Actu
Latrodectus malware resurfaces following Operation Endgame
October 2024 by Swachchhanda Shrawan Poudel, Security Research Analyst at Logpoint
"Latrodectus disappeared back in May when Europol dismantled over 100 servers under Operation Endgame and it was assumed to be a casuality but it’s now back with a vengeance. It seems the operation may have impacted the infrastructure the malware loader relied upon but it is now being distributed through reply-chain phishing emails which involves threat actors leveraging stolen email accounts to hijack an email thread and send malicious files.
During our analysis, we discovered that many samples available on MalwareBazaar were masquerading as legitimate third-party DLLs, suggesting that they may also be distributed through malvertising and SEO poisoning. Latrodectus uses Living off the Land (LotL) techniques, so it can evade detection and acts as a backdoor, facilitating remote code execution (RCE). It can also serve as a loader for other malware such as IcedID, Lumma Stealers, and Danabot.
The re-emergence of Latrodectus indicates that organisations need to remain vigilant to malware strains that appear to be obsolete. A great deal of time and effort goes into developing these malware strains and they are an essential component for IABs when offering campaign toolkits. It therefore pays to resurrect them, making it imperative these remain on the radar of threat hunters."
