Headline
Cybercriminals Using New Malware Loader 'Bumblebee' in the Wild
Cybercriminal actors previously observed delivering BazaLoader and IcedID as part of their malware campaigns are said to have transitioned to a new loader called Bumblebee that’s under active development. "Based on the timing of its appearance in the threat landscape and use by multiple cybercriminal groups, it is likely Bumblebee is, if not a direct replacement for BazaLoader, then a new,
Cybercriminal actors previously observed delivering BazaLoader and IcedID as part of their malware campaigns are said to have transitioned to a new loader called Bumblebee that’s under active development.
“Based on the timing of its appearance in the threat landscape and use by multiple cybercriminal groups, it is likely Bumblebee is, if not a direct replacement for BazaLoader, then a new, multifunctional tool used by actors that historically favored other malware,” enterprise security firm Proofpoint said in a report shared with The Hacker News.
Campaigns distributing the new highly sophisticated loader are said to have commenced in March 2022, while sharing overlaps with malicious activity leading to the deployment of Conti and Diavol ransomware, raising the possibility that the loader could act as a precursor for ransomware attacks.
“Threat actors using Bumblebee are associated with malware payloads that have been linked to follow-on ransomware campaigns,” the researchers said.
Besides featuring anti-virtualization checks, Bumblebee is written in C++ and is engineered to act as a downloader for retrieving and executing next-stage payloads, including Cobalt Strike, Sliver, Meterpreter, and shellcode.
Interestingly, the increased detection of the malware loader in the threat landscape corresponds to the disappearance of BazaLoader deployments since February 2022, another popular loader developed by the makers of the now-defunct TrickBot gang, which has since been absorbed into Conti.
Attack chains distributing Bumblebee have taken the form of DocuSign-branded email phishing lures incorporating fraudulent links or HTML attachments, leading potential victims to a compressed ISO file hosted on Microsoft OneDrive.
What’s more, the embedded URL in the HTML attachment makes use of a traffic direction system (TDS) dubbed Prometheus — which is available for sale on underground platforms for $250 a month — to redirect the URLs to the archive files based on the time zone and cookies of the victims.
The ZIP files, in turn, include .LNK and .DAT files, with the Windows shortcut file executing the latter containing the Bumblebee downloader, before using it to deliver BazaLoader and IcedID malware.
A second campaign in April 2022 involved a thread-hijacking scheme in which legitimate invoice-themed emails were taken over to send zipped ISO files, which were then used to execute a DLL file to activate the loader.
Also observed is the abuse of the contact form present on the target’s website to send a message claiming copyright violations of images, pointing the victim to a Google Cloud Storage link that results in the download of a compressed ISO file, thereby continuing the aforementioned infection sequence.
The transition from BazarLoader to Bumblebee is further evidence that these threat actors — likely initial access brokers who infiltrate targets and then sell that access to others — are receiving the malware from a common source, while also signaling a departure after the Conti group’s attack toolkit became public knowledge around the same time.
The development also overlaps with Conti taking over the infamous TrickBot botnet and shutting it down to focus on the development of BazarLoader and Anchor malware. It’s not immediately clear if the leaks prompted the gang to abandon BazaLoader in favor of Bumblebee.
“The introduction of the Bumblebee loader to the crimeware threat landscape and its apparent replacement for BazaLoader demonstrates the flexibility threat actors have to quickly shift TTPs and adopt new malware,” Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, said.
“Additionally, the malware is quite sophisticated, and demonstrates being in ongoing, active development introducing new methods of evading detection,” DeGrippo added.
Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.
Related news
The AI startup releases new threat signatures to expand the computer vision platform’s ability to identify potential physical security incidents from camera feeds.
The sophisticated Bumblebee downloader is being used in ongoing email-borne attacks that could lead to ransomware infections.
By Jon Munshaw. Welcome to this week’s edition of the Threat Source newsletter that’s going to be a little different, but bear with me. In honor of the NFL Draft starting this evening — an event that Cisco is helping to secure — I thought it’d be appropriate to look at building a... [[ This is only the beginning! Please visit the blog for the complete entry ]]
Log4Shell, ProxyShell, ProxyLogon, ZeroLogon, and flaws in Zoho ManageEngine AD SelfService Plus, Atlassian Confluence, and VMware vSphere Client emerged as some of the top exploited security vulnerabilities in 2021. <!--adsense--> That's according to a "Top Routinely Exploited Vulnerabilities" report released by cybersecurity authorities from the Five Eyes nations Australia, Canada, New Zealand
Internet-facing zero-day vulnerabilities were the most commonly used types of bugs in 2021 attacks, according to the international Joint Cybersecurity Advisory (JCSA).