Bumblebee, a new malware loader used by multiple crimeware threat actors

Threat actors have replaced the BazaLoader and IcedID malware with a new loader called Bumblebee in their campaigns.

Cybercriminal groups that were previously using the BazaLoader and IcedID as part of their malware campaigns seem to have adopted a new loader called Bumblebee.

The loader appears to be under development and is a highly sophisticated malware that first appeared in the threat landscape in March 2022.

Proofpoint researchers have tracked at least three clusters of activity associated with the distribution of the Bumblebee. The campaigns overlap with activity detailed by the Google Threat Analysis Group in March that aimed at distributing Conti and Diavol ransomware.

Bumblebee implements anti-virtualization checks and a unique implementation of common downloader capabilities, it was observed dropping Cobalt Strike, shellcode, Sliver and Meterpreter. 

“Bumblebee is a sophisticated malware loader that demonstrates evidence of ongoing development. It is used by multiple cybercrime threat actors.” reads the analysis published by ProofPoint. “Based on the timing of its appearance in the threat landscape and use by multiple cybercriminal groups, it is likely Bumblebee is, if not a direct replacement for BazaLoader, then a new, multifunctional tool used by actors that historically favored other malware.”

The attacks observed by Proofpoint experts employed DocuSign-branded messages and aimed at tricking recipients into downloading a malicious ISO file hosted on OneDrive.

In one of the paths observed by the experts, threat actors send messages containing a “REVIEW THE DOCUMENT” hyperlink, while another one leverages an HTML attachment containing an URL that use of a traffic direction system (TDS) dubbed Prometheus to filter downloads based on the time zone and cookies of the potential victim.

Attackers also attempted to abuse the contact form on the target’s website and send to the recipient a message claiming copyright violations of images. The message includes a link to a landing page that directed the user to the download of an ISO file containing “DOCUMENT_STOLENIMAGES.LNK” and “neqw.dll”).

Proofpoint also observed a second campaign in April 2022 involved a thread-hijacking campaign delivering emails that appeared to be the replies to existing benign email conversations with malicious zipped ISO attachments (“doc_invoice_[number].zip”).

Proofpoint reported significant changes to Bumblebee functionality in the latest version of the loader employed in the April campaigns, such as the support for multiple C2s and the addition of an encryption layer to the network communications.

Experts believe that the threat actors using Bumblebee could be initial access brokers that have received the loader from the same threat actors.

Further technical details about the loader are included in the Proofpoint report along with Indicators of Compromise (IoCs).

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit: https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform  

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Bumblebee)

[adrotate banner=”5″]

[adrotate banner=”13″]