Cybersecurity companies have analyzed “Bumblebee,” a relatively new custom malware downloader that appears to have been used by several cybercrime groups.
Written in C++, Bumblebee is mostly condensed into a single function that handles initialization, sends requests, and processes the responses. At the moment, the downloader’s configuration is stored in plaintext, but its developers may start employing obfuscation in the future.
Once executed on a victim machine, the threat collects information about the system and then starts communicating with the command and control (C&C) server. Based on the amount of time it takes for Bumblebee to receive jobs to execute, payloads are likely manually deployed.
Bumblebee also packs anti-VM and anti-sandbox checks. The latest version adds a randomized sleep interval between check-ins and an encryption layer for its network communications.
In a report published on Friday, NCC Group noted that the threat’s backend is written in Golang, and that the malware’s operators “did not implement a command to update the loader’s binary, resulting in the loss of existing infections.”
In a March 2022 report, Google mentioned the use of the Bumblebee custom downloader in some attacks associated with Exotic Lily, an initial access broker involved in data exfiltration operations that typically led to the deployment of ransomware families such as Conti and Diavol.
On Thursday, Proofpoint published a technical report on the malware downloader, reiterating Google’s findings and also saying that Bumblebee has been used to deploy malware such as Cobalt Strike and Meterpreter, along with Sliver and other payloads.
However, the cybersecurity firm also pointed out that at least three different threat actors appear to have been using Bumblebee in campaigns, and that they have employed different techniques for delivery, including emails carrying ISO or HTML files as attachments or emails generated by contact forms.
In April, Proofpoint observed a thread-hijacking campaign in which Bumblebee was deployed via emails that appeared to be replies to legitimate messages, and which carried zipped ISO attachments.
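The delivery patterns described above (ISO or HTML attachments, ISO files inside zip archives, and reply-looking lures used for thread hijacking) can be turned into a simple mail-triage check. The following is an added example, not code from Proofpoint or from the article; the sample message, sender addresses and file names are constructed here for illustration.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Attachment types the reporting ties to Bumblebee delivery: ISO and HTML
# files, delivered bare or wrapped in a zip archive.
FLAGGED_EXTENSIONS = (".iso", ".html", ".htm")
CONTAINER_EXTENSIONS = (".zip",)


def suspicious_names(filename: str, payload: bytes) -> list:
    """Return the suspicious file names found in one attachment.

    A bare .iso/.html attachment is reported by name; a .zip is opened in
    memory and each .iso/.html member is reported as 'archive.zip/member'.
    """
    name = (filename or "").lower()
    hits = []
    if name.endswith(FLAGGED_EXTENSIONS):
        hits.append(filename)
    if name.endswith(CONTAINER_EXTENSIONS):
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(FLAGGED_EXTENSIONS):
                        hits.append(f"{filename}/{member}")
        except zipfile.BadZipFile:
            # A .zip that does not parse as an archive deserves a look too.
            hits.append(f"{filename} (unreadable archive)")
    return hits


def triage_message(raw: bytes) -> dict:
    """Parse one RFC 822 message and report Bumblebee-style indicators.

    'looks_like_reply' captures the thread-hijacking lure (a Re: subject or
    threading headers); 'suspicious_attachments' lists flagged file names.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    looks_like_reply = (
        subject.lower().startswith("re:")
        or bool(msg["In-Reply-To"])
        or bool(msg["References"])
    )
    suspicious = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        suspicious.extend(suspicious_names(part.get_filename(), payload))
    return {
        "subject": subject,
        "looks_like_reply": looks_like_reply,
        "suspicious_attachments": suspicious,
        "alert": bool(suspicious),
    }


def build_sample_message() -> bytes:
    """Constructed sample: a reply-style mail carrying a zip that holds an ISO.

    Addresses and file names are made up for this example.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_2022-04.iso", b"not a real disc image, sample only")
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = "RE: invoice question"
    msg["In-Reply-To"] = "<abc123@example.test>"
    msg.set_content("Please see the attached documents.")
    msg.add_attachment(
        buf.getvalue(), maintype="application", subtype="zip",
        filename="documents.zip",
    )
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage_message(build_sample_message()))
```

Nested archives, password-protected zips and other container formats are not handled here; the check only covers the attachment types named in the reporting, and a hit is a triage signal rather than a verdict.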
At least one of the observed campaigns, Proofpoint says, can be attributed to TA578, a threat actor that was previously seen distributing malware such as BazaLoader, Buer Loader, Cobalt Strike, IcedID, KPOT Stealer, and Ursnif.
“Proofpoint assesses with moderate confidence the actors using Bumblebee may be considered initial access facilitators, that is, independent cybercriminal groups that infiltrate major targets and then sell access to follow-on ransomware actors,” the cybersecurity firm notes.