Threat actors linked to BazarLoader, TrickBot, and IcedID are increasingly using the malware loader known as Bumblebee in their operations to break into target networks for post-exploitation activities.
“Bumblebee operators conduct intensive reconnaissance activities and redirect the output of executed commands to files for exfiltration,” Cybereason researchers Alon Laufer and Meroujan Antonyan stated in a technical write-up.
Bumblebee first came to light in March 2022, when Google’s Threat Analysis Group (TAG) exposed the activity of an initial access broker named Exotic Lily with connections to the TrickBot and the more prominent Conti collectives. The modus operandi has since shifted away from macro-laced documents toward ISO and LNK files, largely in reaction to Microsoft’s decision to block macros by default. Initial access is typically obtained through spear-phishing.
According to the researchers, the malware is spread through phishing emails carrying an attachment or a link to a malicious package that contains Bumblebee. Initial execution depends on the end user: the ISO image file must be mounted, the Windows shortcut (LNK) file clicked, and the archive extracted. The Bumblebee loader is launched by the command embedded in the LNK file, which then serves as a conduit for subsequent stages, including persistence, privilege escalation, reconnaissance, and credential theft.
After gaining elevated access to infected endpoints, the threat actor also uses the Cobalt Strike adversary simulation framework to move laterally across the network. Persistence is achieved by installing the AnyDesk remote desktop software. In the incident that Cybereason examined, the attackers were able to take over Active Directory and, using the stolen credentials of a highly privileged user, set up a local user account for data exfiltration.
“The time it took between initial access and Active Directory compromise was less than two days,” said the cybersecurity firm. “Attacks involving Bumblebee must be treated as critical, […] and this loader is known for ransomware delivery.”
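As an added, defender-side illustration that is not part of the Cybereason write-up or of this article: a small Python triage that flags the three behaviours described above (a script or DLL host launched by explorer.exe from a mounted, non-system drive; a reconnaissance command whose output is redirected to a file; an AnyDesk installation) over constructed Sysmon-style process-creation events. Every path, file name and the AnyDesk `--install` switch are assumptions, not values from the report.

```python
import re

# Constructed Sysmon-style process-creation events. No path, file name or switch here
# comes from the Cybereason report; they only mirror the chain described in the article
# (LNK launch from a mounted ISO, recon output redirected to files, AnyDesk installed).
# The last two events are benign controls.
EVENTS = [
    {"parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\rundll32.exe",
     "cwd": "E:\\", "cmdline": "rundll32.exe document.dll,#1"},
    {"parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\cmd.exe",
     "cwd": "C:\\Users\\Public", "cmdline": "cmd.exe /c whoami /all > C:\\Users\\Public\\w.txt"},
    {"parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\cmd.exe",
     "cwd": "C:\\Users\\Public", "cmdline": "cmd.exe /c nltest /dclist:corp > C:\\Users\\Public\\d.txt"},
    {"parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Users\\Public\\AnyDesk.exe",
     "cwd": "C:\\Users\\Public", "cmdline": "AnyDesk.exe --install C:\\ProgramData\\AnyDesk --silent"},
    {"parent": "C:\\Windows\\explorer.exe", "image": "C:\\Program Files\\Office\\WINWORD.EXE",
     "cwd": "C:\\Users\\alice\\Documents", "cmdline": "WINWORD.EXE report.docx"},
    {"parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\cmd.exe",
     "cwd": "C:\\Users\\alice", "cmdline": "cmd.exe /c echo build ok > C:\\Users\\alice\\log.txt"},
]

INTERPRETERS = {"cmd.exe", "rundll32.exe", "powershell.exe", "wscript.exe", "mshta.exe"}
RECON_CMDS = ("whoami", "nltest", "net ", "systeminfo", "tasklist", "ipconfig", "quser")

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def lnk_launch_from_mounted_image(ev):
    # explorer.exe starting a script/DLL host with a non-system drive as working
    # directory: the shape of a user clicking an LNK inside a mounted ISO (coarse heuristic).
    return (basename(ev["parent"]) == "explorer.exe"
            and basename(ev["image"]) in INTERPRETERS
            and re.match(r"[D-Z]:\\", ev["cwd"], re.I) is not None)

def recon_redirected_to_file(ev):
    # A host-enumeration command whose output is redirected into a file, ready for exfiltration.
    cl = ev["cmdline"].lower()
    return any(c in cl for c in RECON_CMDS) and re.search(r">\s*\S+", cl) is not None

def anydesk_install(ev):
    # AnyDesk installed outside managed software deployment (the --install switch is assumed).
    return basename(ev["image"]) == "anydesk.exe" and "--install" in ev["cmdline"].lower()

RULES = [lnk_launch_from_mounted_image, recon_redirected_to_file, anydesk_install]

def triage(events):
    """Return (rule name, command line) for every event that matches a rule."""
    return [(rule.__name__, ev["cmdline"]) for ev in events for rule in RULES if rule(ev)]
```

Run against real telemetry, each rule on its own is noisy; their value is in correlating all three on one host within a short window, which is the pattern the report describes.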