
New Latrodectus loader steps in for Qbot
2024-04-09 10:47

New loader malware called Latrodectus is being leveraged by initial access brokers, and it looks like it might have been written by the same developers who created the IcedID loader.

"TA577 used Latrodectus in at least three campaigns in November 2023 before reverting to Pikabot," Proofpoint and Team Cymru researchers noted.

Since the beginning of this year, Latrodectus has been used almost exclusively by another IAB identified as TA578.

Links to IcedID

"Researching the techniques of string hashing of campaign IDs observed in Latrodectus helped researchers identify new patterns in previous IcedID campaigns," Proofpoint says.

Several things point to IcedID creators being involved in the operation of Latrodectus, including the use of backend infrastructure associated with IcedID and the use of the same specific jumpboxes.

As they researched the string hashing techniques used to obfuscate campaign IDs, the researchers also used them to brute-force previously observed IcedID campaign IDs.


News URL

https://www.helpnetsecurity.com/2024/04/09/latrodectus-initial-access/