Cyberattacks targeting thousands of US organizations wields a new attack vector to deliver the versatile initial-access loader — and is a harbinger of a surge in threat activity.

Yellow bumblebee with black eyes and antennae facing forward on a green leaf
Source: Total Moments via Alamy Stock Photo

The sophisticated Bumblebee loader is back in the threat landscape hive after a four-month hiatus, with a new email campaign targeting thousands of organizations in the US.

Bumblebee, an initial access loader used by multiple cybercriminal groups to drop various payloads like infostealers, banking Trojans, and post-compromise tools, first appeared on the scene in March 2022. Until last October, threat actors relied on it heavily as a favored malware loader — and then it disappeared from researchers' radar.

The loader was back in a campaign observed this month by the Proofpoint Threat Research Team, according to a blog post published Tuesday. The campaign employs several thousand emails with the subject "Voicemail February," sent from the sender "info@quarlesaa[.]com" and containing malicious Microsoft OneDrive URLs.

These URLs lead to a Word file with names such as "ReleaseEvans#96.docm" that spoof the consumer electronics company Humane. The attack vector eventually uses a PowerShell command to download and run a Bumblebee DLL file as an entry to further malicious activity, the researchers found.

The return of the loader is a harbinger of things to come, Proofpoint researchers noted, as it "aligns with a surge of cybercriminal threat activity after a notable absence of many threat actors and malware."

2024 "has started off with a bang for cybercriminal threat actors, with activity returning to very high levels after a temporary winter lull," the researchers said. "Proofpoint researchers continue to observe new, creative attack chains, attempts to bypass detections, and updated malware from many threat actors and unattributed threat clusters," adding that they expect this flurry of activity to continue until summer.

Other malicious groups returning to action after a break include groups that the researchers track as post-exploitation operator TA582; aviation and aerospace-targeting actor TA2541; and email campaigns delivered by TA571 that deliver the DarkGate malware, among others.

Bumblebee Malware's New and Noteworthy Flight Path

There are a couple of key aspects of the campaign that set it apart from previous attacks using Bumblebee. For instance, the campaign uses VBA macro-enabled documents, a tactic that's rarely used these days by threat actors since Microsoft began blocking macros by default in 2022 to thwart malicious activity, the researchers said.

In the most recent campaign, the Word document used macros to create a script in the Windows temporary directory, which the macro then executed by using the "wscript" utility. Inside the dropped temporary file was a PowerShell command that downloaded and executed the next stage from a remote server, stored in a file called “update_ver." The next stage was another PowerShell command, which in turn downloaded and ran the Bumblebee DLL.

Interestingly, the attack chains used in Bumblebee's pre-hiatus campaigns were significantly different, the researchers noted. Previous campaigns sent emails that contained URLs leading to the download of a DLL which, if executed, started Bumblebee; or the emails contained HTML attachments that leveraged HTML smuggling to drop a RAR file that, if executed, exploited the WinRAR flaw CVE-2023-38831 to install Bumblebee. 

Other previous Bumblebee campaigns leveraged emails with zipped, password-protected VBS attachments which, if executed, used PowerShell to download and execute the loader, or emails that contained zipped LNK files to download an executable file that started Bumblebee.

"Out of the nearly 230 Bumblebee campaigns identified since March 2022, only five used any macro-laden content; four campaigns used XL4 macros, and one used VBA macros," according to the researchers.  

Defenders Beware

While Proofpoint has not attributed the recent Bumblebee campaign to any tracked threat actor — though the use of OneDrive URLs and sender address appear to align with previous TA579 activities. However, the firm included a list of indicators of compromise (IoC) to aid threat-hunting.

The researchers also urged organizations to be on alert for the malicious email campaign hallmarks noted above, and said that they have assessed with "high confidence" that Bumblebee is being used "as an initial access facilitator to deliver follow-on payloads such as ransomware."

Organizations can also employ basic security best practices to avoid compromise by malicious email campaigns, such as conducting employee training to help people identify phishing and other targeted scams, and implementing email security-scanning software that flags suspicious messages before they reach employee inboxes.

About the Author(s)

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights