Bumblebee is the name of a new malware downloader used by multiple threat actors that previously delivered BazaLoader and IcedID. In other words, these threat actors have replaced the two malware pieces with the newer Bumblebee. BazaLoader, in particular, hasn’t been observed in active campaigns since February 2022, Proofpoint researchers said.
What Is the Bumblebee Malware Downloader?
The very first thing to note is that Bumblebee malware is still in a development phase.
It is a downloader coded in C++. In terms of its technical specifications, the initial Bumblebee DLL sample analyzed by the researchers contains two exports, one of which directly starts the thread for the Bumblebee main function. The other one leads to the same main function, but it also adds checks to see whether hooks have been placed within key dynamic link libraries (DLLs).
Most of Bumblebee is condensed into a single function, which makes it different from most malware, where initialization, request sending, and response handling are broken out into separate functions.
Next, “the loader starts with copying over the group ID which is effectively used as botnet identifier. Unlike most other malware, Bumblebee currently has its configuration stored in plaintext, but Proofpoint suspects that obfuscation may be added in the future. With the group ID copied, the loader resolves addresses for various NTDLL functions that allow it to properly perform injection later in the loading process,” the researchers explained.
Bumblebee Malware Distribution
The spread of Bumblebee coincides with the disappearance of BazaLoader. BazaLoader was widely distributed last year via a malicious campaign that used fraudulent call centers to trick users into downloading the malware onto their machines. The BazaCall campaign turned out to be more dangerous than initially suspected. The reason for the higher threat level is that, apart from having backdoor capabilities, BazaLoader could grant remote attackers “hands-on-keyboard control on an affected user’s device,” enabling them to perform full network compromise.
Now, the Bumblebee downloader has replaced BazaLoader. The threat actors behind these new campaigns are associated with malicious payloads linked to subsequent ransomware infections.
In terms of distribution, Proofpoint said that the malware is spread through malspam campaigns initiated by at least three tracked threat actors using multiple delivery techniques. “While lures, delivery techniques, and file names are typically customized to the different threat actors distributing the campaigns, Proofpoint observed several commonalities across campaigns, such as the use of ISO files containing shortcut files and DLLs and a common DLL entry point used by multiple actors within the same week,” the report noted.
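The delivery chain described above (an ISO image containing a shortcut file and a DLL, with the DLL entry point recurring across actors) leaves a recognizable trace in process-creation telemetry: the shortcut runs under explorer.exe, and the DLL it launches lives on a freshly mounted drive letter rather than the system drive. The following script is an added example, not code from the original article or from Proofpoint; it runs a simple detection over constructed, Sysmon-style sample event lines. The field names, the choice of rundll32.exe and regsvr32.exe as the DLL loaders to watch, and the sample paths and export name are assumptions of this example, not indicators from the report.

```python
import re
from typing import Optional

# Constructed sample process-creation events in a key=value layout modelled on
# Sysmon (not real telemetry; field names and values are assumptions).
SAMPLE_EVENTS = [
    r'ParentImage=C:\Windows\explorer.exe Image="C:\Windows\System32\rundll32.exe" CommandLine="rundll32.exe E:\documents.dll,RunEntry"',
    r'ParentImage=C:\Windows\explorer.exe Image="C:\Program Files\App\app.exe" CommandLine="app.exe"',
    r'ParentImage=C:\Windows\System32\cmd.exe Image="C:\Windows\System32\rundll32.exe" CommandLine="rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"',
    r'ParentImage=C:\Windows\explorer.exe Image="C:\Windows\System32\regsvr32.exe" CommandLine="regsvr32.exe /s D:\invoice\setup.dll"',
]

# Windows binaries that execute a DLL handed to them on the command line.
# Watching these two is an assumption of this example, not from the report.
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}

# A DLL path on a drive letter, with the optional ",ExportName" suffix that
# rundll32 uses to pick the entry point to call.
DLL_ARG = re.compile(
    r'(?P<drive>[A-Za-z]):\\(?P<path>[^\s",]+\.dll)(?:,(?P<export>\w+))?',
    re.IGNORECASE,
)


def parse_event(line: str) -> dict:
    """Split one key=value event line; quoted values may contain spaces."""
    fields = {}
    for m in re.finditer(r'(\w+)=("([^"]*)"|\S+)', line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def basename(path: str) -> str:
    """Last path component, lower-cased, so comparisons ignore directory and case."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict, system_drive: str = "C") -> Optional[str]:
    """Return a finding string if the event matches the ISO+LNK+DLL pattern, else None.

    The pattern: a DLL loader, started by explorer.exe (as a double-clicked
    shortcut would be), given a DLL that sits on a drive other than the system
    drive (a mounted ISO receives its own drive letter).
    """
    if basename(event.get("Image", "")) not in DLL_LOADERS:
        return None
    if basename(event.get("ParentImage", "")) != "explorer.exe":
        return None
    m = DLL_ARG.search(event.get("CommandLine", ""))
    if not m:
        return None
    drive = m.group("drive").upper()
    if drive == system_drive.upper():
        return None  # DLL on the system drive: not the mounted-image pattern
    export = m.group("export") or "(entry point not named on command line)"
    return (f"{basename(event['Image'])} started by explorer.exe loaded "
            f"{drive}:\\{m.group('path')} with export {export}")


def scan(lines) -> list:
    """Run classify() over raw event lines and collect the findings."""
    findings = []
    for line in lines:
        hit = classify(parse_event(line))
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print("ALERT:", finding)
```

The non-system-drive check is deliberately coarse: it also fires for DLLs on USB media or network shares, which is usually acceptable for a hunting query but should be tuned (for example by correlating with a preceding image-mount event) before it becomes a blocking rule. The export name captured from the command line is the field to pivot on when, as the report notes, one entry point recurs across several actors' campaigns.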
The fact that the Bumblebee malware is used by multiple cybercriminals, and the timing of its appearance, show that the threat landscape is changing notably. Based on the specifics of the malware campaigns, the researchers also believe that the threat actors behind the operations are initial access brokers. Initial network access is what gets malicious hackers inside an organization’s network. The threat actors who sell it create a bridge between opportunistic campaigns and targeted attackers, who in most cases are ransomware operators.
In conclusion, the analysis conducted by Proofpoint, together with the fact that the malware is still in development, highlights the likelihood that Bumblebee will continue to be used by various threat actors in multiple campaigns.