New ‘Bumblebee’ Malware Loader Used by Several Cybercrime Groups

Cybersecurity companies have analyzed “Bumblebee,” a relatively new custom malware downloader that appears to have been used by several cybercrime groups.

Written in C++, Bumblebee is mostly condensed in a single function responsible for initialization, handling of responses, and sending requests. At the moment, the downloader’s configuration is stored in plaintext, but its developers may start employing obfuscation in the future.

Once executed on a victim machine, the threat collects information about the system and then starts communicating with the command and control (C&C) server. Based on the amount of time it takes for Bumblebee to receive jobs to execute, payloads are likely manually deployed.

Bumblebee also packs anti-VM and anti-sandbox checks, and, in the latest version, a randomized sleep interval was added, along with an encryption layer to the network communications.

In a report on Friday, NCC Group noted that the threat’s backend is written in Golang, and that the malware’s operators “did not implement a command to update the loader’s binary, resulting in the loss of existing infections.”

In a March 2022 report, Google mentioned the use of the Bumblebee custom downloader in some attacks associated with Exotic Lily, an initial access broker involved in data exfiltration operations that typically led to the deployment of ransomware families such as Conti and Diavol.

On Thursday, Proofpoint published a technical report on the malware downloader, reiterating Google’s findings and also saying that Bumblebee has been used to deploy malware such as Cobalt Strike and Meterpreter, along with Sliver and other payloads.

However, the cybersecurity firm also pointed out that at least three different threat actors appear to have been using Bumblebee in campaigns, and that they have employed different techniques for delivery, including emails carrying ISO or HTML files as attachments or emails generated by contact forms.

In April, Proofpoint observed a thread-hijacking campaign in which Bumblebee was deployed via emails that appeared to be replies to legitimate messages, and which carried zipped ISO attachments.

At least one of the observed campaigns, Proofpoint says, can be attributed to TA578, a threat actor that was previously seen distributing malware such as BazaLoader, Buer Loader, Cobalt Strike, IcedID, KPOT Stealer, and Ursnif.

“Proofpoint assesses with moderate confidence the actors using Bumblebee may be considered initial access facilitators, that is, independent cybercriminal groups that infiltrate major targets and then sell access to follow-on ransomware actors,” the cybersecurity firm notes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
