Summary: The Bumblebee malware loader has reportedly re-emerged following its disruption by Europol in May 2024, with a new infection chain identified by Netskope Threat Labs. This resurgence marks the first Bumblebee campaign since the law enforcement operation, indicating a potential revival of its malicious activities.
Threat Actor: Cybercriminal groups | Bumblebee
Victim: Individuals and organizations | cyber victims
Key Point :
- The new infection chain begins with a phishing email that prompts victims to download a ZIP file containing a malicious LNK file.
- This LNK file executes a Powershell command to download and install a disguised Microsoft Installer (MSI) file, facilitating the final Bumblebee payload execution entirely in memory.
- The use of MSI files for payload execution is a novel approach for Bumblebee, previously seen in other malware campaigns.
The Bumblebee malware loader could have re-emerged months after Europol-led Operation Endgame disrupted it in May 2024.
A new infection chain which deploys Bumblebee malware has been uncovered in a new report from Netskope Threat Labs.
This is the first occurrence of a Bumblebee campaign since Operation Endgame, a law enforcement operation performed by Europol and partners in May 2024 which disrupted major malware botnets.
The Netskope report also points to other research corroborating a possible Bumblebee return.
Background on Bumblebee
Bumblebee is a sophisticated malware loader that cybercriminal groups have actively used to distribute various types of malware, such as ransomware, infostealers, and other malicious payloads.
Google’s Threat Analysis Group (TAG) first discovered the malware in March 2022 and named it Bumblebee based on a user-agent string it used.
Bumblebee replaced other popular loaders like BazarLoader and TrickBot, which were heavily used in ransomware campaigns.
It has been linked to several ransomware groups, including Conti, Quantum, and MountLocker, all of which use it as part of their initial access strategy for deploying ransomware.
Bumblebee disappeared from the cyber threat landscape in late 2023 before re-emerging in February 2024.
Three months later, its infrastructure was taken down by Europol alongside other loaders’, including IcedID, SystemBC, Pikabot, Smokeloader and Trickbot.
Bumblebee’s New Infection Chain
The infection chain detected by Netskope likely starts via a phishing email luring the victim to download a ZIP file and extract and execute the file inside it.
The ZIP file contains an LNK file named “Report-41952.lnk” that, once executed, starts a chain of events to download and execute the final Bumblebee payload in memory, avoiding the need to write the DLL on disk, as observed in previous campaigns.
The usage of LNK files is common in Bumblebee campaigns, either to download the next stage payloads or to directly execute files. In this case, the file is used as a downloader and is responsible for downloading and executing the next stage of the infection chain.
Once opened, the LNK file executes a Powershell command to download a Microsoft Installer (MSI) file from a remote server, renames it as ‘%AppData%y.msi’ and then executes/installs it using the Microsoft msiexec.exe tool.
The use of MSI files to execute payloads is a successful technique several adversaries, such as DarkGate and Latrodectus, regularly use.
However, this is the first time it has been seen being used to deploy Bumblebee, Leandro Fróes, the author of the Netskope report, said.
In the case of this new infection, the analyzed samples are disguised as Nvidia and Midjourney installers. They are used to load and execute the final payload all in memory, without even having to drop the payload to disk, as observed in previous campaigns using ISO files.
Source: https://www.infosecurity-magazine.com/news/possible-bumblebee-resurgence