Two notorious malware families, Bumblebee and Latrodectus, have reemerged in phishing campaigns following a major law enforcement operation called Endgame in May 2024 that targeted malware droppers including IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and Trickbot.
Although Europol did not list Latrodectus among the impacted malware families, it was also affected because its infrastructure overlaps with IcedID's.
According to past reports, Bumblebee has been used by at least three cybercriminal groups associated with ransomware actors. Gangs using Bumblebee have in the past also used the BazarLoader and IcedID loaders, which are linked to the high-profile ransomware groups Conti and Diavol.
According to reports from Netskope, Forcepoint, and Logpoint, the new Bumblebee campaign involves malicious ZIP archives, delivered via phishing email, that contain a Windows shortcut (LNK) file.
Once the archive is extracted and the LNK file is executed, it initiates a series of events that eventually load the Bumblebee malware directly into the system's memory, so the malware never needs to be written to disk.
Bumblebee's use of LNK files in these campaigns is not new, but it remains a favorite method of delivery. Once executed, Bumblebee functions as a loader, bringing additional payloads onto the compromised host, which can vary depending on the objectives of the attackers.
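As an added illustration, not code from any of the cited reports, here is a defender-side check that a mail gateway or sandbox pre-filter could apply to ZIP attachments: it inspects the archive listing only and holds any archive carrying a shortcut file, a double extension, or a nested archive, which is the wrapping pattern described above. The sample archive is constructed inline and contains no real shortcut.

```python
import io
import zipfile

# Entry types that should not arrive inside a mailed ZIP: shortcut files
# (the reported Bumblebee lure) and nested archives used to add a layer.
SHORTCUT_EXTS = {".lnk", ".url"}
ARCHIVE_EXTS = {".zip", ".iso", ".img", ".7z", ".rar"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".txt"}  # common double-extension decoys

def suspicious_zip_entries(data: bytes) -> list[str]:
    """Return reasons an attachment should be held for review.

    Only the central directory is read; nothing is extracted or executed.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid ZIP archive"]
    for info in zf.infolist():
        name = info.filename.lower()
        if name.endswith("/"):
            continue  # directory entry, nothing to execute
        base = name.rsplit("/", 1)[-1]
        parts = base.split(".")
        ext = "." + parts[-1] if len(parts) > 1 else ""
        if ext in SHORTCUT_EXTS:
            findings.append(f"shortcut file in archive: {info.filename}")
        elif ext in ARCHIVE_EXTS:
            findings.append(f"nested archive: {info.filename}")
        # e.g. "invoice.pdf.lnk": a decoy document extension before the real one
        if len(parts) > 2 and "." + parts[-2] in DECOY_EXTS:
            findings.append(f"double extension: {info.filename}")
    return findings

def build_sample_zip() -> bytes:
    """Constructed sample mimicking the reported lure layout (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2024.pdf.lnk", b"placeholder bytes, not a real shortcut")
        zf.writestr("readme.txt", b"benign text")
    return buf.getvalue()

if __name__ == "__main__":
    for reason in suspicious_zip_entries(build_sample_zip()):
        print("HOLD:", reason)
```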
Latrodectus, also known as BlackWidow, IceNova, and Lotus, is evolving as a successor to IcedID. Initially discovered by researchers at Walmart in October 2023, it is believed to have been developed by Lunar Spider, the same group behind IcedID.
In recent campaigns, Latrodectus has been used by initial access brokers (IABs) such as TA577 (aka Water Curupira) and TA578, both of which specialize in gaining initial footholds in victims' networks to sell access to other cybercriminal groups. The malware's sophisticated architecture allows it to load additional malicious components and other malware families.
In typical Latrodectus phishing attempts, the campaign begins with a compromised email that masquerades as a legitimate DocuSign notification. The email tricks users into clicking a link to access a purported document, redirecting them to a malicious URL that triggers the download of Latrodectus onto their system. The malware is designed for stealth: it establishes persistence on infected systems and evades detection by arriving in commonplace attachment formats such as HTML and PDF.