The sophisticated malware loader Bumblebee appears to have resurfaced after a May 2024 law enforcement operation disrupted its infrastructure, cybersecurity firm Netskope reports.
The takedown, referred to as Operation Endgame, targeted Bumblebee, IcedID, Pikabot, Smokeloader, SystemBC, and Trickbot, and resulted in asset freezes, infrastructure shutdowns, and the identities of eight suspects being made public.
First discovered in March 2022 and mainly used for payload delivery, Bumblebee disappeared from the threat landscape after the disruption, but Netskope has uncovered a new infection chain that results in the loader’s deployment.
The malware downloader appears to be distributed via phishing emails luring the recipients into opening an attached ZIP archive and executing its content.
“The ZIP file contains an LNK file named ‘Report-41952.lnk’ that, once executed, starts a chain of events to download and execute the final Bumblebee payload in memory, avoiding the need to write the DLL on disk, as observed in previous campaigns,” Netskope explains.
Bumblebee’s operators are known for their use of LNK files for payload download and file execution, and the newly observed attacks are no different: the LNK file executes a PowerShell command to fetch an MSI file from a remote server and install it using msiexec.exe.
User interaction is only required for running the LNK file, while the rest of the infection chain is executed automatically. The MSI files dropping the Bumblebee payload pose as Nvidia and Midjourney installers.
While previous attacks relied on legitimate binaries such as rundll32.exe and regsvr32.exe for loading malicious DLL files, the newly observed Bumblebee infection chain uses a stealthier technique, employing the SelfReg table for DLL execution.
“The mentioned DLL is present in a CAB file named ‘disk1’ and once the MSI installation starts, the DLL is loaded in the msiexec process address space and its DllRegisterServer export function is called, leading to the unpacking and execution of the Bumblebee payload,” Netskope explains.
The deployed loader version has the same internal DLL and exported functions as previously observed iterations, as well as the same configuration extraction approach, using a clear-text hardcoded key to decrypt the encrypted configuration.
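A detection-side illustration of the chain described above, added here as an example and not code from Netskope or this article: a small Python checker runs over constructed Sysmon-style process-creation and image-load records and flags msiexec.exe launched by PowerShell with a remote MSI URL, plus an unsigned DLL loaded into msiexec from a user-writable directory (where a SelfReg DLL would appear). The event field names, domain and file paths are assumptions, not values from the campaign.

```python
import re

# Constructed sample telemetry shaped like Sysmon process-creation (id 1) and
# image-load (id 7) events. Illustrative records only, not captured data.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe <command omitted>"},
    {"id": 1, "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "msiexec.exe /i https://cdn.example.invalid/nvidia-setup.msi"},
    {"id": 7, "image": r"C:\Windows\System32\msiexec.exe",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\MSI1234.tmp\helper.dll", "signed": "false"},
    # Benign controls: an interactive local install and a system DLL load.
    {"id": 1, "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": r"msiexec.exe /i C:\Users\alice\Downloads\app.msi"},
    {"id": 7, "image": r"C:\Windows\System32\msiexec.exe",
     "loaded": r"C:\Windows\System32\msi.dll", "signed": "true"},
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
POWERSHELL = ("powershell.exe", "pwsh.exe")

def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def check_event(ev):
    """Return the reasons this event matches the PowerShell -> msiexec -> DLL chain."""
    reasons = []
    if basename(ev["image"]) != "msiexec.exe":
        return reasons
    if ev["id"] == 1:  # process creation
        if URL_RE.search(ev["cmdline"]):
            reasons.append("msiexec installing package from remote URL")
        if basename(ev["parent"]) in POWERSHELL:
            reasons.append(f"msiexec spawned by {basename(ev['parent'])}")
    elif ev["id"] == 7:  # image load into msiexec
        loaded = ev["loaded"].lower()
        if ev["signed"] != "true" and not loaded.startswith("c:\\windows\\"):
            reasons.append("unsigned DLL loaded into msiexec from user-writable path")
    return reasons

def scan(events):
    """Return (index, reasons) for every event that produced at least one finding."""
    hits = []
    for i, ev in enumerate(events):
        reasons = check_event(ev)
        if reasons:
            hits.append((i, reasons))
    return hits

if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_EVENTS):
        print(f"event {i}: " + "; ".join(reasons))
```

On real telemetry the parent check alone is too noisy for alerting; combining it with the remote-URL or unsigned-load condition from the same host within a short window is the usable signal.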