Latrodectus: A Year of Development – VMRay

Latrodectus is an actively developed loader/downloader family that emerged following the takedown of IcedID and has quickly evolved through many small iterations, adding and removing features while introducing stronger string encryption and C2 capabilities. VMRay’s platform detects all known versions through behavioral coverage and can extract malware configuration such as C2 URLs, RC4/AES keys, and version/group identifiers. #Latrodectus #IcedID #VMRay #OperationEndgame #Windows

Keypoints

  • Latrodectus is a loader/downloader that appears to be a successor to the IcedID family and can even fetch an IcedID loader via a C2 command.
  • Distribution follows a chain from JavaScript to MSI droppers and finally to a core DLL that exposes four identical exports which run the same logic.
  • The family has evolved rapidly (versions v1.1a → v1.8), changing string encryption from XOR to rolling XOR and finally to AES-256 (CTR) with per-string IVs and a hardcoded key.
  • It implements several sandbox-evasion checks: process count thresholds based on OS version, MAC address validation, PEB BeingDebugged flag checks, and WOW64 detection.
  • Persistence is achieved by copying to %APPDATA% with a hardware-ID-based filename and creating a scheduled task via COM (names observed: “Updater” and “anxiety”); a mutex “runnung” prevents reinfection.
  • Network behavior includes an initial RC4-encrypted, base64-encoded POST with a fixed User-Agent and a C2 command handler that accepts multiple commands and subcommands.
  • VMRay provides YARA rules, VTIs, and configuration extraction (C2 URLs, version, mission/group IDs, RC4/AES keys) and detects all known Latrodectus samples up to v1.8.

MITRE Techniques

  • [T1055] Process Injection – The loader may use process injection to stealthily execute payloads. (‘Latrodectus may utilize process injection techniques to execute its payloads stealthily.’)
  • [T1071] Application Layer Protocol – Latrodectus communicates with remote C2 servers over HTTPS for check-ins and to receive commands and payloads. (‘Communicates with C2 servers to receive further commands and updates.’)
  • [T1053.005] Scheduled Task/Job: Scheduled Task – The malware creates a logon-triggered scheduled task through the COM ITaskService interface to achieve persistence. (‘Creates scheduled tasks using the Component Object Model (COM) for persistence.’)
  • [T1003] OS Credential Dumping – Noted only as a potential capability; the analysis does not describe a credential-theft routine in the loader itself. (‘May attempt to gather credentials during its operation.’)
  • [T1027] Obfuscated Files or Information – Latrodectus encrypts its internal strings and configuration data, evolving from XOR to AES-256 CTR to hinder static analysis. (‘Utilizes encryption methods to obscure its internal strings and configuration data.’)

Indicators of Compromise

  • [C2 URLs] Network command-and-control endpoints observed – hxxps://antyparkov[.]site/live/, hxxps://aytobusesre[.]com/live/, and 25+ other URLs.
  • [Mutex] Execution guard to avoid reinfection – ‘runnung’.
  • [Scheduled task names] Persistence via scheduler – ‘Updater’, ‘anxiety’.
  • [Persistence file names] Drop locations and naming pattern – %APPDATA%\Custom_update\Update_XXXXXXXX.dll (older builds), %APPDATA%\falsify_steward\confrontation_XXXXXXXX.dll (newer builds); XXXXXXXX is the hardware ID.
  • [RC4/AES keys] Encryption keys used for C2 and strings – example RC4 keys: ‘12345’, ‘2sDbsEUXvhgLOO4Irt8AF6el3jJ0M1MowXyao00Nn6ZUjtjXwb’, and several others.
  • [Group/Campaign IDs] Campaign identifiers embedded in C2 traffic and samples – examples: ‘Alpha’ (v1.8), ‘Delta’ (v1.5), and other named groups.
  • [Versions] Observed loader versions – v1.1a, v1.1b, v1.2, v1.3, v1.4, v1.5, v1.7, v1.8.

Latrodectus first surfaced as an actively developed loader/downloader with clear lineage to the now-defunct IcedID family, which was disrupted after Operation Endgame. Researchers noted that the authors quickly iterated new builds—often making small adjustments or removing features—suggesting an intent to rapidly adapt around defensive countermeasures. Distribution typically starts with a JavaScript-based dropper that launches an MSI, which in turn delivers a DLL payload. Those DLLs commonly export four distinct names that nevertheless point to the same export address and execute identical core logic when invoked.

The family’s development history spans roughly a year, beginning in late September 2023 and advancing through multiple versions up to v1.8 at the time of analysis. Early releases used a pseudo-random generator (PRNG) and XOR-based string decryption, but subsequent revisions simplified the approach to a rolling XOR. Beginning with v1.4, authors adopted AES-256 in CTR mode: a hardcoded key resides in the .text section while each encrypted string is preceded by a two-byte length and a unique 16-byte IV in the .data section. Despite changes in the algorithm, the storage layout of encrypted strings has remained broadly consistent, which allowed defenders to create extraction tooling targeting all current versions.
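A decryptor for the v1.4+ string layout described above, written as an added example for this page (it is not VMRay's extractor and not code from the loader). The page gives the layout but not the byte order, so the code assumes the 2-byte length is little-endian and counts ciphertext bytes, and that a zero length ends the table; the key is a constructed 32-byte value and the input blob is built by the block's own BuildStringTable helper rather than taken from a real sample.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// One entry in the encrypted string table, in the layout described above:
//   [2-byte length][16-byte IV][ciphertext]
// Assumptions not stated on the page: the length is little-endian and counts
// ciphertext bytes, and a zero length terminates the table.
const (
	ivLen  = 16
	keyLen = 32 // AES-256 key, kept in the .text section
)

type encString struct {
	IV         []byte
	Ciphertext []byte
}

// parseStringTable splits a .data-style blob into its entries and refuses an
// entry whose declared length runs past the end of the blob.
func parseStringTable(blob []byte) ([]encString, error) {
	var out []encString
	off := 0
	for off+2 <= len(blob) {
		n := int(binary.LittleEndian.Uint16(blob[off : off+2]))
		off += 2
		if n == 0 {
			break // assumed terminator
		}
		if off+ivLen+n > len(blob) {
			return nil, fmt.Errorf("entry at offset %d declares %d bytes past end of blob", off-2, n)
		}
		out = append(out, encString{
			IV:         blob[off : off+ivLen],
			Ciphertext: blob[off+ivLen : off+ivLen+n],
		})
		off += ivLen + n
	}
	return out, nil
}

// aesCTR runs AES-CTR with the given key and IV. CTR is a stream mode, so the
// same call both encrypts and decrypts.
func aesCTR(key, iv, data []byte) ([]byte, error) {
	if len(key) != keyLen {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out, nil
}

// DecryptStrings decrypts every table entry with the hardcoded key.
func DecryptStrings(blob, key []byte) ([]string, error) {
	entries, err := parseStringTable(blob)
	if err != nil {
		return nil, err
	}
	out := make([]string, 0, len(entries))
	for _, e := range entries {
		pt, err := aesCTR(key, e.IV, e.Ciphertext)
		if err != nil {
			return nil, err
		}
		out = append(out, string(pt))
	}
	return out, nil
}

// BuildStringTable produces a blob in the same layout with a fresh random IV
// per string. It exists only to construct input for this example; a real
// extractor reads the table out of the sample's .data section.
func BuildStringTable(strs []string, key []byte) ([]byte, error) {
	var blob []byte
	for _, s := range strs {
		iv := make([]byte, ivLen)
		if _, err := rand.Read(iv); err != nil {
			return nil, err
		}
		ct, err := aesCTR(key, iv, []byte(s))
		if err != nil {
			return nil, err
		}
		blob = append(blob, byte(len(ct)), byte(len(ct)>>8)) // little-endian length
		blob = append(blob, iv...)
		blob = append(blob, ct...)
	}
	return append(blob, 0, 0), nil // zero-length terminator
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed, not a real sample key
	blob, err := BuildStringTable([]string{"runnung", "Updater", "/live/"}, key)
	if err != nil {
		panic(err)
	}
	strs, err := DecryptStrings(blob, key)
	fmt.Println(strs, err)
}
```

Because CTR only XORs a keystream, a wrong key of the right length decrypts without error and yields garbage; a quick printable-ASCII check on the output is the usual way to tell a right key from a wrong one when carving tables out of new builds.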

To avoid sandbox and analysis environments, Latrodectus implements multiple evasive checks. It queries the OS version (RtlGetVersion or GetVersionExW) and enforces a minimum number of running processes—at least 75 on Windows 10/11 or 50 on older Windows versions—terminating if thresholds aren’t met. Network adapter information is enumerated via GetAdaptersInfo to validate MAC address lengths; adapters not reporting 6-byte hardware addresses cause the loader to exit. The malware also reads the Process Environment Block (PEB) to inspect the BeingDebugged flag rather than calling IsDebuggerPresent(), and it verifies whether the process runs under WOW64, exiting if so. These combined checks make naive sandboxing and debugging less effective, though targeted environments can counteract the process-count check by simulating background processes.

At runtime the loader resolves required system libraries by traversing the PEB to find kernel32.dll and ntdll.dll base addresses, loads additional modules with LoadLibraryW, and then identifies functions using CRC32-based API hashing rather than clear-text names. The authors rely on CRC32 checksums to match exported function names, a pattern that defenders can reverse using hash lookup tools such as HashDB.
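An offline hash resolver of the kind the paragraph above describes, added here as an example (not VMRay's tooling and not the loader's own code). It assumes plain CRC-32 with the IEEE polynomial over the ASCII export name, tries the NUL-terminated variant as well since loaders differ on that detail, and works over a small constructed export list; the hashes it resolves in main() are computed from those names rather than pulled from a sample.

```go
package main

import (
	"fmt"
	"hash/crc32"
)

// apiHash is what the loader stores instead of an export name. Assumption not
// stated on the page: plain CRC-32 (IEEE polynomial, zlib-compatible) over
// the ASCII name with no trailing NUL.
func apiHash(name string) uint32 {
	return crc32.ChecksumIEEE([]byte(name))
}

// apiHashNul hashes the NUL-terminated C string instead. Implementations
// differ on this, so a resolver tries both before calling a hash unknown.
func apiHashNul(name string) uint32 {
	return crc32.ChecksumIEEE(append([]byte(name), 0))
}

// HashTable maps a hash back to "module!Export".
type HashTable map[uint32]string

// BuildHashTable precomputes both variants for every export name supplied,
// the same idea as a HashDB query but offline over a list you control.
func BuildHashTable(exports map[string][]string) HashTable {
	t := HashTable{}
	for mod, names := range exports {
		for _, n := range names {
			full := mod + "!" + n
			for _, h := range []uint32{apiHash(n), apiHashNul(n)} {
				if prev, ok := t[h]; ok && prev != full {
					t[h] = prev + "|" + full // keep collisions visible
					continue
				}
				t[h] = full
			}
		}
	}
	return t
}

// Resolve maps the hashes found in a sample to names; an unknown hash comes
// back as "?xxxxxxxx" so gaps in the export list stand out.
func (t HashTable) Resolve(hashes []uint32) []string {
	out := make([]string, len(hashes))
	for i, h := range hashes {
		if n, ok := t[h]; ok {
			out[i] = n
		} else {
			out[i] = fmt.Sprintf("?%08x", h)
		}
	}
	return out
}

// Constructed export list covering the APIs named in this write-up; a real
// resolver would walk the export directories of the DLLs on disk.
var sampleExports = map[string][]string{
	"kernel32": {"LoadLibraryW", "GetProcAddress", "GetVersionExW", "CreateMutexW",
		"IsWow64Process", "SetFileInformationByHandle"},
	"ntdll":    {"RtlGetVersion", "NtQuerySystemInformation"},
	"iphlpapi": {"GetAdaptersInfo"},
}

func main() {
	table := BuildHashTable(sampleExports)
	// Hashes as a sample would carry them (constructed here from the names).
	found := []uint32{apiHash("LoadLibraryW"), apiHashNul("RtlGetVersion"), 0xdeadbeef}
	fmt.Println(table.Resolve(found))
}
```

If none of the hashes in a new build resolve, the first thing to check is the hash function itself (polynomial, initial value, final XOR, and whether the name is upper-cased or NUL-terminated), not the export list.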

For persistence, Latrodectus first determines whether it is already running from an %APPDATA% path; if not, it copies itself to a filename containing a hardware-derived identifier. Older builds used the %APPDATA%\Custom_update\Update_XXXXXXXX.dll pattern, while newer samples use %APPDATA%\falsify_steward\confrontation_XXXXXXXX.dll. The XXXXXXXX portion is populated with a hardware ID computed from the volume serial number multiplied by a constant (0x19660D). Instead of invoking command-line schedulers or the Win32 task-scheduler APIs, the malware uses COM to create an ITaskService object and register a scheduled task in the root scheduler folder; task names observed include “Updater” and “anxiety”, and the tasks launch the DLL at user logon. To prevent multiple infections on the same host, the loader creates and checks for a mutex with the hardcoded name ‘runnung’.

Latrodectus also constructs unique identifiers that it sends to the C2 during the initial check-in. The GUID parameter carries the hardware ID derived from the volume serial number and the constant multiplier, while a separate group or campaign ID appears as a decimal &group= parameter. Analysts found that the group ID is stored encrypted inside each sample and that the client derives it by computing a 32-bit FNV-1a hash of the campaign name; the original names were recovered by brute-forcing likely English alphabetic strings, hashing each with FNV-1a and comparing the result to the observed value, with the caveat that a 32-bit hash can collide and occasionally complicate identification.

The loader’s self-cleanup routine deletes its own running executable with the alternate-data-stream trick: it opens the image with DELETE access, calls SetFileInformationByHandle with FileRenameInfo to rename the primary (:$DATA) stream to an alternate stream name, then calls it again with FileDispositionInfo to mark the file for deletion, which succeeds because the mapped image no longer lives in the stream being removed. The same technique has been used by other families and has a public proof‑of‑concept implementation. VMRay developed a detection rule (VTI) to identify this ADS self-deletion behavior and other actions that would otherwise evade static checks.

Network behavior begins with an initial POST check-in using a consistent User-Agent string: “Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)”. The POST payload contains system-collected parameters and embedded sample metadata; these fields are RC4-encrypted and base64-encoded in transit, but VMRay’s platform captures and logs the decrypted values in function-level traces. The C2 command handler supports multiple command IDs and subcommands that allow the server to instruct the loader to perform additional actions, including downloading arbitrary files into %APPDATA% and even fetching an IcedID loader sample in some cases.

VMRay responded by adding layered coverage: YARA rules that detect the family broadly and version-specific rules for more precise identification, threat identifiers to catch behaviors like ADS self-deletion, and automated malware configuration extraction to pull C2 URLs, version and mission IDs, RC4 keys, and AES keys (for v1.4–v1.8). The platform currently detects all Latrodectus versions observed up to v1.8 and reports the extracted configuration elements to customers to aid incident response and hunting.

In conclusion, Latrodectus is a fast-evolving loader that blends mature evasion techniques with iterative changes in encryption and functionality. The authors’ frequent small revisions indicate a strategy of rapid adaptation—possibly to refine features or to stay ahead of defensive measures—and defenders should expect further updates or a major version change in the future. Continued telemetry collection, YARA and behavioral rule updates, and configuration extraction will be essential to maintain detection and response capabilities against this active threat.

Read more: https://www.vmray.com/latrodectus-a-year-in-the-making/