The sophisticated Bumblebee shipper has returned to the threat landscape after a four-month hiatus, with a new email campaign targeting thousands of organizations across the United States.
Bumblebee, an initial login loader used by multiple cyber criminal groups to eliminate various payloads such as infostealers, banking Trojans and post-compromise tools, primarily appeared on the scene in March 2022. Until last October, threat actors relied heavily on it as their malware loader of choice, only to disappear from researchers’ radar.
The Charger has reportedly returned in a campaign observed this month by the Proofpoint Threat Research Team to a blog post published Tuesday. The campaign includes several thousand emails with the subject “February Secretariat”, sent by the sender “info@quarlesaa[.]com” and containing malicious Microsoft OneDrive URLs.
These URLs lead to a Word file with names like “ReleaseEvans#96.docm” that spoofs the consumer electronics company Humane. The researchers found that the attack vector ultimately uses a PowerShell command to download and execute a Bumblebee DLL file as an entryway for further malicious activity.
The return of the loader is a harbinger of things to come, Proofpoint researchers noted, as it “is in line with a surge in cybercriminal threat activity after a notable absence of many threat actors and malware.”
2024 “started with a bang for cyber threat actors, with activity returning to very high levels after a temporary winter lull,” the researchers said. “Proofpoint researchers continue to observe new and creative attack chains, attempts to bypass detections, and updated malware from many threat actors, and clusters of unattributed threats,” adding that they expect this flurry of activity to continue through ‘summer.
Other malicious groups returning to action after a hiatus include groups that researchers track as post-exploitation operator TA582; aviation and aerospace targeting actor TA2541; and email campaigns powered by TA571 that provide the DarkGate malware, among others.
Bumblebee Malware’s new and noteworthy flight path
There are a couple of key aspects of the campaign that set it apart from previous attacks using Bumblebee. For example, the campaign uses VBA macro-enabled documents, a tactic rarely used today by threat actors from Microsoft it started blocking macros by default in 2022 to thwart malicious activity, the researchers said.
In the most recent campaign, the Word document used macros to create a script in the Windows temporary directory, which the macro then executed using the “wscript” utility. Inside the released temporary file was a PowerShell command that downloaded and executed the next step from a remote server, stored in a file called “update_ver.” The next step was another PowerShell command, which in turn downloaded and executed the Bumblebee DLL.
Interestingly, the researchers noted, the attack chains used in Bumblebee campaigns before the hiatus were significantly different. Previous campaigns sent emails containing URLs that led to the download of a DLL that, when executed, launched Bumblebee; or the emails contained exploitative HTML attachments HTML smuggling to drop a RAR file that, if executed, exploited the file WinRAR defect CVE-2023-38831 to install Bumblebee.
Other previous Bumblebee campaigns leveraged emails with compressed, password-protected VBS attachments that, when executed, used PowerShell to download and run the loader, or emails that contained compressed LNK files to download an executable file that launched Bumblebee.
“Of the nearly 230 Bumblebee campaigns identified since March 2022, only five used macro-laden content; four campaigns used XL4 macros, and one used VBA macros,” according to the researchers.
Defenders beware
While Proofpoint did not attribute the recent Bumblebee campaign to any monitored threat actor, although the use of OneDrive URLs and return address appears in line with previous TA579 activity. However, the company has included a list of indicators of compromise (IoC) to aid in threat hunting.
The researchers also urged organizations to be on alert for the characteristics of the malicious email campaigns mentioned above and said they assessed with “high confidence” that Bumblebee is used “as an initial login facilitator to deliver subsequent payloads such as the ransomware.”
Organizations can also adopt basic security best practices to avoid compromises with malicious email campaigns, such as conducting employee training to help people identify phishing and other targeted scams and implementing email security scanning software. email that flags suspicious messages before they reach employee inboxes.