Bumblebee malware attacks are back after 4-month break


The Bumblebee malware has returned after a four-month vacation, targeting thousands of organizations in the United States in phishing campaigns.

Bumblebee is a malware loader discovered in April 2022 and is believed to have been developed by the Conti and Trickbot cybercrime syndicate as a replacement for the BazarLoader backdoor.

The malware is commonly distributed in phishing campaigns to drop additional payloads on infected devices, such as Cobalt Strike beacons, for initial network access and to conduct ransomware attacks.

In a new malware campaign observed by Proofpoint, the return of Bumblebee since October is significant as it could lead to a broader increase in cybercrime activities as we head into 2024.

Spreading through fake voicemails

The new phishing campaign pushing Bumblebee pretends to be voicemail notifications that use the subject of "Voicemail February" and were sent to thousands of organizations in the U.S. from the address "info@quarlessa[.]com."

Phishing email spreading Bumblebee
Source: Proofpoint

The emails contain a OneDrive URL that downloads a Word document named "ReleaseEvans#96.docm" or something similar, with a lure pretending to be from consumer electronics company hu.ma.ne, known for its AI-powered pin.

The bogus document containing the VBA macro
Source: Proofpoint

The malicious document employs macros to create a script file in the Windows temp folder and then executes the dropped file using "wscript."

This temporary file contains a PowerShell command that fetches and executes the next stage from a remote server, which eventually downloads and launches the Bumblebee DLL (w_ver.dll) on the victim's system.
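The chain described above (Office macro, script run by wscript from the temp folder, then PowerShell) leaves a recognizable process lineage. The following detection sketch is an added example, not code from Proofpoint or the original article; the event records, paths, PIDs and function names are constructed, and it assumes the script host appears as a direct child of the Office process.

```python
import ntpath

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

# Constructed process-creation records: (pid, parent pid, image, command line).
# Paths, file names and PIDs are made up for this example.
SAMPLE_EVENTS = [
    (100, 1, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     r'WINWORD.EXE /n "C:\Users\a\Downloads\sample.docm"'),
    (200, 100, r"C:\Windows\System32\wscript.exe",
     r'wscript.exe "C:\Users\a\AppData\Local\Temp\sample.vbs"'),
    (300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -Command <placeholder>"),
    (400, 1, r"C:\Windows\System32\wscript.exe",
     r'wscript.exe "C:\Scripts\logon.vbs"'),  # admin script, no Office ancestor
    (500, 400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -File inventory.ps1"),
]

def exe_name(image):
    """Lower-cased file name of a Windows image path (works on any OS)."""
    return ntpath.basename(image).lower()

def in_temp(cmd):
    """True if a lower-cased command line references a Windows temp folder."""
    return any(d in cmd for d in TEMP_DIRS)

def find_macro_chains(events):
    """Flag Office -> script host -> PowerShell lineage in process events.

    Assumes PIDs are unique within the batch; real telemetry should key on
    a process GUID because PIDs are reused.
    """
    by_pid = {p: (pp, exe_name(img), cmd.lower()) for p, pp, img, cmd in events}
    alerts = []
    for pid, (ppid, name, cmd) in by_pid.items():
        parent = by_pid.get(ppid)
        if parent is None:
            continue
        if name in SCRIPT_HOSTS and parent[1] in OFFICE:
            alerts.append((pid, "office_spawned_script_host", in_temp(cmd)))
        elif name in SHELLS and parent[1] in SCRIPT_HOSTS:
            grandparent = by_pid.get(parent[0])
            if grandparent and grandparent[1] in OFFICE:
                alerts.append((pid, "macro_script_spawned_powershell", in_temp(parent[2])))
    return alerts
```

Each alert is a tuple of the flagged PID, the stage name, and whether the script host's command line pointed into a temp folder; the standalone wscript and PowerShell pair (PIDs 400 and 500) is not flagged because it has no Office ancestor.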

Proofpoint comments that using VBA macros in documents is notable and unusual following Microsoft's decision to block macros by default in 2022, making it harder for the campaign to achieve much success.

Previous Bumblebee campaigns employed methods like direct DLL downloads, HTML smuggling, and exploitation of vulnerabilities such as CVE-2023-38831 to deliver the final payload, so the current attack chain represents a significant departure from more modern techniques.

Possible explanations for this include evasion, since malicious VBAs are now less common, or niche/narrow targeting aimed at severely outdated systems. Additionally, Bumblebee may be testing and diversifying its distribution methods.

Proofpoint says Bumblebee has experimented with macro-laden documents in past campaigns, though those cases correspond to just 4.3% of the total recorded (230 campaigns).

Before Bumblebee's break, the last notable development in the malware was in September 2023, when the malware employed a new distribution technique relying on the abuse of 4shared WebDAV services to evade blocklists.

Cybercrime back to work

Bumblebee is typically rented to cybercriminals who want to bypass the initial access stage and introduce their payloads into already-breached systems.

Proofpoint says there's not enough evidence to attribute the new campaign to any particular threat groups. However, the researchers say the campaign bears the hallmarks of the threat actors they track as TA579.

According to Proofpoint, other threat actors who have recently shown a resurgence in their activities include TA576, TA866, TA582, and TA2541.

Law enforcement authorities' disruption of QBot (Qakbot) has created a void in the payload distribution market, which other malware are attempting to fill.

Notable cases include DarkGate and Pikabot, two highly capable malware loaders that now drive infections via multiple channels, including phishing, malvertising, and messages on Skype and Microsoft Teams.

Zscaler published a report on Pikabot yesterday, noting that the malware has reemerged with a new, simplified version this month, following a short hiatus after Christmas last year.

The new Pikabot version has stripped the advanced code obfuscation techniques used previously and uses a less versatile configuration system, so it looks like an early release of a revamped variant.