Malicious Latrodectus Downloader Picks Up Where QBot Left Off

Published: 23/11/2024   Category: security


Initial access brokers are using the new downloader malware, which emerged just after QBots 2023 disruption.



At first, analysts thought the downloader was a variant of the well-known malware IcedID — but it turns out Latrodectus is something new altogether.
The malware is being used by initial access brokers (IABs) in email threat campaigns, and the researchers behind the discovery at Proofpoint and the Team Cymru S2 Threat Research Team predict Latrodectus will continue gaining momentum among threat actors. That's due in large part to its ability to evade sandbox detection, the researchers said.
"After initialization, the malware will check its environment to confirm that it is not running in a sandbox by confirming the number of running processes on the device, then checking to make sure it is running on a 64-bit host, and lastly the malware looks to see if the host has a valid MAC address," according to a statement from Adam Neel, threat detection engineer at Critical Start. "These sandbox evasion techniques can slow down researchers and defenders from analyzing samples of Latrodectus."
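The three environment properties Neel describes are the same ones an analyst can verify from inside an analysis VM before detonating a sample, so that a loader using these checks actually runs rather than exiting quietly. The script below is an added, constructed example for this page, not code from the article or from the researchers it cites. The `MIN_PROCESSES` threshold, the list of architecture strings treated as 64-bit, and the finding names are assumptions; the process count is read from `/proc`, so it is only available on Linux and reports `None` elsewhere.

```python
# Sandbox-realism self-check: an added, constructed example (not code from the
# article, Proofpoint, Team Cymru or Critical Start). Run it inside an analysis
# VM before detonating a sample to confirm the three environment properties the
# article says Latrodectus inspects look like those of a real workstation.
import os
import platform
import uuid

# Assumed threshold: real workstations run far more than this; a bare VM with
# only an agent and a shell often does not. Tune it to your own baseline.
MIN_PROCESSES = 40

# Architecture strings treated as 64-bit hosts (assumed list).
SIXTY_FOUR_BIT = {"x86_64", "amd64", "arm64", "aarch64"}


def count_processes():
    """Number of running processes, or None if /proc is unavailable (non-Linux)."""
    try:
        return sum(1 for entry in os.listdir("/proc") if entry.isdigit())
    except OSError:
        return None


def host_is_64bit(machine=None):
    """True when the reported machine architecture is a 64-bit one."""
    machine = (machine or platform.machine()).lower()
    return machine in SIXTY_FOUR_BIT


def mac_looks_valid(mac):
    """Reject MACs that are missing, all-zero, broadcast, or that carry the
    multicast bit. uuid.getnode() sets that bit when it had to invent a random
    address because no hardware interface could be found."""
    if mac is None or mac == 0 or mac == 0xFFFFFFFFFFFF:
        return False
    multicast_bit = (mac >> 40) & 1
    return multicast_bit == 0


def evaluate(process_count, is_64bit, mac):
    """Return the list of findings for the given observations. An empty list
    means the environment passes all three checks."""
    findings = []
    if process_count is None or process_count < MIN_PROCESSES:
        findings.append("LOW_PROCESS_COUNT")
    if not is_64bit:
        findings.append("NOT_64BIT")
    if not mac_looks_valid(mac):
        findings.append("INVALID_MAC")
    return findings


def self_check():
    """Gather the live observations from this host and evaluate them."""
    return evaluate(count_processes(), host_is_64bit(), uuid.getnode())


if __name__ == "__main__":
    problems = self_check()
    if problems:
        print("sandbox would be fingerprinted:", ", ".join(problems))
    else:
        print("environment passes all three checks")
```

`evaluate()` is kept separate from the collectors so the same logic can be run against observations exported from a sandbox fleet, and so the failure modes (an unreadable `/proc`, a synthetic address from `uuid.getnode()`) produce an explicit finding instead of a silent pass.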
The loader was first discovered in late 2023, and there has been a distinct uptick in threat activity using it throughout February and March, the report warned.
Although it's not a variant of IcedID, the researchers found Latrodectus — named after a string found in the code during analysis — does have similar characteristics, leading the team to conclude both were created by the same developers.
The first group seen using Latrodectus, in November 2023, was TA577, and it has relied on the loader almost exclusively since mid-January 2024, the report said. Before picking up Latrodectus, the group was using IcedID, it added.
In February, researchers discovered another group, TA578, was distributing Latrodectus in a campaign that used threats of legal action for copyright infringement as phishing lures.
The new Latrodectus downloader is positioned to fill the void left by the takedown of QBot malware (also known as Qakbot) in the summer of 2023, according to a statement by Ken Dunham, cyber threat director at Qualys Threat Research Unit.
"TA577 and other actors are affiliated with Qbot and now, a new malware campaign, Latrodectus," Dunham explained. "It appears likely that actors behind QBot felt the heat from takedowns last year, migrating to this new code base and infrastructure in the fall of 2023."
Awareness that Latrodectus is actively being used in email campaigns, along with vigilance, will help enterprises defend against the upgraded downloader, experts advise. The new Latrodectus report provides tactics, techniques, and procedures to help.
"It is possible that this is not the last form of Latrodectus and it could continue to grow and differentiate itself from IcedID more in the future," Neel added. "Latrodectus is currently being distributed via email campaigns, so the need for phishing awareness continues to be incredibly important."
