Cybercriminal actors previously observed delivering BazaLoader and IcedID as part of their malware campaigns are said to have transitioned to a new loader called Bumblebee that is under active development.
“Based on the timing of its appearance in the threat landscape and use by multiple cybercriminal groups, it is likely Bumblebee is, if not a direct replacement for BazaLoader, then a new, multifunctional tool used by actors that historically favored other malware,” enterprise security firm Proofpoint said in a report shared with The Hacker News.
Campaigns distributing the new, highly sophisticated loader are said to have commenced in March 2022, while sharing overlaps with malicious activity leading to the deployment of Conti and Diavol ransomware, raising the possibility that the loader could act as a precursor for ransomware attacks.
“Threat actors using Bumblebee are associated with malware payloads that have been linked to follow-on ransomware campaigns,” the researchers said.
Besides featuring anti-virtualization checks, Bumblebee is written in C++ and is engineered to act as a downloader for retrieving and executing next-stage payloads, including Cobalt Strike, Sliver, Meterpreter, and shellcode.
Interestingly, the increased detection of the malware loader in the threat landscape corresponds to the disappearance since February 2022 of BazaLoader deployments, another popular loader developed by the makers of the now-defunct TrickBot gang, which has since been absorbed into Conti.
Attack chains distributing Bumblebee have taken the form of DocuSign-branded email phishing lures incorporating fraudulent links or HTML attachments, leading potential victims to a compressed ISO file hosted on Microsoft OneDrive.
What's more, the embedded URL in the HTML attachment uses a traffic direction system (TDS) dubbed Prometheus, which is available for sale on underground platforms for $250 a month, to redirect the URLs to the archive files based on the time zone and cookies of the victims.
The ZIP files, in turn, include .LNK and .DAT files, with the Windows shortcut file executing the latter, which contains the Bumblebee downloader, before using it to deliver BazaLoader and IcedID malware.
A second campaign in April 2022 involved a thread-hijacking scheme in which legitimate invoice-themed emails were taken over to deliver zipped ISO files, which were then used to execute a DLL file to activate the loader.
Also observed is the abuse of the contact form present on the target's website to send a message claiming copyright violations of images, pointing the victim to a Google Cloud Storage link that leads to the download of a compressed ISO file, thereby continuing the aforementioned infection sequence.
The transition from BazarLoader to Bumblebee is further evidence that these threat actors, likely initial access brokers who infiltrate targets and then sell that access to others, are receiving the malware from a common source, while also signaling a departure after the Conti group's attack toolkit became public knowledge around the same time.
The development also overlaps with Conti taking over the infamous TrickBot botnet and shutting it down to focus on the development of BazarLoader and Anchor malware. It's not immediately clear if the leaks prompted the gang to abandon BazaLoader in favor of Bumblebee.
“The introduction of the Bumblebee loader to the crimeware threat landscape and its apparent replacement for BazaLoader demonstrates the flexibility threat actors have to quickly shift TTPs and adopt new malware,” Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, said.
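The delivery chain described above (a downloaded ISO, a shortcut inside the mounted image, and a .DAT or DLL payload launched from it) can be hunted for in endpoint telemetry. The following is an added example, not code from Proofpoint or the article: it correlates a constructed set of Sysmon-style events (file-create and process-create; field names, the rundll32 host process and all paths are assumptions) and flags an ISO download followed shortly by an explorer.exe child that runs a .dat/.dll from a non-system drive letter, which is how a mounted image typically appears.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (assumption: layout mirrors Sysmon event ID 11 =
# file create and event ID 1 = process create; every value here is invented).
EVENTS = [
    {"id": 11, "ts": "2022-04-12T09:01:10",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "target": r"C:\Users\alice\Downloads\invoice_0412.iso"},
    # Shortcut double-clicked in the mounted image: explorer.exe spawns a host
    # process that loads the .DAT payload (host process is an assumption).
    {"id": 1, "ts": "2022-04-12T09:01:52", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe E:\documents.dat,Setup", "cwd": "E:\\"},
    # Benign explorer child on the system drive; must not be flagged.
    {"id": 1, "ts": "2022-04-12T09:30:00", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\alice\notes.txt", "cwd": r"C:\Users\alice"},
]

# An .iso landing in a user's Downloads folder (browser or mail client drop).
ISO_DOWNLOAD = re.compile(r"\\Users\\[^\\]+\\Downloads\\[^\\]+\.iso$", re.I)
# A .dat or .dll referenced on a drive letter other than C: (mounted image).
PAYLOAD_ON_OTHER_DRIVE = re.compile(r'\b[D-Z]:\\[^\s,"]+\.(?:dat|dll)\b', re.I)


def find_iso_lnk_chains(events, window=timedelta(minutes=10)):
    """Return (iso_path, cmdline) pairs where an ISO download is followed within
    `window` by an explorer.exe child executing a .dat/.dll from another drive."""
    iso_drops = [(datetime.fromisoformat(e["ts"]), e["target"])
                 for e in events
                 if e["id"] == 11 and ISO_DOWNLOAD.search(e["target"])]
    hits = []
    for e in events:
        if e["id"] != 1 or not e["parent"].lower().endswith("\\explorer.exe"):
            continue
        if not PAYLOAD_ON_OTHER_DRIVE.search(e["cmdline"]):
            continue
        started = datetime.fromisoformat(e["ts"])
        for dropped, iso in iso_drops:
            if timedelta(0) <= started - dropped <= window:
                hits.append((iso, e["cmdline"]))
    return hits


if __name__ == "__main__":
    for iso, cmd in find_iso_lnk_chains(EVENTS):
        print(f"suspicious ISO->shortcut->payload chain: {iso} -> {cmd}")
```

The time window and drive-letter heuristic are tuning knobs; in production the same correlation is better expressed as a SIEM rule keyed on host and user.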
“Additionally, the malware is quite sophisticated, and demonstrates being in ongoing, active development introducing new methods of evading detection,” DeGrippo added.