A high-severity flaw impacting Microsoft SharePoint has been added to the Known Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday, citing evidence of active exploitation.
The vulnerability, tracked as CVE-2024-38094 (CVSS score: 7.2), has been described as a deserialization vulnerability impacting SharePoint that could result

Vulnerability / Threat Intelligence

A high-severity flaw impacting Microsoft SharePoint has been added to the Known Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday, citing evidence of active exploitation.

The vulnerability, tracked as CVE-2024-38094 (CVSS score: 7.2), has been described as a deserialization vulnerability impacting SharePoint that could result in remote code execution.

"An authenticated attacker with Site Owner permissions can use the vulnerability to inject arbitrary code and execute this code in the context of SharePoint Server," Microsoft said in an alert for the flaw.

Patches for the security defect were released by Redmond as part of its Patch Tuesday updates for July 2024. The exploitation risk is compounded by the fact that proof-of-concept (PoC) exploits for the flaw are available in the public domain.

"The PoC script \[...\] automates authentication to a target SharePoint site using NTLM, creates a specific folder and file, and sends a crafted XML payload to trigger the vulnerability in the SharePoint client API," SOCRadar said.

There are currently no reports about how CVE-2024-38094 is exploited in the wild. In light of in-the-wild abuse, Federal Civilian Executive Branch (FCEB) agencies are required to apply the latest fixes by November 12, 2024, to secure their networks.

The development comes as Google's Threat Analysis Group (TAG) revealed that a now-patched zero-day vulnerability in Samsung's mobile processors has been weaponized as part of an exploit chain to achieve arbitrary code execution.

Assigned the CVE identifier CVE-2024-44068 (CVSS score of 8.1), it has been addressed as of October 7, 2024, with the South Korean electronics giant characterizing it as a "use-after-free in the mobile processor \[that\] leads to privilege escalation."

While Samsung's terse advisory makes no mention of it having been exploited in the wild, Google TAG researchers Xingyu Jin and Clement Lecigne said a zero-day exploit for the shortcoming is used as part of a privilege escalation chain.

"The actor is able to execute arbitrary code in a privileged cameraserver process," the researchers said. "The exploit also renamed the process name itself to 'vendor.samsung.hardware.camera.provider@3.0-service,' probably for anti-forensic purposes."

The disclosures also follow a new proposal from CISA that puts forth a series of security requirements in order to prevent bulk access to U.S. sensitive personal data or government-related data by countries of concern and covered persons.

In line with the requirements, organizations are expected to remediate known exploited vulnerabilities within 14 calendar days, critical vulnerabilities with no exploit within 15 calendar days, and high-severity vulnerabilities with no exploits within 30 calendar days.

"To ensure and validate that a covered system denies covered persons access to covered data, it is necessary to maintain audit logs of such accesses as well as organizational processes to utilize those logs," the agency said.

"Similarly, it is necessary for an organization to develop identity management processes and systems to establish an understanding of what persons may have access to different data sets."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

CISA Warns of Active Exploitation of Microsoft SharePoint Vulnerability (CVE-2024-38094)

Millions of iOS and Android users are at risk after Symantec discovered that popular apps contain hardcoded, unencrypted…

Millions of iOS and Android users are at risk after Symantec discovered that popular apps contain hardcoded, unencrypted cloud keys. This security flaw could lead to unauthorized access, data breaches, and service disruptions.

Research conducted by cybersecurity experts at Symantec has revealed that popular apps on both Android and iOS platforms contain hardcoded, unencrypted cloud service credentials, putting millions of users’ sensitive data and backend services at risk of unauthorized access and potential data breaches.

The issue comes from developers embedding access and secret keys directly in the app’s code instead of using secure storage methods. This makes it easy for attackers to access sensitive data, steal user information, or disrupt services.

Among the affected Android apps, Pic Stitch: Collage Maker, with over 5 million downloads, and Meru Cabs, Sulekha Business, and ReSound Tinnitus Relief, each with hundreds of thousands of downloads, were found to contain hardcoded AWS and Azure credentials, respectively. These credentials grant access to critical cloud storage and other backend services.

On the iOS side, popular apps like Crumbl (over 3.9 million ratings), Eureka: Earn Money for Surveys (402.1K ratings), and Videoshop – Video Editor (357.9K ratings) were also found to have hardcoded AWS credentials, including access keys and even WebSocket Secure (WSS) endpoints, further simplifying potential attacks.

Eureka IDA code with hardcoded AWS credentials (Via Symantec)

****Full list of impacted apps on iOS and Android****

*   **Crumbl (over 3.9 million ratings)**
*   **Meru Cabs (over 5 million downloads)**
*   **Sulekha Business (over 500,000 downloads)**
*   **Videoshop – Video Editor (over 357,000 ratings)**
*   **ReSound Tinnitus Relief (over 500,000 downloads)**
*   **Pic Stitch: Collage Maker (over 5 million downloads)**
*   **Eureka: Earn Money for Surveys (over 402,000 ratings)**

This issue, found on both Android and iOS, is a serious concern. It could lead to anything from individual data breaches to major service disruptions. Symantec’s findings show the urgent need for developers to follow security best practices.

To mitigate these risks, developers are advised to follow best practices for managing sensitive information within their applications. These include using environment variables, implementing secrets management, encrypting sensitive data, conducting regular code reviews and audits, and automating security scanning.

“This repeated pattern of insecure credential management across multiple apps underscores the critical need for developers to prioritize security in the mobile app development lifecycle,” **said** a Symantec spokesperson.

For users, Symantec advises installing **reputable security software**, downloading apps only from trusted sources, keeping software updated, carefully reviewing app permissions, and regularly backing up important data. These precautions can help mitigate the risks associated with insecure apps while developers work to address these critical vulnerabilities.

1.  Google reveals spyware attack on Android, iOS, and Chrome
2.  Study: Android sends more data to Google than iOS to Apple
3.  Bluetooth Falw Enables Keystroke Injection on Android and iOS
4.  WiFi Flaws Allow Network Traffic Interception on iOS and Android
5.  Instagram iOS, Android app flaw allowed account access to hackers

Millions of iOS and Android Users at Risk as Popular Apps Expose Cloud Keys

Not long ago, the ability to remotely track someone’s daily movements just by knowing their home address, employer, or place of worship was considered a powerful surveillance tool that should only be in the purview of nation states. But a new lawsuit in a likely constitutional battle over a New Jersey privacy law shows that anyone can now access this capability, thanks to a proliferation of commercial services that hoover up the digital exhaust emitted by widely-used mobile apps and websites.

The Global Surveillance Free-for-All in Mobile Ad Data

TA866 (also known as Asylum Ambuscade) is a threat actor that has been conducting intrusion operations since at least 2020.

Highlighting TA866/Asylum Ambuscade Activity Since 2021

If exploited, bad actors can execute arbitrary code while evading detection thanks to a renamed process.

Source: B Christopher via Alamy Stock Photo

A zero-day vulnerability, tracked as CVE-2024-44068, has been discovered in Samsung's mobile processors and is being used in an exploit chain for arbitrary code execution.

The vulnerability was given a critical CVSS score of 8.1 out of 10 and was patched in Samsung's October set of security fixes.

A National Institute of Standards and Technology (NIST) advisory on the bug describes it as "an issue \[that\] was discovered in the m2m scaler driver in Samsung Mobile Processor and Wearable Processor Exynos 9820, 9825, 980, 990, 850, and W920." A use-after-free bug in the mobile processor ultimately leads to privilege escalation, the agency added.

Google researcher Xingyu Jin was credited with reporting the flaw earlier this year, and Google TAG researcher Clement Lecigne warned that an exploit exists in the wild.

"This zero-day exploit is part of an EoP chain," Jin and Lecigne noted. "The actor is able to execute arbitrary code in a privileged camera server process. The exploit also renamed the process name itself to '\[email protected\]', probably for anti-forensic purposes."

**About the Author**

Samsung Zero-Day Vuln Under Active Exploit, Google Warns

PRESS RELEASE

CHARLOTTE, N.C. and SUNNYVALE, Calif., Oct. 21, 2024 /PRNewswire/ -- Honeywell (NASDAQ: HON) and Google Cloud announced a unique collaboration connecting artificial intelligence (AI) agents with assets, people and processes to accelerate safer, autonomous operations for the industrial sector.

This partnership will bring together the multimodality and natural language capabilities of Gemini on Vertex AI – Google Cloud's AI platform – and the massive data set on Honeywell Forge, a leading Internet of Things (IoT) platform for industrials. This will unleash easy-to-understand, enterprise-wide insights across a multitude of use cases. Honeywell's customers across the industrial sector will benefit from opportunities to reduce maintenance costs, increase operational productivity and upskill employees. The first solutions built with Google Cloud AI will be available to Honeywell's customers in 2025.

"The path to autonomy requires assets working harder, people working smarter and processes working more efficiently," said Vimal Kapur, Chairman and CEO of Honeywell. "By combining Google Cloud's AI technology with our deep domain expertise--including valuable data on our Honeywell Forge platform--customers will receive unparalleled, actionable insights bridging the physical and digital worlds to accelerate autonomous operations, a key driver of Honeywell's growth."

"Our partnership with Honeywell represents a significant step forward in bringing the transformative power of AI to industrial operations," said Thomas Kurian, CEO of Google Cloud. "With Gemini on Vertex AI, combined with Honeywell's industrial data and expertise, we're creating new opportunities to optimize processes, empower workforces and drive meaningful business outcomes for industrial organizations worldwide."

With the mass retirement of workers from the baby boomer generation, the industrial sector faces both labor and skills shortages, and AI can be part of the solution – as a revenue generator, not job eliminator. More than two-thirds (82%) of Industrial AI leaders believe their companies are early adopters of AI, but only 17% have fully launched their initial AI plans, according to Honeywell's 2024 Industrial AI Insights report. This partnership will provide AI agents that augment the existing operations and workforce to help drive AI adoption and enable companies across the sector to benefit from expanding automation.

Honeywell and Google Cloud will co-innovate solutions around:

Purpose-Built, Industrial AI Agents   
Built on Google Cloud's Vertex AI Search and tailored to engineers' specific needs, a new AI-powered agent will help automate tasks and reduce project design cycles, enabling users to focus on driving innovation and delivering exceptional customer experiences.

Additional agents will utilize Google's large language models (LLMs) to help technicians to more quickly resolve maintenance issues (e.g., "How did a unit perform last night?" "How do I replace the input/output module?" or "Why is my system making this sound?"). By leveraging Gemini's multimodality capabilities, users will be able to process various data types such as images, videos, text and sensor readings, which will help its engineers get the answers they need quickly – going beyond simple chat and predictions.

Enhanced Cybersecurity  
Google Threat Intelligence – featuring frontline insight from Mandiant – will be integrated into current Honeywell cybersecurity products, including Global Analysis, Research and Defense (GARD) Threat Intelligence and Secure Media Exchange (SMX), to help enhance threat detection and protect global infrastructure for industrial customers. 

On-the-Edge Device Advances   
Looking ahead, Honeywell will explore using Google's Gemini Nano model to enhance Honeywell edge AI devices' intelligence multiple use cases across verticals, ranging from scanning performance to voice-based guided workflow, maintenance, operational and alarm assist without the need to connect to the internet and cloud. This is the beginning of a new wave of more intelligent devices and solutions, which will be the subject of future Honeywell announcements.

By leveraging AI to enable growth and productivity, the integration of Google Cloud technology also further supports Honeywell's alignment of its portfolio to three compelling megatrends, including automation.

About Honeywell  
Honeywell is an integrated operating company serving a broad range of industries and geographies around the world. Our business is aligned with three powerful megatrends – automation, the future of aviation and energy transition – underpinned by our Honeywell Accelerator operating system and Honeywell Forge IoT platform. As a trusted partner, we help organizations solve the world's toughest, most complex challenges, providing actionable solutions and innovations through our Aerospace Technologies, Industrial Automation, Building Automation and Energy and Sustainability Solutions business segments that help make the world smarter and safer as well as more secure and sustainable. For more news and information on Honeywell, please visit www.honeywell.com/newsroom.

About Google Cloud  
Google Cloud is the new way to the cloud, providing AI, infrastructure, developer, data, security, and collaboration tools built for today and tomorrow. Google Cloud offers a powerful, fully integrated, and optimized AI stack with its own planet-scale infrastructure, custom-built chips, generative AI models, and development platform, as well as AI-powered applications, to help organizations transform. Customers in more than 200 countries and territories turn to Google Cloud as their trusted technology partner.

Honeywell and Google Cloud to Accelerate Auto Operations With AI Agents for the Industrial Sector

GoDaddy flagged a ClickFix campaign that infected 6,000 sites in a one-day period, with attackers using stolen admin credentials to distribute malware.

Source: Primakov via Shutterstock

Threat actors have taken a campaign that uses fake browser updates to spread malware to a new level, weaponizing scores of WordPress plug-ins to deliver malicious infostealing payloads, after using stolen credentials to log in to and infect thousands of websites.

Domain registrar GoDaddy is warning that a new variant of malware disguised as a fake browser update known as ClickFix infected more than 6,000 WordPress sites in a one-day period from Sept. 2 to Sept. 3.

Threat actors used stolen WordPress admin credentials to infect compromised websites with malicious plug-ins as part of an attack chain unrelated "to any known vulnerabilities in the WordPress ecosystem," GoDaddy principal security engineer Denis Sinegubko wrote in a recent blog post.

"These seemingly legitimate plugins are designed to appear harmless to website administrators, but contain embedded malicious scripts that deliver fake browser update prompts to end users," he wrote.

The campaign leverages fake WordPress plug-ins that inject JavaScript leading to ClickFix fake browser updates, which use blockchain and smart contracts to obtain and deliver malicious payloads. Attackers use social engineering strategies to trick users into thinking they are updating their browser, but instead they are executing malicious code, "ultimately compromising their systems with various types of malware and information stealers," Sinegubko explained.

Related:Samsung Zero-Day Vuln Under Active Exploit, Google Warns

**Related, Yet Separate Campaigns**

It should be mentioned that ClearFake, widely identified in April, is another fake browser update activity cluster that compromises legitimate websites with malicious HTML and JavaScript. Initially it targeted Windows systems, but later spread to macOS as well.

Researchers have linked ClickFix to ClearFake, but the campaigns as described by various analysts have numerous differences and are likely separate activity clusters. GoDaddy claims to have been tracking ClickFix malware campaign since August 2023, spotting it on more than 25,000 compromised sites worldwide. Other analysts at Proofpoint detailed ClickFix for the first time earlier this year.

The new ClickFix variant as described by GoDaddy is spreading fake browser update malware via bogus WordPress plug-ins with generic names such as "Advanced User Manager" and "Quick Cache Cleaner," according to the post.

"These seemingly legitimate plugins are designed to appear harmless to website administrators but contain embedded malicious scripts that deliver fake browser update prompts to end users," Sinegubko wrote.

Related:Bad Actors Manipulate Red-Team Tools to Evade Detection

All information in the plug-in metadata is fake, including the plug-in name, URL, description, version, and author, but appears plausible at first glance and wouldn't raise suspicion immediately, according to GoDaddy.

**Automation Used to Scale Campaign**

Further analysis detected automation in the naming convention of the plug-ins, with researchers noting a JavaScript file naming pattern consisting of the first letter of each word in the plug-in name, appended with "-script.js."

For example, the Advanced User Manager plug-in contains the aum-script.js file, according to the researchers, who used this naming convention to detect other malicious plug-ins related to the campaign, such as Easy Themes Manager, Content Blocker, and Custom CSS Injector.

The plug-in and author URIs also frequently reference GitHub, but analysis showed that repositories associated with the plug-in don't actually exist. Moreover, the GitHub usernames followed a systematic naming convention linked to the plug-in names, which "indicates an automated process behind the creation of these malicious plugins," Sinegubko wrote.

Indeed, the researchers eventually discovered that the plug-ins are systematically generated using a common template, allowing "threat actors to rapidly produce a large number of plausible plugin names, complete with metadata and embedded code designed to inject JavaScript files into WordPress pages," Sinegubko wrote. This allowed attackers to scale their malicious operations and add an additional layer of complexity for detection.

Related:The Lingering 'Beige Desktop' Paradox

**Credential Theft as Initial Entry?**

GoDaddy isn't clear on how attackers acquired WordPress admin credentials to initiate the latest ClickFix campaign, but it noted that potential vectors include brute-force attacks and phishing campaigns aimed at acquiring legitimate passwords and usernames. 

Moreover, as the payloads of the campaign itself are the installation of various infostealers on compromised end-user systems, it's possible that the threat actors are collecting admin credentials in this way, Sinegubko observed.

"When talking about infostealers, many people think about bank credentials, crypto-wallets and other things of this nature, but many stealers can collect information and credentials from a much wider range of programs," he noted.

Another possible scenario is that the residential IP addresses from which the fake plug-ins were installed could belong to a botnet of infected computers that the attackers use as proxies to hack websites, according to GoDaddy.

Because the campaign includes the theft of legitimate credentials to log in to WordPress sites, people are urged to follow general best practices for protecting their passwords as well as avoid interacting with any unknown websites or messages that ask them to divulge private credentials.

GoDaddy also included a long list of indicators of compromise (IoCs) for the campaign — including names of plug-ins and malicious JavaScript files, endpoints to which smart contracts in the campaign connect, and associated GitHub accounts — in the blog post, so defenders can identify if a website has been compromised.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Swarms of Fake WordPress Plug-ins Infect Sites With Infostealers

Anti-bot services on the dark web allow phishers to bypass Google’s Red Page warnings, evading detection and making…

Anti-bot services on the dark web allow phishers to bypass Google’s Red Page warnings, evading detection and making phishing campaigns harder to stop. Tools like Otus Anti-Bot, Remove Red, and Limitless Anti-Bot are raising concerns among cybersecurity experts.

Cybercriminals are constantly innovating, and their latest weapon is a new breed of services called the anti-bot services, reveals the latest research from SlashNext. These services are advertised on the Dark Web to help phishers bypass Google’s “_Red Page_” warnings.

****The Power of Google’s Red Page****

Phishing attacks have become more sophisticated with the rise of PhaaS (phishing-as-a-service) platforms. These platforms make it easy for even inexperienced criminals to launch large-scale phishing campaigns. However, a major hurdle for phishers has been detection by security services like Google’s Safe Browsing.  

Google Red Page is a feature of Google Safe Browsing that warns users of potential dangers, such as phishing attempts. The page, displayed in red, warns users that a site they are navigating may be deceptive and advises them to avoid it. This can significantly limit the success of phishing attacks, as these campaigns rely on high click-through rates, which are significantly lowered when Google’s detection flags a phishing page and adds it to a blocklist.

****Anti-Bot Services: A New Challenge for Security Teams****

New anti-bot services aim to circumvent Google’s Red Page warnings. These services, including Otus Anti-Bot, Remove Red, and Limitless Anti-Bot, help phishers evade detection. Here is how these work:  

*   **Filtering Out Security Crawlers:** Anti-bot services analyze user-agent strings and IP addresses to identify and block security bots that scan for malicious websites.   
*   **Cloaking Techniques:** Some anti-bot services use techniques like JavaScript obfuscation or context-switching to serve different content to humans and bots. Real users see the phishing page, while security bots might see harmless content.  
*   **Geolocation-Based Targeting:** These services can restrict access to specific regions, ensuring the phishing site remains hidden from international security entities.
*   **CAPTCHAs and Challenges:** By introducing CAPTCHAs or challenge pages, anti-bot services block automated scanners that cannot solve them.

SlashNext researchers note that these services are effective against less sophisticated security bots. However, advanced security measures and manual analysis by security professionals can still detect these phishing sites.

Via SlastNext

“These services represent the latest evolution in the ongoing cat-and-mouse game between cybercriminals and security measures,” SlashNext researchers explained in the blog post.

Anti-bot services are constantly evolving to stay ahead of security measures. As new detection techniques emerge, these services will likely adapt to counter them. Cybersecurity teams must remain vigilant and adopt advanced threat detection methods to combat the growing sophistication of phishing attacks.

1.  EvilProxy Phishing Kit Hits 100+ Firms, Bypasses MFA
2.  Cybercriminals Beta Test New Attack to Bypass AI Security
3.  Trio Run “OTP Agency” Enabling Bank Fraud and 2FA Bypass
4.  Phishing Attacks Bypass Microsoft 365 Email Safety Warnings
5.  Unicode QR Code Phishing Scam Bypasses Traditional Security

Dark Web Anti-Bot Services Let Phishers Bypass Google’s Red Page

Ubuntu Security Notice 7072-2 - Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-7072-2October 21, 2024linux-gke vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-gke: Linux kernel for Google Container Engine (GKE) systemsDetails:Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - Watchdog drivers;  - Netfilter;  - Network traffic control;(CVE-2024-38630, CVE-2024-27397, CVE-2024-45016)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS  linux-image-5.15.0-1068-gke     5.15.0-1068.74  linux-image-gke                 5.15.0.1068.67  linux-image-gke-5.15            5.15.0.1068.67After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7072-2  https://ubuntu.com/security/notices/USN-7072-1  CVE-2024-27397, CVE-2024-38630, CVE-2024-45016Package Information:  https://launchpad.net/ubuntu/+source/linux-gke/5.15.0-1068.74

Ubuntu Security Notice USN-7072-2

Two malware families that suffered setbacks in the aftermath of a coordinated law enforcement operation called Endgame have resurfaced as part of new phishing campaigns.
Bumblebee and Latrodectus, which are both malware loaders, are designed to steal personal data, along with downloading and executing additional payloads onto compromised hosts.
Tracked under the names BlackWidow, IceNova, Lotus,

Malware / Threat Intelligence

Two malware families that suffered setbacks in the aftermath of a coordinated law enforcement operation called Endgame have resurfaced as part of new phishing campaigns.

Bumblebee and Latrodectus, which are both malware loaders, are designed to steal personal data, along with downloading and executing additional payloads onto compromised hosts.

Tracked under the names BlackWidow, IceNova, Lotus, or Unidentified 111, Latrodectus, is also considered to be a successor to IcedID owing to infrastructure overlaps between the two malware families. It has been used in campaigns associated with two initial access brokers (IABs) known as TA577 (aka Water Curupira) and TA578.

In May 2024, a coalition of European countries said it dismantled over 100 servers linked to several malware strains such as IcedID (and, by extension, Latrodectus), SystemBC, PikaBot, SmokeLoader, Bumblebee, and TrickBot.

"Although Latrodectus was not mentioned in the operation, it was also affected and its infrastructure went offline," Bitsight security researcher João Batista noted back in June 2024.

Cybersecurity firm Trustwave, in an analysis published earlier this month, described Latrodectus as a "distinct threat" that has received a boost following Operation Endgame.

"While initially impacted, Latrodectus quickly rebounded. Its advanced capabilities filled the void left by its disabled counterparts, establishing itself as a formidable threat," the cybersecurity company said.

Attack chains typically leverage malspam campaigns, exploiting hijacked email threads and impersonating legitimate entities like Microsoft Azure and Google Cloud to activate the malware deployment process.

The newly observed infection sequence by Forcepoint and Logpoint takes the same route, with the DocuSign-themed email messages bearing PDF attachments containing a malicious link or HTML files with embedded JavaScript code that are engineered to download an MSI installer and a PowerShell script, respectively.

Regardless of the method employed, the attack culminates in the deployment of a malicious DLL file that, in turn, launches the Latrodectus malware.

"Latrodectus leverages older infrastructure, combined with a new, innovative malware payload distribution method to financial, automotive, and business sectors," Forcepoint researcher Mayur Sewani said.

The ongoing Latrodectus campaigns dovetail with the return of the Bumblebee loader, which employs a ZIP archive file likely downloaded via phishing emails as a delivery mechanism.

"The ZIP file contains an LNK file named 'Report-41952.lnk' that, once executed, starts a chain of events to download and execute the final Bumblebee payload in memory, avoiding the need to write the DLL on disk," Netskope researcher Leandro Fróes said.

The LNK file is intended to execute a PowerShell command to download an MSI installer from a remote server. Once launched, the MSI samples, which masquerade as installers from NVIDIA and Midjourney, serve as a channel to launch the Bumblebee DLL.

"Bumblebee uses a stealthier approach to avoid the creation of other processes and avoids writing the final payload to disk," Fróes pointed out.

"It does so by using the SelfReg table to force the execution of the DllRegisterServer export function present in a file in the File table. The entry in the SelfReg table works as a key to indicate what file to execute in the File table and in our case it was the final payload DLL."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#google