Cybercriminals Using New Malware Loader ‘Bumblebee’ in the Wild

Cybercriminal actors previously observed delivering BazaLoader
and IcedID as part of their malware campaigns are said to have
transitioned to a new loader called Bumblebee that’s under active
development.

“Based on the timing of its appearance in the threat landscape
and use by multiple cybercriminal groups, it is likely Bumblebee
is, if not a direct replacement for BazaLoader, then a new,
multifunctional tool used by actors that historically favored other
malware,” enterprise security firm Proofpoint said^[1]
in a report shared with The Hacker News.

Campaigns distributing the new highly sophisticated loader are
said to have commenced in March 2022, while sharing overlaps with
malicious activity leading to the deployment of Conti and Diavol
ransomware, raising the possibility that the loader could act as a
precursor for ransomware attacks.

“Threat actors using Bumblebee are associated with malware
payloads that have been linked to follow-on ransomware campaigns,”
the researchers said.

Besides featuring anti-virtualization checks, Bumblebee is
written in C++ and is engineered to act as a downloader for
retrieving and executing next-stage payloads, including Cobalt
Strike, Sliver, Meterpreter, and shellcode.

Interestingly, the increased detection of the malware loader in
the threat landscape corresponds to the disappearance of BazaLoader
deployments since February 2022, another popular loader developed
by the makers of the now-defunct TrickBot gang, which has since
been absorbed into Conti.

Attack chains distributing Bumblebee have taken the form of
DocuSign-branded email phishing lures incorporating fraudulent
links or HTML attachments, leading potential victims to a
compressed ISO file hosted on Microsoft OneDrive.

What’s more, the embedded URL in the HTML attachment makes use
of a traffic direction system (TDS) dubbed Prometheus^[2]
— which is available for sale on underground platforms for $250 a
month — to redirect the URLs to the archive files based on the time
zone and cookies of the victims.

The ZIP files, in turn, include .LNK and .DAT files, with the
Windows shortcut file executing the latter containing the Bumblebee
downloader, before using it to deliver BazaLoader and IcedID
malware.

A second campaign in April 2022 involved a thread-hijacking
scheme in which legitimate invoice-themed emails were taken over to
send zipped ISO files, which were then used to execute a DLL file
to activate the loader.

Also observed is the abuse of the contact form present on the
target’s website to send a message claiming copyright violations of
images, pointing the victim to a Google Cloud Storage link that
results in the download of a compressed ISO file, thereby
continuing the aforementioned infection sequence.

The transition from BazarLoader to Bumblebee is further evidence
that these threat actors — likely initial access brokers who
infiltrate targets and then sell that access to others — are
receiving the malware from a common source, while also signaling a
departure after the Conti group’s attack toolkit^[3]
became public knowledge^[4]
around the same time.

The development also overlaps with Conti taking over the
infamous TrickBot botnet^[5] and shutting it down to
focus on the development of BazarLoader and Anchor malware. It’s
not immediately clear if the leaks prompted the gang to abandon
BazaLoader in favor of Bumblebee.

“The introduction of the Bumblebee loader to the crimeware
threat landscape and its apparent replacement for BazaLoader
demonstrates the flexibility threat actors have to quickly shift
TTPs and adopt new malware,” Sherrod DeGrippo, vice president of
threat research and detection at Proofpoint, said.

“Additionally, the malware is quite sophisticated, and
demonstrates being in ongoing, active development introducing new
methods of evading detection,” DeGrippo added.