‘Latrodectus’ uses sandbox evasion techniques to launch malicious payloads

Malware, Threat Intelligence

A new form of malware called "Latrodectus" was likely developed by the makers of the banking trojan IcedID and was observed incorporating sandbox evasion techniques to launch impersonation campaigns that lead victims to download malicious payloads.

Proofpoint researchers said in an April 4 blog post that they anticipated Latrodectus would become increasingly used by threat actors, especially by those who previously delivered IcedID.

“Latrodectus’ attempts to incorporate sandbox evasion functionality aligns with the trend overall in the cybercrime threat landscape that malware authors are increasingly trying to bypass defenders and ensure only potential victims receive the payload,” wrote the researchers. “Proofpoint has observed similar attempts from other notable malware used by IABs, including Pikabot and WikiLoader.”

While Proofpoint observed attacks launched by TA577 late last year, the researchers said Latrodectus has been almost exclusively distributed by TA578 since mid-January.

Proofpoint said this actor typically uses contact forms to initiate a conversation with a target. On Feb. 20, Proofpoint researchers observed TA578 impersonating various companies to send legal threats about alleged copyright infringement. If a link on the impersonated site was visited, the victim was redirected to a landing page personalized to display both the victim’s domain and the name of the impersonated company reporting the copyright infringement. The URL then downloads a malicious JavaScript file from a Google Firebase URL.