Stratos Ally

Malware Rises From the Dead – Bumblebee and Latrodectus are back!  

DarkSoul

The malware loaders Bumblebee and Latrodectus are active again and are being distributed through fresh phishing campaigns. The two families share similar infrastructure, and both were hit in May 2024 when Operation Endgame, a coordinated law-enforcement action by a coalition of European countries, took down their servers.

Bumblebee and Latrodectus are both used to steal information from the victim's machine and, more importantly, to download and install additional payloads on it. Their return has put security teams on alert. Security researchers describe Latrodectus as a "distinct threat" that has grown more sophisticated since Operation Endgame disrupted it: the operators have closed the gaps that made the takedown possible, which makes the loader harder to disrupt a second time.

Attack chains typically rely on malspam campaigns that hijack existing email threads and impersonate legitimate services such as Microsoft Azure and Google Cloud to trigger the malware deployment.

Researchers at Forcepoint and Logpoint observed the same modus operandi in the new phishing attempts: DocuSign-themed emails carrying either a PDF attachment with a malicious link, which leads to an MSI installer, or an HTML attachment with embedded JavaScript, which fetches a PowerShell script. Either route drops a malicious DLL that in turn launches Latrodectus.

The Latrodectus campaigns coincide with the resurgence of the Bumblebee loader. The Bumblebee chain starts with a ZIP archive, likely delivered via phishing emails, that contains an LNK file named 'Report-41952.lnk'. When the LNK is executed, it runs a PowerShell command that downloads an MSI installer from a remote server. The MSI samples masquerade as installers from NVIDIA and Midjourney and serve as the vehicle for loading the Bumblebee DLL; the final Bumblebee payload is then downloaded and executed in memory, so the DLL never needs to be written to disk.
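The first link in that chain is an LNK whose target is a PowerShell download cradle. The script below is an added triage example, not code from the article or from either malware family: it reads the target and arguments of every .lnk extracted from a suspect archive through the WScript.Shell COM object, which only parses the shell link and does not launch it, and flags cradle markers. The directory path, the marker list and the output shape are assumptions for illustration; run it in an isolated analysis VM.

```powershell
# Added example (not from the original article): triage LNK files extracted from a suspect ZIP.
# CreateShortcut on an existing .lnk only reads its fields; nothing is executed.
# $ArchiveDir is a placeholder path; run in an isolated analysis VM.
param(
    [Parameter(Mandatory = $true)]
    [string]$ArchiveDir
)

$shell = New-Object -ComObject WScript.Shell

# Substrings that typically appear in a cradle that fetches and runs an MSI stage (assumed list).
$cradleMarkers = @('powershell', 'pwsh', 'msiexec', 'DownloadFile', 'DownloadString',
                   'Invoke-WebRequest', 'iwr', 'curl', 'http://', 'https://',
                   '-enc', '-w hidden', 'WindowStyle', 'ExecutionPolicy', 'bypass')

function Test-SuspiciousLnk {
    param([string]$LnkPath)
    $lnk = $shell.CreateShortcut($LnkPath)
    # Explorer's property sheet truncates a long Target field; the COM object returns the full strings,
    # so an oversized argument string padded with whitespace is itself a signal.
    $cmd  = "$($lnk.TargetPath) $($lnk.Arguments)"
    $hits = @($cradleMarkers | Where-Object { $cmd -match [regex]::Escape($_) })
    [pscustomobject]@{
        File       = Split-Path $LnkPath -Leaf
        Target     = $lnk.TargetPath
        Arguments  = $lnk.Arguments
        ArgLength  = $lnk.Arguments.Length
        Markers    = ($hits -join ', ')
        Suspicious = ($hits.Count -gt 0)
    }
}

Get-ChildItem -Path $ArchiveDir -Filter *.lnk -Recurse |
    ForEach-Object { Test-SuspiciousLnk -LnkPath $_.FullName } |
    Format-List
```

A hit on `powershell` plus any download marker in an LNK that arrived inside an emailed ZIP is enough to quarantine the archive and pull the URL from the arguments for blocking; the ArgLength field catches cradles hidden behind hundreds of leading spaces, which the Explorer dialog would not show.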

This differs from the previously known Bumblebee infection chain, which relied on the legitimate binaries rundll32.exe and regsvr32.exe to load the malicious DLL. The new chain uses the MSI's SelfReg table instead: SelfReg entries instruct msiexec.exe to call the listed DLL's DllRegisterServer export during installation, so the DLL is loaded inside the installer process itself and no separate rundll32.exe or regsvr32.exe is spawned. Detections keyed on those two processes loading DLLs from user-writable paths therefore never fire, which is what makes the technique sneakier.
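Because the DLL load happens inside msiexec.exe, the place to look is the MSI database itself. The script below is an added example, not code from the article or from the Bumblebee operators: it opens a suspect MSI read-only through the WindowsInstaller.Installer COM object and lists every file the SelfReg table will hand to DllRegisterServer, plus any CustomAction rows that run a DLL, EXE or script, which is the other common way an installer executes code. The path parameter and the output fields are assumptions; nothing is installed.

```powershell
# Added example (not from the original article): enumerate code-execution entries in an MSI.
# Opens the database read-only (mode 0) and never runs the install; $MsiPath is a placeholder.
param(
    [Parameter(Mandatory = $true)]
    [string]$MsiPath
)

$installer = New-Object -ComObject WindowsInstaller.Installer
$db = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer,
                                        @((Resolve-Path $MsiPath).Path, 0))

# Runs a Windows Installer SQL query and returns one hashtable per row, fields indexed from 1.
function Invoke-MsiQuery {
    param([string]$Sql)
    $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db, @($Sql))
    $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null)
    $rows = @()
    while ($true) {
        $rec = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
        if ($null -eq $rec) { break }
        $row   = @{}
        $count = $rec.GetType().InvokeMember('FieldCount', 'GetProperty', $null, $rec, $null)
        for ($i = 1; $i -le $count; $i++) {
            $row[$i] = $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, @($i))
        }
        $rows += ,$row
    }
    $view.GetType().InvokeMember('Close', 'InvokeMethod', $null, $view, $null)
    return $rows
}

$tables = @(Invoke-MsiQuery 'SELECT Name FROM _Tables' | ForEach-Object { $_[1] })

# SelfReg: msiexec itself calls DllRegisterServer on each listed file during InstallFinalize.
if ($tables -contains 'SelfReg') {
    $sql = 'SELECT SelfReg.File_, File.FileName, File.Component_ FROM SelfReg, File WHERE SelfReg.File_ = File.File'
    foreach ($r in Invoke-MsiQuery $sql) {
        [pscustomobject]@{ Mechanism = 'SelfReg'; Detail = 'DllRegisterServer'; File = $r[2]; Component = $r[3] }
    }
}

# CustomAction: the low 6 bits of Type select what is executed (DLL, EXE or script).
if ($tables -contains 'CustomAction') {
    $dllTypes    = 1, 17
    $exeTypes    = 2, 18, 34, 50
    $scriptTypes = 5, 6, 21, 22, 37, 38, 53, 54
    foreach ($r in Invoke-MsiQuery 'SELECT Action, Type, Source, Target FROM CustomAction') {
        $base = [int]$r[2] -band 0x3F
        $kind = if ($dllTypes -contains $base) { 'DLL' }
                elseif ($exeTypes -contains $base) { 'EXE' }
                elseif ($scriptTypes -contains $base) { 'Script' }
                else { $null }
        if ($kind) {
            [pscustomobject]@{ Mechanism = 'CustomAction'; Detail = "$kind (type $base)"; File = $r[3]; Component = $r[4] }
        }
    }
}
```

A legitimate NVIDIA or Midjourney installer would not register an unknown DLL through SelfReg, so any SelfReg row in an MSI that arrived via a PowerShell cradle is worth extracting (the file lives in the CAB stream referenced by the File table) and detonating. For hunting on endpoints, the complementary telemetry is an image load of a non-Microsoft DLL into msiexec.exe whose parent is powershell.exe, since that is the process tree this chain produces.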
