Proofpoint research has revealed that the Bumblebee malware has resurfaced after a four-month hiatus from the cyber threat landscape. The new campaign, which was detected in February 2024, marked a significant departure from previous Bumblebee infiltrations.
This resurgence coincides with the reappearance of several notorious threat actors at the beginning of 2024 following a temporary “Winter lull,” according to the researchers. Bumblebee was frequently utilized by multiple threat actors from March 2022 through October 2023, with Proofpoint identifying a total of 230 Bumblebee campaigns during this period.
The sophisticated downloader is primarily used as an initial access broker to download and execute additional payloads such as Cobalt Strike, shellcode, Sliver, and Meterpreter. Various methods have been employed to distribute Bumblebee, including the trojanization of popular software tools such as Zoom, Cisco AnyConnect, ChatGPT, and Citrix Workspace to infect victims.
The latest Bumblebee campaign noted by Proofpoint involves a new attack chain that was observed after the malware disappeared from the radar in October 2023. The attackers utilized social engineering techniques to entice targets into downloading Bumblebee, sending several thousand emails with OneDrive URLs containing a Word file with names like “ReleaseEvans#96.docm.”
This Word document spoofed consumer electronics firm Humane and employed macros to create a script in the Windows temporary directory, with the dropped file executed using “wscript.” The dropped temporary file contained a PowerShell command that downloaded and executed the next stage of the attack chain from a remote server, which involved another PowerShell command in the file “update_ver” downloading and running the Bumblebee DLL.
The researchers highlighted several unique characteristics associated with this new Bumblebee campaign, including the use of VBA macro-enabled documents in the attack chain, a departure from the approaches used in previous campaigns.
While Proofpoint has not been able to attribute the new campaign to a tracked threat actor, they noted that some of the techniques used align with previous activities of the TA579 group. The researchers also pointed out that several tracked threat actors have resumed activities after an absence at the end of 2023, including TA577 returning to deliver the Qbot malware at the end of January.
Proofpoint expects this “high operational tempo” to continue until anticipated summer breaks, as 2024 has started with a surge in cybercriminal activity. The researchers continue to observe new and creative attack chains, attempts to bypass detections, and updated malware from many threat actors and unattributed threat clusters.
Overall, the emergence of the new Bumblebee campaign underscores the ever-evolving nature of cyber threats and the need for organizations to remain vigilant and adopt robust security measures to protect against such sophisticated attacks. With threat actors constantly adapting and refining their tactics, cybersecurity professionals must remain proactive in detecting and mitigating the risks posed by malware such as Bumblebee.