Two malware families that suffered setbacks after the coordinated law enforcement operation known as Endgame have resurfaced in fresh phishing campaigns.
Sneaky Bee and Black Widow, both malware loaders, are designed to steal personal information and install additional malicious code on compromised systems.
Black Widow, also known as BlackWidow, IceNova, Lotus, or Unidentified 111, is regarded as a successor to IcedID because of infrastructure overlap between the two malware lineages. It has been used in operations linked to two initial access brokers (IABs) tracked as TA577 (alias Water Curupira) and TA578.
In May 2024, a group of European nations announced the dismantling of more than 100 servers linked to various malware strains, including IcedID (and thus Black Widow), SystemBC, PikaBot, SmokeLoader, Sneaky Bee, and TrickBot.
“Despite not being explicitly mentioned in the initiative, Black Widow was affected, resulting in the takedown of its infrastructure,” commented Bitsight security analyst João Batista back in June 2024.
Cybersecurity company Trustwave, in a recent analysis, described Black Widow as a “unique threat” that has been revitalized following Operation Endgame.
“While initially impacted, Black Widow rebounded swiftly. Its sophisticated capacities filled the void left by its incapacitated counterparts, marking its presence as a formidable threat,” the cybersecurity firm said.
Attack chains typically begin with spam email campaigns that hijack compromised email threads and impersonate trusted entities such as Microsoft Azure and Google Cloud to kick off the malware distribution mechanism.
The latest infection chain documented by Forcepoint and Logpoint follows a similar path: emails imitating DocuSign carry either PDF attachments with malicious links or HTML files with embedded JavaScript, which fetch an MSI installer and a PowerShell script respectively.
Regardless of the technique used, the attack ends with the installation of a malicious DLL that launches the Black Widow malware.
“Black Widow exploits older infrastructure along with a novel method for deploying malware into financial, automotive, and corporate sectors,” stated Forcepoint researcher Mayur Sewani.
The ongoing Black Widow campaigns coincide with the resurgence of the Sneaky Bee loader, which is distributed as a ZIP archive, likely delivered via deceptive emails.
“Contained within the ZIP file is an LNK file named ‘Report-41952.lnk’ which, when executed, initiates a series of actions to fetch and run the final Sneaky Bee payload into memory, bypassing the need to write the DLL onto disk,” Netskope researcher Leandro Fróes explained.
The LNK file is designed to run a PowerShell command that fetches an MSI installer from a remote server. When launched, these MSI samples, disguised as NVIDIA and Midjourney installers, act as conduits for executing the Sneaky Bee DLL.
“Sneaky Bee adopts a stealth method to dodge the creation of additional processes and avoids writing the final payload onto disk,” pointed out Fróes.
“It employs the SelfReg table to enforce the execution of the DllRegisterServer export function present in a file stored in the File table. The entry in the SelfReg table acts as a signal to identify which file to execute from the File table, in this case, the final payload DLL.”
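As an added triage check that is not part of the article or of any vendor's tooling, the PowerShell script below opens an MSI read-only through the Windows Installer COM API and lists the files its SelfReg table will hand to DllRegisterServer, so an analyst can pull that DLL for inspection before the package is ever run. Legitimate installers also use SelfReg, so a hit is a lead for further analysis, not a verdict.

```powershell
# Added triage helper (not from the article or any vendor report): lists every
# file an MSI will self-register, i.e. every DLL whose DllRegisterServer export
# msiexec will call because of a SelfReg row. Read-only; nothing is installed.
param([Parameter(Mandatory)][string]$MsiPath)

# WindowsInstaller.Installer has no type library PowerShell can bind to, so
# its methods and parameterized properties are reached through InvokeMember.
function Invoke-MsiMember($Object, $Name, $Kind, $Arguments) {
    $Object.GetType().InvokeMember($Name, $Kind, $null, $Object, $Arguments)
}

# Run an MSI SQL query and return each row as an object with the given column names.
function Get-MsiRows($Db, $Sql, [string[]]$Columns) {
    $view = Invoke-MsiMember $Db 'OpenView' 'InvokeMethod' @($Sql)
    Invoke-MsiMember $view 'Execute' 'InvokeMethod' $null | Out-Null
    while ($true) {
        $rec = Invoke-MsiMember $view 'Fetch' 'InvokeMethod' $null
        if ($null -eq $rec) { break }          # Fetch returns Nothing after the last row
        $row = [ordered]@{}
        for ($i = 0; $i -lt $Columns.Count; $i++) {
            $row[$Columns[$i]] = Invoke-MsiMember $rec 'StringData' 'GetProperty' @($i + 1)
        }
        [pscustomobject]$row
    }
}

$installer = New-Object -ComObject WindowsInstaller.Installer
# 0 = msiOpenDatabaseModeReadOnly: inspect the package without running anything in it.
$db = Invoke-MsiMember $installer 'OpenDatabase' 'InvokeMethod' @((Resolve-Path $MsiPath).Path, 0)

# A package without a SelfReg table cannot use this execution path at all.
$tables = @(Get-MsiRows $db 'SELECT Name FROM _Tables' @('Name')).Name
if ($tables -notcontains 'SelfReg') {
    Write-Output "No SelfReg table in $MsiPath"
    return
}

# Join SelfReg -> File -> Component to learn which file is registered and where it lands.
$sql = "SELECT SelfReg.File_, File.FileName, Component.Directory_ " +
       "FROM SelfReg, File, Component " +
       "WHERE SelfReg.File_ = File.File_ AND File.Component_ = Component.Component"
foreach ($row in Get-MsiRows $db $sql @('FileKey', 'FileName', 'Directory')) {
    # FileName may be 'SHORT~1.DLL|long name.dll'; keep the long form.
    $row.FileName = ($row.FileName -split '\|')[-1]
    $row
}
```

Run it as `.\Get-MsiSelfReg.ps1 -MsiPath .\sample.msi` on a Windows host; the listed FileKey is the File-table key the text refers to, and the matching file can then be extracted with `msiexec /a` for static analysis.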