TA577 has used a variety of malware loaders and Trojans over the years, including Qbot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike; TA578 has also used Ursnif, IcedID, KPOT Stealer, Buer Loader, BazaLoader, and Cobalt Strike. Since both groups had a strong connection with IcedID, it’s not surprising that Proofpoint found links between Latrodectus command-and-control infrastructure and that associated with IcedID in the past.
In May, law enforcement agencies from several European countries, along with those in the US and the UK, seized thousands of domains and around a hundred servers used in the command infrastructure of IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee, and Trickbot, dealing a serious blow to those botnets. Dubbed Operation Endgame, the seizure was part of a larger law enforcement effort that has continued throughout the year.
Latrodectus: A new rising star
Since then, several security firms have reported an increase in Latrodectus activity, including Bitsight in June, Trustwave earlier this month, and now Forcepoint. Trustwave called it a rising star in the malware world and noted that Operation Endgame likely gave it a boost.