Malicious Latrodectus Downloader Picks Up Where QBot Left Off

At first, analysts thought the downloader was a variant of well-known malware IcedID — but it turns out Latrodectus is something new altogether.

The malware is being used by initial access brokers (IABs) in email threat campaigns, and researchers behind the discovery at Proofpoint and Team Cymru S2 Threat Research Team predict Latrodectus will continue gaining momentum among threat actors. That's due in large part to its ability to evade sandbox detection, the researchers said.

"After initialization the malware will check its environment to confirm that it is not running in a sandbox by confirming the amount of running processes on the device, then checking to make sure it is running on a 64-bit host, and lastly the malware looks to see if the host has a valid MAC address," according to a statement from Adam Neel, threat detection engineer at Critical Start. "These sandbox evasion techniques can slow down researchers and defenders from analyzing samples of Latrodectus."

First discovered in late 2023, there's been a distinct uptick in threat activity using the new loader throughout February and March, the report warned.

Although it's not a variant of IcedID, the researchers found Latrodectus — named after a string of code found during analysis — does have similar characteristics, leading the team to conclude both were created by the same developers.

The first group using Latrodectus in November 2023 was TA577, and it has been relying on it almost exclusively since mid-January 2024, the report said. Prior to picking up Latrodectus, the adversary group was using IcedID, it added.

In February, researchers discovered another group, TA578, was distributing Latrodectus in a campaign that sent threats of legal action for copyright infringement as phishing lures.

Is Latrodectus Downloader the New QBot?

The new Latrodectus downloader is positioned to fill the void left by the takedown of QBot malware (also known as Qakbot) in the summer of 2023, according to a statement by Ken Dunham, cyber threat director at Qualys Threat Research Unit.

"TA577 and other actors are affiliated with Qbot and now, a new malware campaign, Latrodectus," Dunham explained. "It appears likely that actors behind QBot felt the heat from takedowns last year, migrating to this new code base and infrastructure in the fall of 2023."

Awareness of Latrodectus actively being used in email campaigns, along with vigilance, will help enterprises defend against the upgraded downloader, experts advise. The new Latrodectus report provides tactics, techniques, and procedures to help.

"It is possible that this is not the last form of Latrodectus and it could continue to grow and differentiate itself from IcedID more in the future," Neel added. "Latrodectus is currently being distributed via email campaigns, so the need for phishing awareness continues to be incredibly important."