Cybercriminals who previously used BazaLoader and IcedID in malware operations are alleged to have switched to a new loader named Bumblebee, which is still under development. “Based on the timing of its appearance in the threat landscape and use by multiple cybercriminal groups, it is likely Bumblebee is, if not a direct replacement for BazaLoader, then a new, multifunctional tool used by actors that historically favored other malware,” said the enterprise security firm Proofpoint.
Campaigns to distribute the new extremely complex loader are reported to have started in March 2022, and sharing coincides with malicious activities leading to Diavol and Conti ransomware deployment, increasing the prospect that the loader may be used as a prelude to ransomware attacks. “Threat actors using Bumblebee are associated with malware payloads that have been linked to follow-on ransomware campaigns,” the researchers said.
Bumblebee is developed in C++ and is designed to operate as a downloader for collecting and running next-stage payloads such as Cobalt Strike, Sliver, Meterpreter, and shellcode, in addition to anti-virtualization checks. Intriguingly, the malware loader’s increased detection in the threat landscape has coincided with a decrease in BazaLoader deployments since February 2022, another prominent loader designed by the now-defunct TrickBot gang, which has since been integrated into Conti and used for distributing file-encrypting malware.
Bumblebee has been distributed using DocuSign-branded email phishing lures, including fake links or HTML attachments that direct potential victims to a compressed ISO file stored on Microsoft OneDrive. Furthermore, the embedded URL in the HTML attachment uses a traffic direction system (TDS) called Prometheus — which can be purchased for $250 per month on underground marketplaces — to redirect URLs to the archive files as per the victims’ time zone and cookies.
The ZIP packages contain .LNK and .DAT files, with the Windows shortcut file launching the latter, which includes the Bumblebee downloader, before delivering BazaLoader and IcedID malware. A thread-hijacking approach was employed in a second campaign in April 2022, in which legitimate invoice-themed emails were hijacked to distribute compressed ISO packages, which were then used to run a DLL file to activate the loader.
Also seen is the usage of the target’s website’s contact form to send a message alleging picture copyright breaches and directing the victim to a Google Cloud Storage link that downloads a compressed ISO file, thereby completing the infection chain as mentioned earlier.
The switch from BazarLoader to Bumblebee indicates that these threat actors — most likely initial access brokers who invade targets and then sell that access to others — are getting malware from a common origin, as well as a departure after the Conti group’s attack toolkit was made public at about the same time.
Conti has also taken over the famed TrickBot botnet and shut it down to focus on developing BazarLoader and Anchor malware. It’s unclear if Bumblebee is the work of TrickBot actors or whether the gang has abandoned BazaLoader in favor of a whole new malware as a result of the revelations.
In an independent investigation, Cybereason malware researcher Eli Salem found parallels between Bumblebee and TrickBot, such as the latter’s web-inject module and usage of the same evasion strategy, implying that the players behind Bumblebee had accessibility to TrickBot’s source code.
According to Sherrod DeGrippo, vice president of Proofpoint’s threat research and detection, the Bumblebee loader’s appearance in the crimeware threat environment, and its apparent replacement for BazaLoader, highlights the threat actors’ ability to swiftly swap TTPs and embrace new malware. He also said that the malware is highly complex, and it appears to be in active development, with new techniques of evading detection being introduced regularly.
