win.latrodectus

Latrodectus

aka: BLACKWIDOW, IceNova, Latrodectus, Lotus

First discovered in October 2023, BLACKWIDOW is a backdoor written in C that communicates over HTTP using RC4-encrypted requests. The malware can execute discovery commands, query information about the victim's machine, update itself, and download and execute an EXE, DLL, or shellcode. It is believed to have been developed by LUNAR SPIDER, the creators of the IcedID (aka BokBot) malware.

References (date | source | author | title | families)

2024-08-30 | Netskope | Leandro Froes | Latrodectus Rapid Evolution Continues With Latest New Payload Features | Latrodectus
2024-08-29 | Netskope | Leandro Froes | Latrodectus Rapid Evolution Continues With Latest New Payload Features | Latrodectus
2024-08-29 | Hunt.io | Hunt.io | Latrodectus Malware Masquerades as AhnLab Security Software to Infect Victims | Latrodectus
2024-08-26 | Netskope | Leandro Froes | Static Unpacker for Latrodectus | Latrodectus
2024-08-08 | cyble | Cyble Research Labs | Double Trouble: Latrodectus and ACR Stealer observed spreading via Google Authenticator Phishing Site | ACR Stealer, Latrodectus
2024-08-01 | Krakz | Pierre Le Bourhis | Latrodectus dropped by BR4 | Brute Ratel C4, Latrodectus
2024-07-24 | Rapid7 | Rapid7 | Malware Campaign Lures Users With Fake W2 Form | Latrodectus
2024-06-24 | RevEng.AI | RevEng.AI | Latrodectus Affiliate Resumes Operations Using Brute Ratel C4 Post Operation Endgame | Brute Ratel C4, Latrodectus
2024-06-17 | BitSight | João Batista | Latrodectus are you coming back | Latrodectus
2024-06-13 | Medium (@zyadlzyatsoc) | Zyad Elzyat | Inside LATRODECTUS: A Dive into Malware Tactics and Mitigation | Latrodectus
2024-05-21 | Twitter (@embee_research) | Embee_research | Tweets on decoding a Latrodectus loader | Latrodectus
2024-05-16 | Elastic | Daniel Stepanic, Samir Bousseaden | Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID | IcedID, Latrodectus
2024-05-16 | ANY.RUN | ANY.RUN | Malware trend: Latrodectus | Latrodectus
2024-05-09 | 0x0d4y | 0x0d4y | [Case Study: Latrodectus] Analyzing and Implementing String Decryption Algorithms | Latrodectus
2024-05-05 | Github (VenzoV) | VenzoV | Latrodectus "littlehw" | Latrodectus
2024-04-30 | 0x0d4y | 0x0d4y | Latrodectus [IceNova] – Technical Analysis of the… New IcedID… Its Continuation… Or its Replacement? | Latrodectus
2024-04-24 | Securonix | Den Iyzvyk, Oleg Kolesnikov, Tim Peck | Analysis of Ongoing FROZEN#SHADOW Attack Campaign Leveraging SSLoad Malware and RMM Software for Domain Takeover | Cobalt Strike, Latrodectus
2024-04-04 | Proofpoint | Proofpoint Threat Research Team, Team Cymru, TEAM CYMRU S2 THREAT RESEARCH | Latrodectus: This Spider Bytes Like Ice | IcedID, Latrodectus
2024-04-01 | Twitter (@embee_research) | Embee_research | Passive DNS For Phishing Link Analysis - Identifying 36 Latrodectus Domains With Historical Records and 302 Redirects | Latrodectus
2024-03-25 | embeeresearch | Embee_research | Latrodectus Deobfuscation - Removal of Junk Comments and Self-Referencing Code | Latrodectus
2024-03-07 | Malware Traffic Analysis | Brad Duncan | 2024-03-07 (THURSDAY): LATRODECTUS INFECTION LEADS TO LUMMA STEALER | Latrodectus, Lumma Stealer
2023-12-23 | IBM | IBM | IceNova Malware Profile | Latrodectus
2023-12-08 | Twitter (@Myrtus0x0) | Myrtus 0x0 | Tweet naming the family | Latrodectus
2023-12-07 | eSentire | eSentire | DanaBot's Latest Move: Deploying Latrodectus | DanaBot, HijackLoader, Latrodectus
2023-10-20 | Medium walmartglobaltech | Jason Reaves, Joshua Platt | IcedID gets Loaded | Latrodectus
Yara Rules
[TLP:WHITE] win_latrodectus_auto (20230808 | Detects win.latrodectus.)
rule win_latrodectus_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.latrodectus."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.latrodectus"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 488b4c2428 0fbe09 3bc1 7512 }
            // n = 4, score = 300
            //   488b4c2428           | mov                 dword ptr [esp + 0x138], 0x16505e0
            //   0fbe09               | dec                 eax
            //   3bc1                 | lea                 eax, [0x75f6]
            //   7512                 | dec                 eax

        $sequence_1 = { c744242002000000 e9???????? 837c243406 7511 837c243801 750a }
            // n = 6, score = 300
            //   c744242002000000     | mov                 eax, dword ptr [esp + 0x40]
            //   e9????????           |                     
            //   837c243406           | add                 eax, edx
            //   7511                 | and                 eax, 0xff
            //   837c243801           | sub                 eax, edx
            //   750a                 | dec                 eax

        $sequence_2 = { 8b00 488b4c2430 488b09 0fbe0401 48634c2404 488b542428 0fbe0c0a }
            // n = 7, score = 300
            //   8b00                 | dec                 eax
            //   488b4c2430           | mov                 dword ptr [esp + 0x60], eax
            //   488b09               | imul                eax, eax, 0x3e8
            //   0fbe0401             | mov                 dword ptr [esp + 0xdc], eax
            //   48634c2404           | je                  0x1992
            //   488b542428           | xor                 edx, edx
            //   0fbe0c0a             | imul                eax, eax, 0x3e8

        $sequence_3 = { eb43 41b901000000 448b442424 488b542428 488b4c2448 e8???????? }
            // n = 6, score = 300
            //   eb43                 | dec                 eax
            //   41b901000000         | lea                 edx, [0xa84d]
            //   448b442424           | dec                 eax
            //   488b542428           | cmp                 dword ptr [esp + 0x48], 0
            //   488b4c2448           | je                  0x651
            //   e8????????           |                     

        $sequence_4 = { eb1f c744242000000000 4533c9 4533c0 }
            // n = 4, score = 300
            //   eb1f                 | dec                 eax
            //   c744242000000000     | lea                 eax, [esp + 0x150]
            //   4533c9               | dec                 eax
            //   4533c0               | mov                 dword ptr [esp + 0x120], eax

        $sequence_5 = { 488b4c2448 ff15???????? 89442444 837c244400 7502 eb11 }
            // n = 6, score = 300
            //   488b4c2448           | dec                 eax
            //   ff15????????         |                     
            //   89442444             | mov                 dword ptr [esp + 8], ecx
            //   837c244400           | dec                 eax
            //   7502                 | sub                 esp, 0x1c8
            //   eb11                 | cmp                 dword ptr [esp + 0x1d8], 0x12

        $sequence_6 = { 488d8c0c60020000 ba02000000 486bd200 4803ca 448bc0 488b542420 e8???????? }
            // n = 7, score = 300
            //   488d8c0c60020000     | lea                 ecx, [0xa4d8]
            //   ba02000000           | dec                 eax
            //   486bd200             | test                eax, eax
            //   4803ca               | je                  0x1519
            //   448bc0               | dec                 eax
            //   488b542420           | lea                 eax, [esp + 0x80]
            //   e8????????           |                     

        $sequence_7 = { 66c1ca08 0fb7d2 4c8b8424a0000000 450fb74006 6641c1c808 450fb7c0 4c8b8c24a0000000 }
            // n = 7, score = 300
            //   66c1ca08             | dec                 eax
            //   0fb7d2               | mov                 dword ptr [esp + 0x110], eax
            //   4c8b8424a0000000     | dec                 eax
            //   450fb74006           | mov                 eax, dword ptr [esp + 0x108]
            //   6641c1c808           | dec                 eax
            //   450fb7c0             | mov                 dword ptr [esp + 0x60], eax
            //   4c8b8c24a0000000     | mov                 dword ptr [esp + 0x58], 2

        $sequence_8 = { e8???????? b910000000 e8???????? 4889442448 488b442448 488b4c2450 488908 }
            // n = 7, score = 300
            //   e8????????           |                     
            //   b910000000           | add                 ecx, edx
            //   e8????????           |                     
            //   4889442448           | mov                 ecx, 0x96
            //   488b442448           | div                 ecx
            //   488b4c2450           | mov                 eax, edx
            //   488908               | add                 eax, 0x1c2

        $sequence_9 = { 4889542410 48894c2408 4883ec78 c744243000000000 c744243400000000 488b942488000000 488d4c2448 }
            // n = 7, score = 300
            //   4889542410           | dec                 eax
            //   48894c2408           | mov                 dword ptr [esp + 0x298], eax
            //   4883ec78             | mov                 dword ptr [esp + 0x2a0], 0xcce95612
            //   c744243000000000     | dec                 eax
            //   c744243400000000     | lea                 eax, [0x6f67]
            //   488b942488000000     | dec                 eax
            //   488d4c2448           | mov                 dword ptr [esp + 0x2a8], eax

    condition:
        7 of them and filesize < 148480
}