Bumblebee Malware returns with new tricks aimed at US companies


The infamous malware loader and initial access broker known as Bumblebee has resurfaced after a four-month absence as part of a new phishing campaign spotted in February 2024.

Enterprise security company Proofpoint said the activity is targeting organizations in the US with voicemail-themed lures with links to OneDrive URLs.

“The URLs led to a Word file with names like ‘ReleaseEvans#96.docm’ (the numbers before the file extension varied),” the company said in a Tuesday report. “The Word document spoofed the consumer electronics company Humane.”

When the document is opened, VBA macros are used to launch a PowerShell command that downloads and runs another PowerShell script from a remote server, which in turn retrieves and runs the Bumblebee loader.

First spotted in March 2022, Bumblebee is primarily designed to download and execute follow-on payloads such as ransomware. It has been deployed by multiple crimeware threat actors who were previously observed delivering BazaLoader (also known as BazarLoader) and IcedID.

It is also suspected to have been developed by the threat actors behind the cybercrime syndicates Conti and TrickBot as a replacement for BazarLoader. In September 2023, Intel 471 reported a Bumblebee distribution campaign that used Web Distributed Authoring and Versioning (WebDAV) servers to deliver the loader.

The attack chain is notable for its reliance on macro-enabled documents, especially considering that as of July 2022 Microsoft began blocking macros by default in Office files downloaded from the Internet, prompting threat actors to adapt their approach and diversify their delivery methods.
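The campaign described above hinges on a macro-enabled Word document (.docm). Because an OOXML document is a ZIP container, a defender can triage a file for embedded VBA by inspecting the container itself rather than trusting the file extension. The following is an added example written for this article, not code from Proofpoint or any other vendor; the sample documents it builds are constructed in memory and are not real malware, and the part and content-type names it checks are the standard ones used by Word for macro-enabled files.

```python
"""Triage check for macro-enabled Office (OOXML) documents.

Added example (not from the article or any vendor). A Word document in OOXML
form is a ZIP container; it carries VBA macros when it includes a
``word/vbaProject.bin`` part, and its ``[Content_Types].xml`` declares the
``application/vnd.ms-office.vbaProject`` content type for that part.
Checking the container instead of the extension catches macro documents
regardless of how they were named.
"""
import io
import zipfile

MACRO_PART_SUFFIX = "vbaProject.bin"
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def triage_ooxml(data: bytes) -> dict:
    """Return a dict of findings for an OOXML file held in memory.

    Keys:
      is_zip              - data parsed as a ZIP container
      has_vba_part        - a vbaProject.bin part is present
      declares_macro_type - [Content_Types].xml advertises the VBA content type
      parts               - list of part names (empty if not a ZIP)
    """
    findings = {
        "is_zip": False,
        "has_vba_part": False,
        "declares_macro_type": False,
        "parts": [],
    }
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            findings["is_zip"] = True
            findings["parts"] = names
            findings["has_vba_part"] = any(
                n.endswith(MACRO_PART_SUFFIX) for n in names
            )
            if "[Content_Types].xml" in names:
                content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                findings["declares_macro_type"] = MACRO_CONTENT_TYPE in content_types
    except zipfile.BadZipFile:
        # Not an OOXML container (could be legacy .doc, plain text, or junk).
        pass
    return findings


def contains_vba_macros(data: bytes) -> bool:
    """True if either indicator of an embedded VBA project is present."""
    f = triage_ooxml(data)
    return f["has_vba_part"] or f["declares_macro_type"]


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-like container for testing.

    This is a constructed sample, not a real Word document and not malware:
    the 'VBA project' is an inert placeholder byte string.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        types = [
            '<?xml version="1.0" encoding="UTF-8"?>',
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
            '<Default Extension="xml" ContentType="application/xml"/>',
        ]
        if with_macro:
            types.append(f'<Default Extension="bin" ContentType="{MACRO_CONTENT_TYPE}"/>')
        types.append("</Types>")
        zf.writestr("[Content_Types].xml", "".join(types))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00placeholder-vba-project\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("macro-enabled", build_sample(True)),
                          ("macro-free", build_sample(False))):
        print(label, "->", "VBA present" if contains_vba_macros(sample) else "no VBA")
```

In practice this check would run on attachments or downloads before a user opens them; a file that is not a ZIP at all (legacy binary .doc, or a mis-labelled executable) is reported as such rather than being treated as safe.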

The return of Bumblebee also coincides with the return of new variants of QakBot, ZLoader and PikaBot, with samples of QakBot being distributed in the form of Microsoft Software Installer (MSI) files.

“The .MSI drops a Windows .cab (Cabinet) archive, which in turn contains a DLL,” cybersecurity firm Sophos said on Mastodon. “The .MSI extracts the DLL from the .cab and executes it using shellcode. The shellcode causes the DLL to spawn a second copy of itself and inject the bot code into the memory space of the second instance.”

The latest QakBot artifacts have been found to strengthen the encryption used to hide strings and other information, including the use of a crypter malware called DaveCrypter, making it more difficult to analyze. The new generation also restores the ability to detect whether the malware was running in a virtual machine or sandbox.

Another crucial change is the encryption of all communications between the malware and the command-and-control (C2) server using AES-256, a stronger method than was used in versions prior to the dismantling of the QakBot infrastructure at the end of August 2023.

“The removal of the QakBot botnet infrastructure was a victory, but the bot’s creators remain free, and someone with access to QakBot’s original source code has been experimenting with new builds and testing the waters with these latest variants,” Andrew Brandt, lead researcher at Sophos X-Ops, said.

“One of the most notable changes involves a change to the encryption algorithm that the bot uses to hide default configurations hardcoded into the bot, making it harder for analysts to see how the malware works; the attackers are also restoring previously deprecated features such as virtual machine (VM) awareness and testing them in these new versions.”

The development comes as Malwarebytes revealed a new campaign in which phishing sites impersonating financial institutions like Barclays trick potential targets into downloading legitimate remote desktop software like AnyDesk to fix supposedly non-existent issues and ultimately let threat actors take control of the machine.
