd.exe /c nltest /domain_trusts to discover domain trusts.[4][3]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Latrodectus can send RC4 encrypted data over C2 channels.[1][4][3]

Enterprise T1041 Exfiltration Over C2 Channel

Latrodectus can exfiltrate encrypted system information to the C2 server.[1][3]

Enterprise T1083 File and Directory Discovery

Latrodectus can collect desktop filenames.[1][3][4]

Enterprise T1564 .004 Hide Artifacts: NTFS File Attributes

Latrodectus can delete itself while its process is still running through the use of an alternate data stream.[4]

Enterprise T1070 .004 Indicator Removal: File Deletion

Latrodectus has the ability to delete itself.[4][3]

Enterprise T1105 Ingress Tool Transfer

Latrodectus can download and execute PEs, DLLs, and shellcode from C2.[1][4][3]

Enterprise T1559 .001 Inter-Process Communication: Component Object Model

Latrodectus can use the Windows Component Object Model (COM) to set scheduled tasks.[4][3]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Latrodectus has been packed to appear as a component of Bitdefender's kernel-mode driver, TRUFOS.SYS.[4]

Enterprise T1104 Multi-Stage Channels

Latrodectus has used a two-tiered C2 configuration with tier one nodes connecting to the victim and tier two nodes connecting to backend infrastructure.[1]

Enterprise T1106 Native API

Latrodectus has used multiple Windows APIs post-exploitation, including GetAdaptersInfo, CreateToolhelp32Snapshot, and CreateProcessW.[4][3]

Enterprise T1135 Network Share Discovery

Latrodectus can run C:\Windows\System32\cmd.exe /c net view /all to discover network shares.[4][3]

Enterprise T1027 .001 Obfuscated Files or Information: Binary Padding

Latrodectus has been obfuscated with a 129 byte sequence of junk data prepended to the file.[4]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

The Latrodectus payload has been packed for obfuscation.[4]

Enterprise T1027 .007 Obfuscated Files or Information: Dynamic API Resolution

Latrodectus can resolve Windows APIs dynamically by hash.[1]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Latrodectus has used a pseudo random number generator (PRNG) algorithm and a rolling XOR key to obfuscate strings.[1][4][3]

Enterprise T1069 .002 Permission Groups Discovery: Domain Groups

Latrodectus can identify domain groups through cmd.exe /c net group "Domain Admins" /domain.[3][4]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Latrodectus has been distributed through reply-chain phishing emails with malicious attachments.[2]

Enterprise T1566 .002 Phishing: Spearphishing Link

Latrodectus has been distributed to victims through emails containing malicious links.[1][2]

Enterprise T1057 Process Discovery

Latrodectus can enumerate running processes including process grandchildren on targeted hosts.[1][4][3]

Enterprise T1021 .005 Remote Services: VNC

Latrodectus has routed C2 traffic using Keyhole VNC.[5]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Latrodectus can create scheduled tasks for persistence.[1][4][3]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Latrodectus has the ability to identify installed antivirus products.[4][3]

Enterprise T1218 .007 System Binary Proxy Execution: Msiexec

Latrodectus has called msiexec to install remotely-hosted MSI files.[1][2]

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

Latrodectus can use rundll32.exe to execute downloaded DLLs.[4][2]

Enterprise T1082 System Information Discovery

Latrodectus can gather operating system information.[1][4][3]

Enterprise T1016 System Network Configuration Discovery

Latrodectus can discover the IP and MAC address of a targeted host.[4][3]

Enterprise T1033 System Owner/User Discovery

Latrodectus can discover the username of an infected host.[4]

Enterprise T1529 System Shutdown/Reboot

Latrodectus has the ability to restart compromised hosts.[4]

Enterprise T1204 .001 User Execution: Malicious Link

Latrodectus has been executed through malicious links distributed in email campaigns.[1][2]

Enterprise T1204 .002 User Execution: Malicious File

Latrodectus has lured users into opening malicious email attachments for execution.[2]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

Latrodectus can determine if it is running in a virtualized environment by checking the OS version, checking the number of running processes, ensuring a 64-bit application is running on a 64-bit host, and checking if the host has a valid MAC address.[1][4][3]

Enterprise T1102 Web Service

Latrodectus has used Google Firebase to download malicious installation scripts.[5]

Enterprise T1047 Windows Management Instrumentation

Latrodectus has used WMI in malicious email infection chains to facilitate the installation of remotely-hosted files.[4][3]

Groups That Use This Software

ID Name References
G1037 TA577 [1]
G1038 TA578 [1][3]

References