Two malware households that suffered setbacks within the aftermath of a coordinated legislation enforcement operation known as Endgame have resurfaced as a part of new phishing campaigns.
Bumblebee and Latrodectus, that are each malware loaders, are designed to steal private knowledge, together with downloading and executing extra payloads onto compromised hosts.
Tracked below the names BlackWidow, IceNova, Lotus, or Unidentified 111, Latrodectus, can also be thought of to be a successor to IcedID owing to infrastructure overlaps between the 2 malware households. It has been utilized in campaigns related to two preliminary entry brokers (IABs) often called TA577 (aka Water Curupira) and TA578.
In Might 2024, a coalition of European international locations mentioned it dismantled over 100 servers linked to a number of malware strains corresponding to IcedID (and, by extension, Latrodectus), SystemBC, PikaBot, SmokeLoader, Bumblebee, and TrickBot.
“Although Latrodectus was not mentioned in the operation, it was also affected and its infrastructure went offline,” Bitsight safety researcher João Batista famous again in June 2024.
Cybersecurity agency Trustwave, in an evaluation printed earlier this month, described Latrodectus as a “distinct threat” that has obtained a lift following Operation Endgame.
“While initially impacted, Latrodectus quickly rebounded. Its advanced capabilities filled the void left by its disabled counterparts, establishing itself as a formidable threat,” the cybersecurity firm mentioned.
Assault chains usually leverage malspam campaigns, exploiting hijacked e-mail threads and impersonating reliable entities like Microsoft Azure and Google Cloud to activate the malware deployment course of.
The newly noticed an infection sequence by Forcepoint and Logpoint takes the identical route, with the DocuSign-themed e-mail messages bearing PDF attachments containing a malicious hyperlink or HTML recordsdata with embedded JavaScript code which might be engineered to obtain an MSI installer and a PowerShell script, respectively.
Whatever the methodology employed, the assault culminates within the deployment of a malicious DLL file that, in flip, launches the Latrodectus malware.
“Latrodectus leverages older infrastructure, combined with a new, innovative malware payload distribution method to financial, automotive, and business sectors,” Forcepoint researcher Mayur Sewani mentioned.
The continuing Latrodectus campaigns dovetail with the return of the Bumblebee loader, which employs a ZIP archive file doubtless downloaded by way of phishing emails as a supply mechanism.
“The ZIP file contains an LNK file named ‘Report-41952.lnk’ that, once executed, starts a chain of events to download and execute the final Bumblebee payload in memory, avoiding the need to write the DLL on disk,” Netskope researcher Leandro Fróes mentioned.
The LNK file is meant to execute a PowerShell command to obtain an MSI installer from a distant server. As soon as launched, the MSI samples, which masquerade as installers from NVIDIA and Midjourney, function a channel to launch the Bumblebee DLL.
“Bumblebee uses a stealthier approach to avoid the creation of other processes and avoids writing the final payload to disk,” Fróes identified.
“It does so by using the SelfReg table to force the execution of the DllRegisterServer export function present in a file in the File table. The entry in the SelfReg table works as a key to indicate what file to execute in the File table and in our case it was the final payload DLL.”
