Two malware families that suffered setbacks in the aftermath of a coordinated law enforcement operation called Endgame have resurfaced as part of new phishing campaigns.
Bumblebee and Latrodectus, which are both malware loaders, are designed to steal personal data, along with downloading and executing additional payloads onto compromised hosts.
Tracked under the names BlackWidow, IceNova, Lotus, or Unidentified 111, Latrodectus, is also considered to be a successor to IcedID owing to infrastructure overlaps between the two malware families. It has been used in campaigns associated with two initial access brokers (IABs) known as TA577 (aka Water Curupira) and TA578.
In May 2024, a coalition of European countries said it dismantled over 100 servers linked to several malware strains such as IcedID (and, by extension, Latrodectus), SystemBC, PikaBot, SmokeLoader, Bumblebee, and TrickBot.
“Although Latrodectus was not mentioned in the operation, it was also affected and its infrastructure went offline,” Bitsight security researcher João Batista noted back in June 2024.
Cybersecurity firm Trustwave, in an analysis published earlier this month, described Latrodectus as a “distinct threat” that has received a boost following Operation Endgame.
“While initially impacted, Latrodectus quickly rebounded. Its advanced capabilities filled the void left by its disabled counterparts, establishing itself as a formidable threat,” the cybersecurity company said.
Attack chains typically leverage malspam campaigns, exploiting hijacked email threads and impersonating legitimate entities like Microsoft Azure and Google Cloud to activate the malware deployment process.
The newly observed infection sequence by Forcepoint and Logpoint takes the same route, with the DocuSign-themed email messages bearing PDF attachments containing a malicious link or HTML files with embedded JavaScript code that are engineered to download an MSI installer and a PowerShell script, respectively.
Regardless of the method employed, the attack culminates in the deployment of a malicious DLL file that, in turn, launches the Latrodectus malware.
“Latrodectus leverages older infrastructure, combined with a new, innovative malware payload distribution method to financial, automotive, and business sectors,” Forcepoint researcher Mayur Sewani said.
The ongoing Latrodectus campaigns dovetail with the return of the Bumblebee loader, which employs a ZIP archive file likely downloaded via phishing emails as a delivery mechanism.
“The ZIP file contains an LNK file named ‘Report-41952.lnk’ that, once executed, starts a chain of events to download and execute the final Bumblebee payload in memory, avoiding the need to write the DLL on disk,” Netskope researcher Leandro Fróes said.
The LNK file is intended to execute a PowerShell command to download an MSI installer from a remote server. Once launched, the MSI samples, which masquerade as installers from NVIDIA and Midjourney, serve as a channel to launch the Bumblebee DLL.
“Bumblebee uses a stealthier approach to avoid the creation of other processes and avoids writing the final payload to disk,” Fróes pointed out.
“It does so by using the SelfReg table to force the execution of the DllRegisterServer export function present in a file in the File table. The entry in the SelfReg table works as a key to indicate what file to execute in the File table and in our case it was the final payload DLL.”