Keypoints
- Latrodectus is a newly identified downloader observed since November 2023 that fetches and executes payloads and supports remote commands.
- Initial distribution vectors include malspam with links/attachments (zipped JS/ISO/LNK), thread hijacking, and website contact-form lures that redirect to hosted JavaScript or MSI payloads.
- Samples implement sandbox/virtualization checks (process counts, MAC address, 64-bit checks), debugger detection, dynamic API resolution by hash, and a persistent mutex (“runnung”).
- Persistence is achieved via AutoRun registry keys and scheduled tasks; the loader ensures execution from a designated %AppData% path derived from a generated bot ID.
- C2 protocol uses HTTP POST with RC4 encryption (key “12345”) and base64 encoding; the bot registers, posts system info, and supports commands to download/execute DLLs, EXEs, MSI, and optionally IcedID (“bp.dat”).
- Team Cymru’s infrastructure analysis found Tier-1 C2s and an upstream Tier-2, with hosting choices and jumpboxes overlapping historic IcedID infrastructure, indicating shared operator activity.
- Proofpoint used FNV-1a hashing on campaign ID strings to correlate campaign identifiers across IcedID/Latrodectus activity, aiding attribution to specific actor themes.
MITRE Techniques
- [T1566.002] Phishing: Spearphishing Link – used URLs in emails that redirected users to JavaScript or download landing pages (‘…The URLs led to the download of a JavaScript file.’).
- [T1566.001] Phishing: Spearphishing Attachment – distributed zipped JavaScript and ISO attachments that contained LNKs or JS used to launch Latrodectus (‘…zipped JavaScript files or zipped ISO files.’).
- [T1566.003] Phishing: Spearphishing via Service – actor-initiated contact-form submissions impersonated companies to deliver personalized landing pages and payload links (‘…the actor filled out a contact form on multiple targets’ websites…’).
- [T1204.002] User Execution: Malicious File – LNK files embedded in ISO archives were used to execute the embedded Latrodectus DLL (‘…LNK file used to execute the embedded DLL, Latrodectus.’).
- [T1105] Ingress Tool Transfer – payload delivery via WebDAV, Google Firebase and direct download URLs (MSI/DLL/JS) to transfer malicious binaries (‘…it called MSIEXEC to run an MSI from a WebDAV share.’).
- [T1059.003] Command and Scripting Interpreter (Windows cmd) – JavaScript dropped and executed BAT files that used curl to fetch and run DLLs (‘…the JavaScript created and ran several BAT files that leveraged curl to execute a DLL…’).
- [T1497] Virtualization/Sandbox Evasion – environment checks for process counts, 64-bit host, and valid MAC address to detect sandboxes (‘…If Windows 10 or newer, have at least 75 running processes…Ensure the host has a valid MAC address’).
- [T1027] Obfuscated Files or Information – string encryption and custom PRNG/rolling XOR routines and RC4 obfuscation of C2 traffic (‘…RC4 encrypted with the key “12345”. This key has been consistent across all samples analyzed to date.’).
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys – sets an AutoRun registry key to persist across reboots (‘…attempt to install itself, set an AutoRun key…’).
- [T1053.005] Scheduled Task/Job – creates scheduled tasks for persistence (‘…and create a scheduled task for persistence.’).
- [T1071.001] Application Layer Protocol: Web Protocols – C2 communications use HTTP POST with base64-encoded RC4 payloads for registration and command retrieval (‘…sends the registration information in a POST request…RC4 encrypted…base64 encoded and sent to the C2 in the HTTP body.’).
- [T1041] Exfiltration Over C2 Channel – posts encrypted system information to the C2 and later requests additional modules (‘…will then post encrypted system information to the command and control server (C2) and request the download of the bot.’).
Indicators of Compromise
- [File Hash – DLL/JS/MSI/EXE] observed payload hashes – e99f3517a36a9f7a55335699cfb4d84d08b042d47146119156f7f3bab580b4d7, bb525dc6b7a7ebefd040e01fd48d7d4e178f8d9e5dec9033078ced4e9aa4e241, and dozens more hashes.
- [C2 domains] Latrodectus command/update domains – hxxps://popfealt[.]one/live/, hxxps://aytobusesre[.]com/live/, hxxps://miistoria[.]com/live/, and many other .live/.one/.top domains listed as C2 or update URLs.
- [Payload URLs] direct download/WebDAV URLs used in campaigns – hxxp://162[.]55[.]217[.]30/gRMS/0[.]6395541546258323[.]dat, hxxp://178[.]23[.]190[.]199:80/share/gsm[.]msi, hxxp://95[.]164[.]3[.]171/share/cisa[.]msi.
- [IP addresses] infrastructure and third-party C2s – 77[.]91[.]73[.]187:443 (DanaBot C2 observed in chain), 74[.]119[.]193[.]200:443 (DanaBot C2), plus raw IPs hosting WebDAV MSIs (e.g., 5[.]252[.]21[.]207).
- [Filenames] notable file names used by malware or configuration – bp.dat (IcedID bot file referenced for cmd_run_icedid), update_data.dat (local update config read by Latrodectus).
- [Mutex] runtime indicator – mutex name “runnung” used by samples to detect existing infections and avoid duplicate installs.
Latrodectus technical procedure (concise rewrite):
Distribution: campaigns used multiple email-based vectors — thread-hijacked messages, emails with URLs, zipped JavaScript files, and ISO attachments containing LNKs — plus website contact-form submissions that redirected targets to hosted JavaScript or MSI payloads (Google Firebase, WebDAV, and direct-host URLs). Executable chains observed included JavaScript creating and launching BAT scripts that used curl to retrieve and run DLLs, LNK files executing embedded DLLs (exports like “scab”/“nail”/“fin”), and MSI installers invoked via MSIEXEC from WebDAV shares.
Initialization and persistence: upon execution the loader resolves Windows API functions dynamically, performs sandbox/virtualization checks (process counts, 64-bit host, valid MAC), detects debuggers, checks for a “runnung” mutex, and computes campaign and bot IDs (FNV-1a hashing and host serial-based bot ID generation). It ensures execution from a designated %AppData% path—copying and restarting if necessary—and persists by setting an AutoRun registry key and creating a scheduled task.
Communications and payloads: Latrodectus registers with C2 via HTTP POST where the parameter string is RC4-encrypted with the constant key “12345” and base64-encoded; the C2 responds with similarly encrypted command lists. The loader supports an initial command handler (CLEARURL, URLS, COMMAND, ERROR) and a second-layer handler to download binaries from C2 (e.g., sysinfo.bin under /files/) and execute commands including fetching/executing DLL exports, running EXEs/MSIs, enumerating processes/files, and an option to download bp.dat (IcedID bot) though Proofpoint has not observed automated IcedID deployment yet. Infrastructure analysis shows short-lived, frequently changed C2s with upstream Tier‑2 proxies and overlaps with historic IcedID hosting and operator jumpboxes.
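As an added analyst helper (not code from the Proofpoint report or from the malware), the block below shows the two primitives the communications and correlation sections rest on: recovering the plaintext of a captured C2 POST body (base64-decode, then RC4 with the constant key “12345”) and FNV-1a hashing of a campaign ID string as used for cross-campaign correlation. The 32-bit FNV width, the sample field names and the sample body are assumptions and constructed values, not real captures.

```python
import base64

# Latrodectus C2 bodies are RC4-encrypted with the constant key "12345" and
# then base64-encoded (per the report). RC4 is symmetric, so one routine both
# builds the constructed sample and decodes captured traffic.
LATRODECTUS_RC4_KEY = b"12345"


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA), used here to decode captured bodies."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_c2_body(body_b64: str, key: bytes = LATRODECTUS_RC4_KEY) -> str:
    """Recover the plaintext parameter string from a captured POST body."""
    return rc4(key, base64.b64decode(body_b64)).decode("utf-8", "replace")


def encode_c2_body(plaintext: str, key: bytes = LATRODECTUS_RC4_KEY) -> str:
    """Inverse of decode_c2_body; only used to build the sample below."""
    return base64.b64encode(rc4(key, plaintext.encode())).decode()


def fnv1a_32(text: str) -> int:
    """32-bit FNV-1a over a campaign ID string. The report names FNV-1a
    but not the width, so 32-bit is an assumption."""
    h = 0x811C9DC5
    for b in text.encode():
        h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
    return h


# Constructed sample, not a real capture; the field names are made up.
SAMPLE_PLAINTEXT = "botid=PLACEHOLDER-BOT-ID&os=10&arch=64"
SAMPLE_BODY = encode_c2_body(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print(decode_c2_body(SAMPLE_BODY), hex(fnv1a_32("PLACEHOLDER-CAMPAIGN")))
```

Feeding a real captured body into decode_c2_body recovers the registration or command text the report describes; hashing the campaign string with fnv1a_32 gives a value that can be compared against identifiers seen in other IcedID/Latrodectus campaigns.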
Read more: https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice