What is Latrodectus?
Latrodectus (MITRE ATT&CK S1160) is a downloader first observed in late 2023 and widely assessed as the successor to IcedID; it is believed to come from the same developers, likely built to fill the gap left by loaders disrupted by law enforcement. It acts primarily as a loader, fetching and running second-stage payloads such as ransomware or information stealers, but it also works as a standalone backdoor that can enumerate the host and execute commands from its C2.
Latrodectus is known for aggressive sandbox evasion. It surveys the host before doing anything useful: it checks that the machine has a valid MAC address and counts running processes, requiring at least 75 on Windows 10 (a lower threshold on older Windows versions). If the environment looks like an analysis sandbox, it simply exits. Delivery is by email phishing, often a fake copyright or legal notice sent through website contact forms, leading to a malicious JavaScript file that fetches the loader.
How to Defend Against Latrodectus?
Defense means stopping the phishing delivery chain and detecting the loader's distinctive execution behavior.
- Restrict script execution. Block .js, .vbs, and .hta attachments at the mail gateway, and do not let them run from email clients or the Downloads folder; a low-cost control is to change the default handler for these extensions from wscript.exe to a text editor, backed by AppLocker or WDAC rules where available.
- Monitor rundll32.exe. Latrodectus ships as a DLL and is launched with this legitimate Windows binary, a living-off-the-land technique that blends with normal activity. Alert on rundll32.exe loading DLLs from user-writable paths (Downloads, AppData, Temp) or being spawned by a script host.
- Deploy endpoint detection. Flag the evasion checks: a freshly dropped process that enumerates all running processes or queries network adapter MAC addresses immediately after launch is a strong signal, particularly when it then exits without further activity.
- Use network detection (NDR), like Lumu Defender, to identify C2 traffic. Latrodectus check-ins are HTTPS POSTs whose bodies are RC4-encrypted and then Base64-encoded, so they travel over standard ports and cannot be recognized by content inspection alone; detection relies on destination reputation and beaconing patterns rather than payload signatures.
- Integrate threat intelligence. Use platforms like Lumu Maltiverse to proactively block domains and IPs used by TA577 and TA578, the threat actors observed distributing Latrodectus.
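The script-execution and rundll32.exe items above can be turned into hunt rules over process-creation telemetry. The following is an added example, not code from the original page or from Lumu: it runs three rules over constructed Sysmon Event ID 1 style lines (a script host launching a .js/.vbs/.hta from a user-writable path or from the user's shell or mail client, rundll32.exe loading a DLL from a user-writable path, and rundll32.exe spawned by a script host, the hand-off from the JavaScript stage to the DLL). The path list, rule names and the flat `Key=Value|Key=Value` log format are assumptions for this example; the telemetry is constructed, not real data.

```python
import re
from dataclasses import dataclass

# Paths a user (or a phishing payload running as that user) can write to.
# Assumed list for this example; tune it to the environment.
USER_WRITABLE = re.compile(
    r"\\(Downloads|AppData\\Local\\Temp|AppData\\Roaming|ProgramData|Users\\Public|INetCache)\\",
    re.IGNORECASE,
)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXT = re.compile(r"\.(?:js|jse|vbs|vbe|hta|wsf)\b", re.IGNORECASE)
# rundll32 takes "<dll path>,<export>"; capture the DLL path, quoted or not.
RUNDLL_ARG = re.compile(r'"?([^"\s,]+\.dll)"?\s*,', re.IGNORECASE)
# Parents typical of a user double-clicking an attachment (assumed set).
USER_LAUNCHERS = {"explorer.exe", "outlook.exe"}


@dataclass
class Event:
    image: str
    command_line: str
    parent_image: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> Event:
    """Parse one constructed 'Key=Value|Key=Value' line into an Event."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return Event(fields["Image"], fields["CommandLine"], fields["ParentImage"])


def classify(ev: Event) -> list[str]:
    """Return the names of the hunt rules the event matches (empty if none)."""
    hits = []
    image, parent = basename(ev.image), basename(ev.parent_image)

    # Rule 1: a script host running .js/.vbs/.hta from a user-writable path,
    # or spawned by the user's shell/mail client (attachment opened by hand).
    if image in SCRIPT_HOSTS and SCRIPT_EXT.search(ev.command_line):
        if USER_WRITABLE.search(ev.command_line) or parent in USER_LAUNCHERS:
            hits.append("script_host_from_user_path")

    if image == "rundll32.exe":
        # Rule 2: rundll32.exe loading a DLL from a user-writable directory.
        m = RUNDLL_ARG.search(ev.command_line)
        if m and USER_WRITABLE.search(m.group(1)):
            hits.append("rundll32_user_writable_dll")
        # Rule 3: rundll32.exe launched by a script host (JS stage -> DLL stage).
        if parent in SCRIPT_HOSTS:
            hits.append("rundll32_spawned_by_script_host")
    return hits


def hunt(lines):
    """Run every rule over every line; return [(image basename, [rules])] for hits only."""
    results = []
    for line in lines:
        ev = parse_event(line)
        hits = classify(ev)
        if hits:
            results.append((basename(ev.image), hits))
    return results


# Constructed sample telemetry (Sysmon Event ID 1 fields, flattened). Not real data.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\wscript.exe|CommandLine=wscript.exe C:\Users\alice\Downloads\Copyright_Notice.js|ParentImage=C:\Windows\explorer.exe",
    r"Image=C:\Windows\System32\rundll32.exe|CommandLine=rundll32.exe C:\Users\alice\AppData\Local\Temp\update.dll,Start|ParentImage=C:\Windows\System32\wscript.exe",
    r"Image=C:\Windows\System32\rundll32.exe|CommandLine=rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL|ParentImage=C:\Windows\explorer.exe",
    r'Image=C:\Windows\System32\cscript.exe|CommandLine=cscript.exe "C:\Program Files\Vendor\maint.vbs"|ParentImage=C:\Windows\System32\services.exe',
]

if __name__ == "__main__":
    for image, rules in hunt(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(rules)}")
```

On the sample, the first two lines fire (the .js opened from Downloads, then rundll32.exe loading a DLL from Temp with wscript.exe as its parent) while the two benign lines, a Control Panel applet launched through shell32.dll and a vendor maintenance script under Program Files started by a service, stay quiet. The rules are deliberately path- and parent-based rather than keyed to any file name, because the loader's DLL and script names change between campaigns.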