Infamous Bumblebee Malware Re-emerges with New Assault Strategies

Bumblebee malware has re-emerged following a four-month absence from the cyber menace panorama, based on Proofpoint analysis.

The brand new marketing campaign, noticed in February 2024, used a “considerably totally different” assault chain in comparison with earlier Bumblebee infiltrations.

The return of Bumblebee coincides with the reappearance of a number of infamous menace actors at first of 2024 following a brief “Winter lull,” the researchers added.

Bumblebee was steadily noticed being utilized by a number of menace actors from March 2022 by way of to October 2023. In complete, Proofpoint recognized 230 Bumblebee campaigns throughout this era.

The subtle downloader is primarily used as an initial access broker, to obtain and execute further payloads, reminiscent of Cobalt Strike, shellcode, Sliver and Meterpreter.

A spread of artistic strategies have been used to distribute Bumblebee. For instance, Secureworks reported in April 2023 that popular software tools reminiscent of Zoom, Cisco AnyConnect, ChatGPT and Citrix Workspace had been trojanized to contaminate victims.

What Does the Bumblebee Marketing campaign Look Like?

Proofpoint mentioned Bumblebee “disappeared” from its radar in October 2023, earlier than observing a brand new marketing campaign designed to distribute the malware in February 2024.

The attackers utilized social engineering strategies to entice targets into downloading Bumblebee. Within the marketing campaign, a number of thousand emails have been despatched from the deal with “information@quarlesaa[.]com to organizations within the US with the topic “Voicemail February.”

These emails contained OneDrive URLs, resulting in a Phrase file with names reminiscent of “ReleaseEvans#96.docm.”

This Phrase doc spoofed shopper electronics agency Humane.

The paperwork used macros to create a script within the Home windows non permanent listing, with the dropped file executed utilizing “wscript.”

Contained in the dropped non permanent file was a PowerShell command, which downloaded and executed the following stage of the assault chain from a distant server.

This subsequent stage was one other PowerShell command saved in file “update_ver,” which downloaded and ran the Bumblebee DLL.

The researchers highlighted a spread of distinctive traits related to this new Bumblebee marketing campaign. This included the usage of VBA macro-enabled paperwork within the assault chain. Proofpoint famous that almost all cybercriminal menace actors have practically stopped utilizing VBA paperwork.

Earlier Bumblebee campaigns used approaches like combining URLs and attachments and exploiting vulnerabilities.

Menace Actors Resume Campaigns Following Winter Break

Proofpoint has not been in a position to attribute the brand new marketing campaign to a tracked menace actor. Nevertheless, the researchers famous that a few of the strategies used, such because the voicemail lure theme and use of OneDrive URLs, align with earlier actions of the TA579 group.

The blog post famous that a number of tracked menace actors have resumed actions after an absence on the finish of 2023. This consists of TA577 returning to ship the Qbot malware on the finish of January after a month-long absence from mid-December.

Proofpoint mentioned it expects this “excessive operational tempo” to proceed till anticipated summer season breaks.

“2024 has began off with a bang for cybercriminal menace actors, with exercise returning to very excessive ranges after a brief winter lull. Proofpoint researchers proceed to watch new, artistic assault chains, makes an attempt to bypass detections, and up to date malware from many menace actors and unattributed menace clusters,” the researchers wrote.