New Latrodectus virus: IcedID with advanced features comes into play

Father

How copyright infringement leads to system infection.

Proofpoint and Team Cymru discovered a new virus called Latrodectus, which is considered an evolution of the well-known IcedID downloader, which has been actively used in phishing mailings since November 2023.

IcedID, first identified in 2017, was classified as a modular banking Trojan designed to steal financial information from infected computers. Over time, it has become more complex, gaining the ability to evade detection and execute commands.

IcedID has recently evolved into a downloader for delivering other types of malware, including ransomware. And in February 2024, one of the leaders of the IcedID campaign pleaded guilty in a US federal court, facing up to 20 years in prison on each of the charges.

According to research by Proofpoint and Team Cymru, there are certain links between IcedID and Latrodectus, including similarities in infrastructure and operations, which suggests that the latter was created by the developers of IcedID.

IcedID and Latrodectus infrastructure overlap

Latrodectus is a loader capable of receiving additional malicious payloads from the C2 server. The virus also performs various checks to avoid detection, including requiring a certain number of running processes depending on the version of Windows and checking for a valid MAC address.

Among others, Latrodectus supports the following commands:
  • Get file names on the desktop;
  • Get a list of running processes;
  • Send additional information about the system;
  • Run the executable file;
  • Run the DLL;
  • End the running process.

An attacker initiates an attack by filling out feedback forms and notifying the target organization of copyright infringement. In the message, the hacker also leaves a link that leads the victim to the Google Firebase page, where the malicious JavaScript file is downloaded. The file then uses the Windows Installer to run an MSI file containing the malicious Latrodectus library.
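The delivery chain above ends with a downloaded JavaScript file handing off to Windows Installer. A defender can look for exactly that parent/child relationship in process-creation telemetry. The following is an added example, not code from the article or from Proofpoint/Team Cymru: it parses a constructed, simplified key=value process log (the field names and sample lines are assumptions, not any vendor's schema) and flags msiexec.exe launched by a script host such as wscript.exe or cscript.exe.

```python
"""Added example: flag a script host (wscript/cscript) spawning Windows Installer,
the hand-off described in the article's infection chain.

The log format below is a constructed key=value line format, and the events are
made up for this example; neither comes from the article or a real product."""
import re

# Constructed sample telemetry. Event 3 is the suspicious one: msiexec.exe whose
# parent (ppid 5120) is wscript.exe running a file from the Downloads folder.
# Event 4 is a benign-looking msiexec.exe started from explorer.exe.
SAMPLE_LOG = """\
ts=2024-04-08T09:12:01Z pid=4412 ppid=3980 image=C:\\Windows\\explorer.exe cmd="explorer.exe" user=alice
ts=2024-04-08T09:12:44Z pid=5120 ppid=4412 image=C:\\Windows\\System32\\wscript.exe cmd="wscript.exe C:\\Users\\alice\\Downloads\\copyright_notice.js" user=alice
ts=2024-04-08T09:12:45Z pid=5188 ppid=5120 image=C:\\Windows\\System32\\msiexec.exe cmd="msiexec.exe /i C:\\Users\\alice\\AppData\\Local\\Temp\\notice.msi /qn" user=alice
ts=2024-04-08T09:13:02Z pid=5300 ppid=4412 image=C:\\Windows\\System32\\msiexec.exe cmd="msiexec.exe /i C:\\ProgramData\\vendor\\setup.msi" user=alice
"""

# key=value pairs; values may be double-quoted to allow spaces (e.g. cmd="...").
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
INSTALLER = "msiexec.exe"


def parse_event(line: str) -> dict:
    """Turn one log line into a dict of fields, unquoting quoted values."""
    event = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        event[key] = quoted if raw.startswith('"') else raw
    return event


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (last backslash-separated part)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_script_to_installer(log_text: str) -> list:
    """Return msiexec.exe events whose parent process is a script host.

    Simplification (assumption): pids are treated as unique within the log,
    so no handling of pid reuse across the time window."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    by_pid = {ev["pid"]: ev for ev in events if "pid" in ev}
    hits = []
    for ev in events:
        if basename(ev.get("image", "")) != INSTALLER:
            continue
        parent = by_pid.get(ev.get("ppid"))
        if parent is None or basename(parent.get("image", "")) not in SCRIPT_HOSTS:
            continue
        hits.append({
            "ts": ev.get("ts"),
            "pid": ev["pid"],
            "parent_pid": parent["pid"],
            "parent_cmd": parent.get("cmd", ""),
            "cmd": ev.get("cmd", ""),
            "user": ev.get("user", ""),
        })
    return hits


if __name__ == "__main__":
    for hit in find_script_to_installer(SAMPLE_LOG):
        print(f"ALERT {hit['ts']} user={hit['user']}: {hit['parent_cmd']!r} -> {hit['cmd']!r}")
```

Run against the constructed log, only the wscript.exe -> msiexec.exe pair is reported; the msiexec.exe started from explorer.exe is not. In a real deployment the same logic would run over Sysmon event ID 1 or equivalent EDR process-creation events, with the parent lookup keyed on process GUIDs rather than bare pids.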

Decoy message about copyright infringement

The virus's infrastructure is divided into two layers, which gives it flexibility in managing campaigns and their expiration dates. New C2 servers are especially active at the end of the week before attacks.

Based on the research conducted, Proofpoint experts express concern about the future use of Latrodectus in cybercrime campaigns, given its advanced evasion capabilities and malicious payload. It is believed that the probability of Latrodectus spreading among cybercriminals who previously used IcedID remains high.