‘Latrodectus’ uses sandbox evasion techniques to launch malicious payloads
New Malware ‘Latrodectus’ Linked to IcedID Group Utilizes Sandbox Evasion Tactics for Malicious Payload Deployment
In a recent blog post dated April 4, researchers from Proofpoint revealed the emergence of a new form of malware dubbed ‘Latrodectus,’ likely originating from the creators of the banking trojan IcedID. This malware employs sophisticated sandbox evasion techniques to initiate impersonation campaigns, leading unsuspecting victims to download malicious payloads.
According to Proofpoint, the incorporation of sandbox evasion functionality by Latrodectus mirrors a broader trend in the cybercrime landscape, where malware authors strive to evade detection and ensure that only potential victims receive the payload. Similar attempts have been observed with other notorious malware like Pikabot and WikiLoader, all aimed at bypassing defenders.
While attacks associated with TA577 were witnessed late last year, Latrodectus has predominantly been distributed by TA578 since mid-January, as noted by Proofpoint researchers. TA578 typically initiates conversations with targets via contact forms, with impersonation tactics deployed to send legal threats regarding alleged copyright infringement.
Upon clicking a link on the impersonated site, victims are redirected to a personalized landing page, displaying both the victim’s domain and the name of the impersonated company reporting the infringement. Subsequently, a malicious JavaScript file is downloaded from a Google Firebase URL.
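The delivery chain above ends with a JavaScript file fetched from a Google Firebase URL. As an added example (not from the article or from Proofpoint's research), the following Python snippet shows a simple hunting heuristic a defender could run over web proxy logs: flag script downloads whose host is Firebase-hosted. The log format, the sample lines and the list of Firebase host suffixes are constructed assumptions for this example; the article only says "a Google Firebase URL".

```python
"""Added example: flag JavaScript downloads from Firebase-hosted URLs in
constructed proxy log lines. Not code from the article or from Proofpoint."""
import re
from urllib.parse import urlparse, unquote

# Constructed sample proxy log, one request per line:
# "<timestamp> <client_ip> <method> <url> <status>"
SAMPLE_LOG = """\
2024-04-05T10:01:02Z 10.0.0.5 GET https://www.example-news.test/index.html 200
2024-04-05T10:02:15Z 10.0.0.5 GET https://firebasestorage.googleapis.com/v0/b/demo-bucket.appspot.com/o/docs%2Finvoice.js?alt=media 200
2024-04-05T10:02:16Z 10.0.0.7 GET https://firebasestorage.googleapis.com/v0/b/demo-bucket.appspot.com/o/logo.png?alt=media 200
2024-04-05T10:03:40Z 10.0.0.9 GET https://cdn.example.test/app.js 200
"""

# Host suffixes treated as Firebase-hosted content. This list is an assumption
# made for the example, not something the article specifies.
FIREBASE_HOST_SUFFIXES = (
    "firebasestorage.googleapis.com",
    ".web.app",
    ".firebaseapp.com",
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$"
)


def is_firebase_host(host):
    """True if the hostname is, or is under, one of the Firebase suffixes."""
    host = host.lower()
    return any(host == s or host.endswith(s) for s in FIREBASE_HOST_SUFFIXES)


def is_script_download(url):
    """True if the (URL-decoded) path ends in .js; Firebase storage paths
    often carry %2F-encoded slashes, so decode before checking."""
    path = unquote(urlparse(url).path).lower()
    return path.endswith(".js")


def find_suspicious_downloads(log_text):
    """Return one dict per log line that is a .js fetch from a Firebase host."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        url = m.group("url")
        host = urlparse(url).hostname or ""
        if is_firebase_host(host) and is_script_download(url):
            hits.append({"ts": m.group("ts"), "client": m.group("client"), "url": url})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_downloads(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} fetched script from Firebase: {hit['url']}")
```

Firebase hosting is used legitimately, so a hit is a lead to correlate with the rest of the chain the article describes (a contact-form exchange followed by a click on a link in a legal-threat message), not a verdict on its own.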
Ken Dunham, Cyber Threat Director at the Qualys Threat Research Unit, suggested that Latrodectus emerged in response to the crackdown on Qbot infrastructure in late 2023. He likened battling eCrime to moving a couch infested with roaches, where perpetrators simply relocate to continue operations. Dunham highlighted Latrodectus’s potent components, capable of defeating sandboxes and utilizing RC4 encrypted command-and-control communications.
Adam Neel, Threat Detection Engineer at Critical Start, emphasized the similarities between Latrodectus and IcedID, including communication methods and shared commands. Neel pointed out Latrodectus’s utilization of sandbox evasion tactics previously unseen in IcedID loaders. These techniques involve environment checks to confirm non-sandbox environments, potentially slowing down researchers and defenders.
While Latrodectus shares similarities with IcedID, Neel cautioned that it continues to evolve and may differentiate itself further in the future. Researchers remain vigilant, anticipating further developments in Latrodectus’s capabilities and its divergence from IcedID.