October 22, 2024 at 06:18AM
Two malware families, Bumblebee and Latrodectus, have resurfaced in new phishing campaigns following a law enforcement operation called Endgame. Both are malware loaders aimed at stealing personal data. The campaigns utilize malicious email attachments and links to deploy these threats, targeting sectors like finance, automotive, and business.
### Meeting Takeaways – Malware / Threat Intelligence (Oct 22, 2024)
1. **Resurfacing of Malware Families**:
– Two malware families, **Bumblebee** and **Latrodectus**, have reappeared following a law enforcement operation named **Operation Endgame**, which initially disrupted them.
2. **Malware Functionality**:
– Both malware types are **loaders** that steal personal data and facilitate the download and execution of additional malicious payloads on targeted systems.
3. **Latrodectus Details**:
– Also known by names such as **BlackWidow**, **IceNova**, and **Lotus**, **Latrodectus** is viewed as an extension of **IcedID** due to shared infrastructure.
– It is associated with two initial access brokers (IABs): **TA577** (Water Curupira) and **TA578**.
4. **Impact of Operation Endgame**:
– In May 2024, over **100 servers** related to various malware strains were dismantled by a coalition of European countries.
– Although not explicitly mentioned in the operation, **Latrodectus** was affected and saw its infrastructure go offline temporarily.
5. **Current Threat Level**:
– Research from Trustwave describes **Latrodectus** as a **distinct threat** that quickly regained strength and filled the operational gaps left by disabled malware families.
6. **Attack Methods**:
– Cybercriminals are utilizing **malspam campaigns**, often impersonating legitimate companies (e.g., Microsoft Azure, Google Cloud) to distribute malware.
– New infection vectors include emails themed around **DocuSign**, with malicious PDF attachments leading to malware deployment.
7. **Technical Details of Malware Deployment**:
– Infection sequences lead to the execution of a **malicious DLL file** that activates the **Latrodectus** malware.
– **Bumblebee** also reemerges, utilizing a **ZIP archive** delivery mechanism through phishing emails.
– The ZIP file contains a **.LNK** file that, upon execution, initiates the download and execution of the final **Bumblebee** payload.
8. **Stealth Methods**:
– **Bumblebee** employs a technique to avoid writing final payloads to disk by executing **PowerShell** commands for further downloads and leveraging the **SelfReg table** to trigger actions within its malware structure.
9. **Research Insights**:
– Security researchers highlighted innovative methods and older infrastructure being leveraged by both malware families as they target sectors such as finance, automotive, and business.
10. **Follow-Up**:
– For more information and updates, follow the organization on **Twitter** and **LinkedIn**.
These takeaways summarize the key points from the meeting and underscore the significance of increasing vigilance in cybersecurity given the resurgence of these malware families.