S1160 Latrodectus

Latrodectus is a Windows malware downloader that has been used since at least 2023 to download and execute additional payloads and modules. Latrodectus has most often been distributed through email campaigns, primarily by TA577 and TA578, and has infrastructure overlaps with historic IcedID operations.³¹²

Item	Value
ID	S1160
Associated Names	IceNova, Unidentified 111
Type	MALWARE
Version	1.0
Created	16 September 2024
Last Modified	30 September 2024
Navigation Layer	View In ATT&CK® Navigator

Associated Software Descriptions

Name	Description
IceNova	¹
Unidentified 111	¹

Techniques Used

Domain	ID	Name	Use
enterprise	T1087	Account Discovery	-
enterprise	T1087.002	Domain Account	Latrodectus can run `C:\Windows\System32\cmd.exe /c net group "Domain Admins" /domain` to identify domain administrator accounts.⁵
enterprise	T1071	Application Layer Protocol	-
enterprise	T1071.001	Web Protocols	Latrodectus can send registration information to C2 via HTTP `POST`.³⁵²
enterprise	T1547	Boot or Logon Autostart Execution	-
enterprise	T1547.001	Registry Run Keys / Startup Folder
Latrodectus can set an AutoRun key to establish persistence.³
enterprise	T1059	Command and Scripting Interpreter	-
enterprise	T1059.003	Windows Command Shell	The Latrodectus command handler can use `cmdexe` to run multiple discovery commands.⁵²
enterprise	T1059.007	JavaScript	Latrodectus has used JavaScript files as part its infection chain during malicious spam
email campaigns.⁵²⁴

enterprise	T1132	Data Encoding	-
enterprise	T1132.001	Standard Encoding	Latrodectus has Base64-encoded the message body of a HTTP request sent to C2.³⁵
enterprise	T1005	Data from Local System	Latrodectus can collect data from a compromised host using a stealer module.²
enterprise	T1622	Debugger Evasion
Latrodectus has the ability to check for the presence of debuggers.³
enterprise	T1140	Deobfuscate/Decode Files or Information	Latrodectus has the ability to deobfuscate encrypted strings.³⁵²
enterprise	T1482	Domain Trust Discovery	Latrodectus can run `C:\Windows\System32\cmd.exe /c nltest /domain_trusts` to discover domain trusts.⁵²
enterprise	T1573	Encrypted Channel	-
enterprise	T1573.001	Symmetric Cryptography	Latrodectus can send RC4 encrypted data over C2 channels.³⁵²
enterprise	T1041	Exfiltration Over C2 Channel
Latrodectus can exfiltrate encrypted system information to the C2 server.³²
enterprise	T1083	File and Directory Discovery	Latrodectus can collect desktop filenames.³²⁵
enterprise	T1564	Hide Artifacts	-
enterprise	T1564.004	NTFS File Attributes	Latrodectus can delete itself while its process is still running through the use of an alternate data stream.⁵
enterprise	T1070	Indicator Removal	-
enterprise	T1070.004	File Deletion	Latrodectus has the ability to delete itself.⁵²

enterprise	T1105	Ingress Tool Transfer	Latrodectus can download and execute PEs, DLLs, and shellcode from C2.³⁵²
enterprise	T1559	Inter-Process Communication	-
enterprise	T1559.001	Component Object Model	Latrodectus can use the Windows Component Object Model (COM) to set scheduled tasks.⁵²
enterprise	T1036	Masquerading	-
enterprise	T1036.005	Match Legitimate Resource Name or Location	Latrodectus has been packed to appear as a component to Bitdefender’s kernel-mode driver, TRUFOS.SYS.⁵
enterprise	T1104	Multi-Stage Channels
Latrodectus has used a two-tiered C2 configuration with tier one nodes connecting to the victim and tier two nodes connecting to backend infrastructure.³
enterprise	T1106	Native API	Latrodectus has used multiple Windows API post exploitation including `GetAdaptersInfo`, `CreateToolhelp32Snapshot`, and `CreateProcessW`.⁵²
enterprise	T1135	Network Share Discovery
Latrodectus can run `C:\Windows\System32\cmd.exe /c net view /all` to discover network shares.⁵²
enterprise	T1027	Obfuscated Files or Information	-
enterprise	T1027.001	Binary Padding	Latrodectus has been obfuscated with a 129 byte sequence of junk data prepended to the file.⁵
enterprise	T1027.002	Software Packing	The Latrodectus payload has been packed for obfuscation.⁵
enterprise	T1027.007	Dynamic API Resolution
Latrodectus can resolve Windows APIs dynamically by hash.³
enterprise	T1027.013	Encrypted/Encoded File	Latrodectus has used a pseudo random number generator (PRNG) algorithm and a rolling XOR key to obfuscate strings.³⁵²
enterprise	T1069	Permission Groups Discovery	-
enterprise	T1069.002	Domain Groups	Latrodectus can identify domain groups through `cmd.exe /c net group "Domain Admins" /domain`.²⁵
enterprise	T1566	Phishing	-
enterprise	T1566.001	Spearphishing Attachment	Latrodectus has been distributed through reply-chain phishing emails with malicious attachments.¹
enterprise	T1566.002	Spearphishing Link	Latrodectus has been distributed to victims through emails containing malicious links.³¹
enterprise	T1057	Process Discovery
Latrodectus can enumerate running processes including process grandchildren on targeted hosts.³⁵²
enterprise	T1021	Remote Services	-
enterprise	T1021.005	VNC
Latrodectus has routed C2 traffic using Keyhole VNC.⁴
enterprise	T1053	Scheduled Task/Job	-
enterprise	T1053.005	Scheduled Task
Latrodectus can create scheduled tasks for persistence.³⁵²
enterprise	T1518	Software Discovery	-
enterprise	T1518.001	Security Software Discovery	Latrodectus has the ability to identify installed antivirus products.⁵²

enterprise	T1218	System Binary Proxy Execution	-
enterprise	T1218.007	Msiexec	Latrodectus has called `msiexec` to install remotely-hosted MSI files.³¹
enterprise	T1218.011	Rundll32	Latrodectus can use rundll32.exe to execute downloaded DLLs.⁵¹
enterprise	T1082	System Information Discovery
Latrodectus can gather operating system information.³⁵⁵²
enterprise	T1016	System Network Configuration Discovery	Latrodectus can discover the IP and MAC address of a targeted host.⁵²
enterprise	T1033	System Owner/User Discovery	Latrodectus can discover the username of an infected host.⁵
enterprise	T1529	System Shutdown/Reboot
Latrodectus has the ability to restart compromised hosts.⁵
enterprise	T1204	User Execution	-
enterprise	T1204.001	Malicious Link	Latrodectus has been executed through malicious links distributed in email campaigns.³¹
enterprise	T1204.002	Malicious File	Latrodectus has lured users into opening malicious email attachments for execution.¹
enterprise	T1497	Virtualization/Sandbox Evasion	-
enterprise	T1497.001	System Checks	Latrodectus can determine if it is running in a virtualized environment by checking the OS version, checking the number of running processes, ensuring a 64-bit application is running on a 64-bit host, and checking if the host has a valid MAC address.³⁵²
enterprise	T1102	Web Service	Latrodectus has used Google Firebase to download malicious installation scripts.⁴
enterprise	T1047	Windows Management Instrumentation	Latrodectus has used WMI in malicious email infection chains to facilitate the installation of remotely-hosted files.⁵²

Groups That Use This Software

ID	Name	References
G1037	TA577	³
G1038	TA578	³²

References

Abrams, L. (2024, April 30). New Latrodectus malware attacks use Microsoft, Cloudflare themes. Retrieved September 13, 2024. ↩↩↩↩↩↩↩↩↩
Batista, J. (2024, June 17). Latrodectus, are you coming back?. Retrieved September 13, 2024. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice . Retrieved May 31, 2024. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
Unit 42. (2024, June 25). 2024-06-25-IOCs-from-Latrodectus-activity. Retrieved September 13, 2024. ↩↩↩
Stepanic, D. and Bousseaden, S. (2024, May 15). Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID. Retrieved September 13, 2024. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩