A new malware loader dubbed Bumblebee is being used by multiple threat actors to deliver malicious payloads to victims’ devices. According to cybersecurity firm Proofpoint, which analyzed the Bumblebee loader, its sole purpose appears to be to download malicious payloads onto infected devices and has been observed being used to deliver the Cobalt Strike, Sliver, and Meterpreter red team frameworks.
The researchers identified three spam email campaigns delivering Bumblebee malware that used customized lures and social engineering techniques to trick recipients into installing the malware loader, including emails spoofing DocuSign claiming to be alerting the recipient about an unpaid invoice. Clicking to review the document led to the download of a zip file from a OneDrive storage account that contained an ISO file, which was used to deliver Bumblebee malware.
Another campaign used the contact form on the target’s website to claim that the site included stolen images, which also led to the download of an ISO file containing Bumblebee malware. That campaign was linked to another threat actor that had previously distributed malware loaders such as IcedID and Buer Loader.
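Both campaigns above share one delivery chain: a downloaded ZIP that wraps an ISO image, which in turn carries the loader. A mail or download gateway can flag that pattern by content rather than file extension. The following is an added example written for this page, not Proofpoint's or the article's code; the sample archive, file names and size threshold are constructed assumptions.

```python
"""Flag ZIP archives that wrap an ISO 9660 image (the zip -> ISO -> loader
chain). Added example; member names and sample data are constructed."""
import io
import zipfile

ISO_MAGIC = b"CD001"        # ISO 9660 volume descriptor identifier
ISO_MAGIC_OFFSET = 0x8001   # 32 KiB system area + 1-byte descriptor type

def is_iso9660(data: bytes) -> bool:
    """True if the bytes carry the ISO 9660 volume descriptor signature."""
    return data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC

def find_iso_in_zip(zip_bytes: bytes) -> list[str]:
    """Return names of ZIP members that are ISO images, judged by content
    so that a renamed .iso (e.g. .txt or .pdf) is still caught."""
    need = ISO_MAGIC_OFFSET + len(ISO_MAGIC)
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size < need:
                continue                      # too small to be an ISO
            with zf.open(info) as member:
                head = member.read(need)      # only the bytes we must inspect
            if is_iso9660(head):
                hits.append(info.filename)
    return hits

def build_sample_zip() -> bytes:
    """Constructed test input: a benign text file plus a minimal fake ISO
    (correct magic, no real filesystem) stored under a misleading name."""
    fake_iso = bytearray(ISO_MAGIC_OFFSET + 16)
    fake_iso[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] = ISO_MAGIC
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.txt", "Please see the attached invoice.\n")
        zf.writestr("Document_0423.txt", bytes(fake_iso))
    return buf.getvalue()

if __name__ == "__main__":
    print(find_iso_in_zip(build_sample_zip()))  # ['Document_0423.txt']
```

In production the same check belongs beside extension and MOTW policy (mounting an ISO strips the Mark of the Web on the files inside), which is why ISO containers are worth flagging on their own.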
The researchers believe Bumblebee malware is primarily being used by the initial access brokers that work with ransomware gangs. The analysis of Bumblebee malware uncovered several similarities with the TrickBot Trojan, which was also used to deliver malicious payloads. The developers of the TrickBot Trojan are believed to have been incorporated into the Conti ransomware operation to work on new delivery methods that are stealthier than BazarLoader.
Bumblebee malware has been used by the Conti ransomware gang, and its emergence has coincided with a fall in the number of ransomware attacks that used BazarLoader to drop Cobalt Strike. Proofpoint said BazarLoader has been missing from its data since February 2022, and all signs point to Bumblebee becoming the go-to malware loader for threat actors.
Despite the malware having only recently been detected, it is already a sophisticated loader with anti-virtualization checks. It contains unique code that gives it its downloading capabilities and appears to be under active development.
“The introduction of the Bumblebee loader to the crimeware threat landscape and its apparent replacement for BazarLoader demonstrates the flexibility threat actors have to quickly shift TTPs and adopt new malware,” said Proofpoint VP of threat research and detection, Sherrod DeGrippo.