Security
Headlines
HeadlinesLatestCVEs

Headline

Bumblebee Malware Buzzes Into Cyberattack Fray

The sophisticated Bumblebee downloader is being used in ongoing email-borne attacks that could lead to ransomware infections.

DARKReading
#web#mac#google#git#backdoor#perl#auth#sap

At least three separate waves of cyberattacks are underway that feature a sophisticated new malware loader dubbed Bumblebee that fetches shell code and second-stage tools, such as Cobalt Strike, Sliver, and Meterpreter – possibly in a run-up to ransomware attacks.

As an initial-access tool – backdoor malware that infects a target before loading follow-on binaries – Bumblebee specializes in stealth, according to research from Proofpoint.

“Bumblebee is in active development and wields elaborate evasion techniques to include complex anti-virtualization,” researchers explain in a report issued on Thursday. “Unlike most other malware that uses process hollowing or DLL injection, this loader utilizes an asynchronous procedure call (APC) injection to start the shellcode from the commands received from the command and control (C2).”

Further, Bumblebee appears to be a significantly upgraded replacement for the well-known BazaLoader tool that often presages ransomware attacks.

“Threat actors using Bumblebee are associated with malware payloads that have been linked to follow-on ransomware campaigns,” researchers note in the report. And “campaigns identified by Proofpoint overlap with activity detailed [by Google] as leading to Conti and Diavol ransomware.”

**BazaLoader Replacement
**Bumblebee first buzzed onto the scene in March, shortly after BazaLoader disappeared from Proofpoint’s telemetry, researchers said.

BazaLoader was up until then a common malware first seen in 2020, sharing the cybercrime spotlight with other favored initial-access baddies, such as Emotet, Trickbot, and IcedID. Notably, it was employed in several high-volume campaigns that led to Conti ransomware infections.

“BazaLoader’s apparent disappearance from the cybercrime threat landscape coincides with the timing of Conti Leaks, when, at the end of February, a Ukrainian researcher with access to Conti’s internal operations began leaking data from the cybercriminal organization. Infrastructure associated with BazaLoader was identified in the leaked files,” researchers explain in the report.

Now Bumblebee is cropping up in campaigns run by the same crimeware groups previously observed delivering BazaLoader, the report notes. Proofpoint added that the groups are likely initial-access brokers (IABs), which dovetails with the previously mentioned Google TAG research. IABs infiltrate targets and sell specialized access to backdoored corporate networks on the Dark Web, and they often partner with ransomware operators as part of a thriving underground economy. They excel at finding unpatched machines, password-cracking and brute-forcing, social engineering and phishing, and other common avenues for infection.

“Several threat actors that typically use BazaLoader in malware campaigns have transitioned to Bumblebee,” Proofpoint researchers say. “Proofpoint assesses with moderate confidence the actors using Bumblebee may be considered initial-access facilitators.”

Hive of Activity: Ongoing Cybercrime Campaigns
Starting in March, Proofpoint observed Bumblebee campaigns distributed via email campaigns by at least three tracked threat actors.

“While lures, delivery techniques, and file names are typically customized to the different threat actors distributing the campaigns, Proofpoint observed several commonalities across campaigns, such as the use of ISO files containing shortcut files and DLLs and a common DLL entry point used by multiple actors within the same week,” according to the report. ISO files are used to store images of optical disks, DVDs, CDs, and other media.

In one case, a DocuSign-branded email campaign was designed to trick targets into downloading a malicious, zipped ISO file purporting to be an unpaid invoice, hosted on OneDrive. The emails contained either a hyperlink asking recipients to “REVIEW THE DOCUMENT" in the body of the message, or they used HTML attachments.

“The embedded URL in the HTML attachment used a redirect service which Proofpoint refers to as Cookie Reloaded, a URL redirect service which uses Prometheus TDS to filter downloads based on the time zone and cookies of the potential victim,” explain the researchers. “The redirector in turn directed the user to a zipped ISO file, also hosted on OneDrive.”

The ISO file contained a shortcut file named “ATTACHME.LNK,” which, when clicked, executed “Attachments.dat” with the correct parameters to run the Bumblebee downloader.

In another case, a campaign used thread jacking (i.e., when cybercriminals reply to existing email exchanges, inserting themselves into legitimate conversations) to deliver emails with malicious zipped ISO attachments.

And in yet another case, emails were generated by submitting a message to a contact form on the target’s website, while leaving public comments regarding the topic on the target’s site. As a lure, the attackers made claims about stolen images on the website. These “complaints” contained a link to a landing page that directed the user to the download of a malicious ISO file.

A bogus ‘complaint’ about the use of stolen images.

Source: Proofpoint

“The use of Bumblebee by multiple threat actors, the timing of its introduction in the landscape, and behaviors described in this report can be considered a notable shift in the cybercriminal threat landscape,” researchers conclude. “Proofpoint assesses with high confidence based on malware artifacts all the tracked threat actors using Bumblebee are receiving it from the same source.”

To protect themselves, organizations should shore up basic security hygiene, such as timely patching and strong password/multifactor authentication use – and also work with employees to instill awareness of email-borne threats and common social-engineering trickery.

**Malware Analysis: This Is No Bumbler
**Bumblebee is new and still under active development, but it’s already a sophisticated threat that organizations should watch out for, Proofpoint warned.

Once installed, the loader gathers system information and generates a “client ID.” It then hooks up with the C2 (the address(es) are stored in plaintext) and checks in at randomized intervals of seconds to retrieve commands.

Bumblebee supports the following commands:

  • Shi: shellcode injection
  • Dij: DLL injection
  • Dex: Download executable
  • Sdl: uninstall loader
  • Ins: enable persistence on the bot

Notably, it contains powerful anti-analysis and evasion tactics, including sandbox and virtual-machine awareness, the addition of an encryption layer to the network communications, and a check on current running processes against a hardcoded list of common tools used by malware analysts.

“The introduction of the Bumblebee loader to the crimeware threat landscape and its apparent replacement for BazaLoader demonstrates the flexibility threat actors have to quickly shift [tactics, techniques, and procedures] and adopt new malware,” says Sherrod DeGrippo, vice president of threat research and detection at Proofpoint. “Additionally, the malware is quite sophisticated and demonstrates being in ongoing, active development, introducing new methods of evading detection.”

Related news

Ambient.ai Expands Computer Vision Capabilities for Better Building Security

The AI startup releases new threat signatures to expand the computer vision platform’s ability to identify potential physical security incidents from camera feeds.

Threat Source newsletter (April 28, 2022) — The 2022 Cybersecurity Mock Draft

By Jon Munshaw.  Welcome to this week’s edition of the Threat Source newsletter that’s going to be a little different, but bear with me.  In honor of the NFL Draft starting this evening — an event that Cisco is helping to secure — I thought it’d be appropriate to look at building a... [[ This is only the beginning! Please visit the blog for the complete entry ]]

Cybercriminals Using New Malware Loader 'Bumblebee' in the Wild

Cybercriminal actors previously observed delivering BazaLoader and IcedID as part of their malware campaigns are said to have transitioned to a new loader called Bumblebee that's under active development. "Based on the timing of its appearance in the threat landscape and use by multiple cybercriminal groups, it is likely Bumblebee is, if not a direct replacement for BazaLoader, then a new,

U.S Cybersecurity Agency Lists 2021's Top 15 Most Exploited Software Vulnerabilities

Log4Shell, ProxyShell, ProxyLogon, ZeroLogon, and flaws in Zoho ManageEngine AD SelfService Plus, Atlassian Confluence, and VMware vSphere Client emerged as some of the top exploited security vulnerabilities in 2021. <!--adsense--> That's according to a "Top Routinely Exploited Vulnerabilities" report released by cybersecurity authorities from the Five Eyes nations Australia, Canada, New Zealand

CISA: Log4Shell Was the Most-Exploited Vulnerability in 2021

Internet-facing zero-day vulnerabilities were the most commonly used types of bugs in 2021 attacks, according to the international Joint Cybersecurity Advisory (JCSA).

DARKReading: Latest News

Varonis Warns of Bug Discovered in PostgreSQL PL/Perl