Old loader – new methods: Bumblebee causes a stir in American companies again

The malware disappeared from radar 4 months ago, and now it has appeared before researchers in an even more sophisticated form.

The Bumblebee malware returned after a four-month hiatus and attacked thousands of organizations in the US with large-scale phishing campaigns.

Bumblebee is a malware loader discovered in April 2022. Presumably, it was developed by the criminal groups Conti and Trickbot as a replacement for the BazarLoader backdoor.

The software is usually distributed in phishing emails to install additional malware on infected devices. This can be Cobalt Strike, which is used for initial penetration into the network, or ordinary ransomware.

In the new campaign, Bumblebee is hidden in fake voice message notifications. Users are sent emails allegedly from info@quarlessa[.]com with the subject "Voice message. February".

The message text contains a link to OneDrive, which loads a Word document with the name "ReleaseEvans#96.docm" or a similar name. This document contains macros for installing Bumblebee.

The use of macros in documents is unusual, given that Microsoft blocked them by default in 2022. Attackers may be trying to bypass the protection in this way.

Previously, methods such as direct DLL loading, embedding in HTML, and exploiting vulnerabilities were used to deliver Bumblebee. The return to macros is another way the current campaign differs from those more recent methods.

Bumblebee's operators have experimented with documents containing macros in the past, but such cases accounted for only 4.3% of all registered campaigns.

Before the four-month break, in September 2023, the researchers noted a new method of spreading Bumblebee. At that time the attackers began to use vulnerabilities in the WebDAV web service to bypass macro blocking and deliver the loader to the victims' computers.

Although the new campaign cannot yet be attributed to any specific attackers, the tradecraft closely resembles the activities of the TA579 group.

Experts warn that the return of Bumblebee could herald a surge in cybercrime in 2024. Along with it, other malware carriers, such as Pikabot, have also become active.
 
The malware Bumblebee has returned after a four-month hiatus and targeted thousands of organizations in the United States with its phishing campaigns.

Let me remind you that Bumblebee was first discovered in April 2022. As the researchers explained at the time, it is a multi-functional tool that can be used for initial access to victims' networks and subsequent deployment of other payloads, including ransomware. Researchers believe that Bumblebee is associated with the Conti and Trickbot groups and was created as a replacement for the BazarLoader backdoor.

The new campaign, discovered by Proofpoint specialists, has been active since October 2023, and researchers believe that in 2024, hackers' activity will continue to gain momentum.

This time, Bumblebee is being distributed under the guise of fake voice messages. Now phishing emails are disguised as new voicemail notifications and use the subject "Voicemail February". Such messages were sent to thousands of organizations in the United States from the address info@quarlessa[.]com.



The emails contain a link to OneDrive, where a decoy document called ReleaseEvans#96.docm is hosted. In the document, the hackers impersonate a representative of the company hu.ma.ne, ostensibly specializing in consumer electronics and known for its AI products.



The malicious document uses macros to create a script file in a temporary Windows folder and then runs it with wscript. This temporary file contains a PowerShell command that fetches and executes the next stage of the attack from a remote server, which eventually downloads and runs the Bumblebee DLL (w_ver.dll) on the victim's system.
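As an added example (not code from the original article or from Proofpoint), a small Python detector that looks for the process chain described above in process-creation events: an Office application spawning wscript.exe with a script in the user's Temp folder, which in turn spawns powershell.exe. The event fields and all sample values are constructed assumptions, not data from the report.

```python
"""Flag the Office -> wscript.exe (script in %TEMP%) -> powershell.exe chain."""
import re
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)
SCRIPT_EXT_RE = re.compile(r"\.(vbs|vbe|js|jse|wsf)\b", re.IGNORECASE)


@dataclass
class ProcEvent:
    """Minimal process-creation record (constructed; mirrors Sysmon Event ID 1 fields)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_chain(events):
    """Return (office_pid, script_host_pid, powershell_pid) triples for matching chains.
    Assumes PIDs are unique within the event window; PID reuse would need start-time checks."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        if basename(e.image) != "powershell.exe":
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or basename(parent.image) not in SCRIPT_HOSTS:
            continue
        # The script the macro dropped lives in the user's Temp folder.
        if not (TEMP_RE.search(parent.cmdline) and SCRIPT_EXT_RE.search(parent.cmdline)):
            continue
        grandparent = by_pid.get(parent.ppid)
        if grandparent is None or basename(grandparent.image) not in OFFICE_APPS:
            continue
        alerts.append((grandparent.pid, parent.pid, e.pid))
    return alerts


# Constructed sample: one malicious chain and one benign logon-script chain.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              '"WINWORD.EXE" /n "C:\\Users\\alice\\Downloads\\ReleaseEvans#96.docm"'),
    ProcEvent(300, 200, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\alice\AppData\Local\Temp\vm.vbs"'),
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -WindowStyle Hidden -Command <constructed placeholder>"),
    ProcEvent(500, 100, r"C:\Windows\System32\wscript.exe", r"wscript.exe \\corp\netlogon\login.vbs"),
    ProcEvent(600, 500, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -File C:\\Scripts\\map_drives.ps1"),
]

if __name__ == "__main__":
    print(detect_chain(SAMPLE_EVENTS))  # [(200, 300, 400)]
```

The benign logon-script chain (explorer -> wscript -> powershell) is not flagged because its parent is not an Office application and its script is not in Temp.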

Proofpoint notes that the use of VBA macros in documents is unusual and quite remarkable, since Microsoft decided to block such macros by default back in 2022. Previous Bumblebee campaigns have used techniques such as direct DLL loading, HTML smuggling, and vulnerability exploitation to deliver the final payload.

Experts explain that these changes may be related to attempts to evade detection, because malicious VBA is now less common. It is also possible that the hackers are deliberately targeting heavily outdated systems. In addition, according to Proofpoint, Bumblebee operators have already experimented with documents containing macros in previous campaigns, but these cases accounted for only 4.3% of the total number of attacks.

Bumblebee is usually rented by hackers who want to skip the initial-access stage and immediately inject their payload into already compromised systems. The researchers write that they do not have sufficient evidence to attribute the recent campaign to any particular hacking group. However, according to them, this campaign is similar to the operations of the group that they track under the code name TA579.
 