
Bumblebee Malware Buzzes Into Cyberattack Fray

The sophisticated Bumblebee downloader is being used in ongoing email-borne attacks that could lead to ransomware infections.

At least three separate waves of cyberattacks are underway that feature a sophisticated new malware loader dubbed Bumblebee that fetches shell code and second-stage tools, such as Cobalt Strike, Sliver, and Meterpreter – possibly in a run-up to ransomware attacks.

As an initial-access tool – backdoor malware that infects a target before loading follow-on binaries – Bumblebee specializes in stealth, according to research from Proofpoint.

"Bumblebee is in active development and wields elaborate evasion techniques to include complex anti-virtualization," researchers explain in a report issued on Thursday. "Unlike most other malware that uses process hollowing or DLL injection, this loader utilizes an asynchronous procedure call (APC) injection to start the shellcode from the commands received from the command and control (C2)."

Further, Bumblebee appears to be a significantly upgraded replacement for the well-known BazaLoader tool that often presages ransomware attacks. 

"Threat actors using Bumblebee are associated with malware payloads that have been linked to follow-on ransomware campaigns," researchers note in the report. And "campaigns identified by Proofpoint overlap with activity detailed [by Google] as leading to Conti and Diavol ransomware."

BazaLoader Replacement
Bumblebee first buzzed onto the scene in March, shortly after BazaLoader disappeared from Proofpoint’s telemetry, researchers said.

BazaLoader was up until then a common malware first seen in 2020, sharing the cybercrime spotlight with other favored initial-access baddies, such as Emotet, Trickbot, and IcedID. Notably, it was employed in several high-volume campaigns that led to Conti ransomware infections.

"BazaLoader's apparent disappearance from the cybercrime threat landscape coincides with the timing of Conti Leaks, when, at the end of February, a Ukrainian researcher with access to Conti's internal operations began leaking data from the cybercriminal organization. Infrastructure associated with BazaLoader was identified in the leaked files," researchers explain in the report.

Now Bumblebee is cropping up in campaigns run by the same crimeware groups previously observed delivering BazaLoader, the report notes. Proofpoint added that the groups are likely initial-access brokers (IABs), which dovetails with the previously mentioned Google TAG research. IABs infiltrate targets and sell specialized access to backdoored corporate networks on the Dark Web, and they often partner with ransomware operators as part of a thriving underground economy. They excel at finding unpatched machines, password-cracking and brute-forcing, social engineering and phishing, and other common avenues for infection.

"Several threat actors that typically use BazaLoader in malware campaigns have transitioned to Bumblebee," Proofpoint researchers say. "Proofpoint assesses with moderate confidence the actors using Bumblebee may be considered initial-access facilitators."

Hive of Activity: Ongoing Cybercrime Campaigns
Starting in March, Proofpoint observed Bumblebee being distributed in email campaigns by at least three tracked threat actors.

“While lures, delivery techniques, and file names are typically customized to the different threat actors distributing the campaigns, Proofpoint observed several commonalities across campaigns, such as the use of ISO files containing shortcut files and DLLs and a common DLL entry point used by multiple actors within the same week,” according to the report. ISO files are used to store images of optical disks, DVDs, CDs, and other media.

In one case, a DocuSign-branded email campaign was designed to trick targets into downloading a malicious, zipped ISO file purporting to be an unpaid invoice, hosted on OneDrive. The emails contained either a hyperlink asking recipients to "REVIEW THE DOCUMENT" in the body of the message, or they used HTML attachments.

“The embedded URL in the HTML attachment used a redirect service which Proofpoint refers to as Cookie Reloaded, a URL redirect service which uses Prometheus TDS to filter downloads based on the time zone and cookies of the potential victim,” explain the researchers. “The redirector in turn directed the user to a zipped ISO file, also hosted on OneDrive.”

The ISO file contained a shortcut file named "ATTACHME.LNK," which, when clicked, executed "Attachments.dat" with the correct parameters to run the Bumblebee downloader.
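The delivery pattern described above (a zipped ISO holding a shortcut next to the file it launches) can be checked at the mail gateway; the following attachment-triage sketch is an added example, not code from Proofpoint's report. It identifies disk images by the ISO 9660 magic rather than by file extension and lists the root directory from the primary volume descriptor only. Assumptions: `iso_root_names`, `triage_zip` and `sample_iso` are hypothetical names, Joliet/UDF long names and subdirectories are not read, and the sample image is constructed.

```python
import io, pathlib, struct, sys, zipfile

SECTOR = 2048               # ISO 9660 logical sector size
MAX_MEMBER = 64 * 2**20     # do not inflate zip members larger than this

def iso_root_names(img):
    """Root-directory file names of an ISO 9660 image; [] if it is not one."""
    pvd = img[16 * SECTOR:17 * SECTOR]             # volume descriptors start at sector 16
    if len(pvd) < SECTOR or pvd[:6] != b"\x01CD001":
        return []                                  # trust the magic, not the extension
    lba, size = struct.unpack_from("<I4xI", pvd, 158)   # root record sits at offset 156
    data, pos, names = img[lba * SECTOR:lba * SECTOR + size], 0, []
    while pos + 33 <= len(data):
        rec_len = data[pos]
        if rec_len == 0:                           # records never span sectors
            pos = (pos // SECTOR + 1) * SECTOR
            continue
        name = data[pos + 33:pos + 33 + data[pos + 32]]
        if name not in (b"\x00", b"\x01"):         # skip the "." and ".." entries
            names.append(name.decode("ascii", "replace").split(";")[0])
        pos += rec_len
    return names

def triage_zip(blob):
    """One finding per zipped disk image that holds a shortcut beside other files."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in (i for i in zf.infolist() if i.file_size <= MAX_MEMBER):
            names = iso_root_names(zf.read(info))
            lnks = [n for n in names if n.upper().endswith(".LNK")]
            others = [n for n in names if n not in lnks]
            if lnks and others:
                findings.append((info.filename, lnks, others))
    return findings

def sample_iso(names):  # constructed sample: one descriptor and one directory sector
    def rec(name):
        body = bytearray(33) + name
        body += b"\x00" * (len(body) % 2)          # records are padded to even length
        body[0], body[32] = len(body), len(name)
        return bytes(body)
    root = b"".join(rec(n) for n in [b"\x00", b"\x01"] + [n.encode() + b";1" for n in names])
    pvd = bytearray(b"\x01CD001".ljust(SECTOR, b"\x00"))
    struct.pack_into("<I4xI", pvd, 158, 17, len(root))   # root directory at sector 17
    return bytes(16 * SECTOR) + bytes(pvd) + root.ljust(SECTOR, b"\x00")

if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(path, triage_zip(pathlib.Path(path).read_bytes()))
```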

In another case, a campaign used thread jacking (i.e., when cybercriminals reply to existing email exchanges, inserting themselves into legitimate conversations) to deliver emails with malicious zipped ISO attachments.

And in yet another case, emails were generated by submitting a message to a contact form on the target's website, while leaving public comments regarding the topic on the target's site. As a lure, the attackers made claims about stolen images on the website. These "complaints" contained a link to a landing page that directed the user to the download of a malicious ISO file.

[Image: A bogus 'complaint' about the use of stolen images. Source: Proofpoint]

"The use of Bumblebee by multiple threat actors, the timing of its introduction in the landscape, and behaviors described in this report can be considered a notable shift in the cybercriminal threat landscape," researchers conclude. "Proofpoint assesses with high confidence based on malware artifacts all the tracked threat actors using Bumblebee are receiving it from the same source."

To protect themselves, organizations should shore up basic security hygiene, such as timely patching and strong password/multifactor authentication use – and also work with employees to instill awareness of email-borne threats and common social-engineering trickery.

Malware Analysis: This Is No Bumbler
Bumblebee is new and still under active development, but it’s already a sophisticated threat that organizations should watch out for, Proofpoint warned.

Once installed, the loader gathers system information and generates a "client ID." It then hooks up with the C2 (the address(es) are stored in plaintext) and checks in at randomized intervals of seconds to retrieve commands.

Bumblebee supports the following commands:

  • Shi: shellcode injection
  • Dij: DLL injection
  • Dex: download executable
  • Sdl: uninstall loader
  • Ins: enable persistence on the bot

Notably, it contains powerful anti-analysis and evasion tactics, including sandbox and virtual-machine awareness, the addition of an encryption layer to the network communications, and a check on current running processes against a hardcoded list of common tools used by malware analysts.

"The introduction of the Bumblebee loader to the crimeware threat landscape and its apparent replacement for BazaLoader demonstrates the flexibility threat actors have to quickly shift [tactics, techniques, and procedures] and adopt new malware," says Sherrod DeGrippo, vice president of threat research and detection at Proofpoint. "Additionally, the malware is quite sophisticated and demonstrates being in ongoing, active development, introducing new methods of evading detection."