The latest to join the list of unique malware loaders is a loader called Bumblebee. It is ostensibly a new offering from the development house of the Conti malware syndicate and a replacement for the BazarLoader backdoor which seems to have outlived its utility. The rising preference for Bumblebee stands in sharp contrast to the dipping fortunes of BazarLoader which is no longer the preferred loader for sophisticated ransomware deployment operations.
In the last few weeks, Bumblebee has been pushed widely by at least 4 groups through multi-phase campaigns that deliver ISO files, Zip files, and other archive attachments containing malicious DLL files and execution shortcuts, some of which are hosted on known public cloud service providers.
Some of the phishing campaigns intercepted by Sectrio carry highly convincing content, including LinkedIn invites and a site where you can sign up to support Ukraine. While many of the campaigns started in the week Russia invaded Ukraine, as of now there is little to no evidence to suggest that the two events are linked, though it is possible that the Conti group is using Bumblebee to create a new wave of confusion and distraction while it works on new and more potent malware. The shrinking development cycle for new malware loaders is another cause for concern.
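The delivery pattern described above, an archive attachment that packages an execution shortcut next to a DLL, is something a mail gateway can triage before the attachment ever reaches a user. The script below is an added example written for this article, not Sectrio's code and not derived from any Bumblebee sample: it parses a Zip attachment in memory with the standard library, counts member file types, and assigns a verdict based on whether a shortcut (.lnk) and a DLL travel together or whether the Zip nests another container such as an ISO. The extension sets, verdict tiers and the constructed sample archives are assumptions chosen for illustration; a real pipeline would also check file signatures rather than names alone, and would hand nested ISO images to a separate mounting step.

```python
import io
import zipfile
from collections import Counter

# Assumed extension sets for the heuristic (not indicators from any sample):
# a shortcut that launches a DLL beside it is the lure layout the post describes.
SHORTCUT_EXTS = {".lnk"}
LIBRARY_EXTS = {".dll"}
NESTED_CONTAINER_EXTS = {".iso", ".img", ".zip"}


def _ext(name: str) -> str:
    """Lower-cased extension of an archive member ('' if it has none)."""
    base = name.rsplit("/", 1)[-1].lower()
    return base[base.rfind("."):] if "." in base else ""


def classify_archive(data: bytes) -> dict:
    """Inspect an in-memory Zip attachment and return a triage verdict.

    Only Zip is parsed here (stdlib zipfile). A nested ISO/IMG is reported
    by name rather than opened; mounting disk images needs a separate tool.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [i.filename for i in zf.infolist() if not i.is_dir()]

    exts = Counter(_ext(m) for m in members)
    shortcuts = [m for m in members if _ext(m) in SHORTCUT_EXTS]
    libraries = [m for m in members if _ext(m) in LIBRARY_EXTS]
    nested = [m for m in members if _ext(m) in NESTED_CONTAINER_EXTS]

    reasons = []
    if shortcuts and libraries:
        reasons.append("shortcut and DLL packaged together")
    elif shortcuts:
        reasons.append("execution shortcut in mail attachment")
    if nested:
        reasons.append("archive nests another container (ISO/IMG/ZIP)")

    # Verdict tiers are an assumed policy: pairing is the strongest signal,
    # a lone shortcut or nested container is worth a closer look.
    if shortcuts and libraries:
        verdict = "high"
    elif reasons:
        verdict = "medium"
    else:
        verdict = "low"

    return {
        "verdict": verdict,
        "reasons": reasons,
        "members": members,
        "extension_counts": dict(exts),
    }


def build_sample(entries: dict) -> bytes:
    """Constructed test fixture: build a Zip in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed attachments; member bodies are placeholders because the
    # check is name-based. Names mimic the LinkedIn-invite lure theme.
    lure = build_sample({"LinkedIn_Invite.lnk": b"placeholder",
                         "docs/helper.dll": b"MZplaceholder"})
    benign = build_sample({"report.pdf": b"%PDF-placeholder",
                           "notes.txt": b"hello"})
    for label, blob in (("lure", lure), ("benign", benign)):
        result = classify_archive(blob)
        print(label, result["verdict"], result["reasons"])
```

Run it as a script to see the two constructed archives scored; in a gateway you would call `classify_archive` on each decoded attachment and quarantine or sandbox anything rated "high", while "medium" hits (a lone shortcut, or a Zip wrapping an ISO) are a reasonable trigger for detonation in an analysis VM.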
Here are some of the features of Bumblebee:
- It stops running in virtual and sandbox environments and is known to detect VMs
- After the virtualization check, it starts downloading multiple payloads including Cobalt Strike, Meterpreter, shellcode, and various ransomware
- Bumblebee collects a range of system information, including the specific hostname and UUID before it syncs up with its C&C server to receive its next set of commands
- Bumblebee could also be used as an initial access facilitator, giving other groups a foothold to exploit in return for payment
- It is still in the early stages of development yet already demonstrates advanced features
- Malware gangs are using multiple Command and Control servers to control the loader
- Ransom seems to be the primary motive but one instance of data exfiltration has also been reported
- In a report published in March this year, Google called out the use of the Bumblebee custom downloader in some of the cyber attacks associated with Exotic Lily, a known access broker for all types of ransomware. The involvement of this group, which is innovative, motivated, and closely linked with data exfiltration, ransom campaigns, negotiation, and the hands-on deployment of ransomware such as Conti and Diavol, is itself a cause for alarm
- It is highly stealthy and can remain undetected, without any visible signs, for a long period of time
- It evades detection and analysis because no specific signs are visible across infected machines
- Watch out for a particular email that talks about the Russia-Ukraine war and the need to fund Ukrainian fighters across key conflict zones
- It uses Asynchronous Procedure Calls (APC) to execute commands received from its command and control server
The Conti group is working with at least one APT group to gain access to a wider set of network assets to target. The switch from BazarLoader to Bumblebee was sudden and abrupt: two threat actors that were actively pushing BazarLoader switched over to Bumblebee. Such a rapid switch indicates a high level of confidence in the new loader, as well as a need to move away quickly from old loaders that may no longer be as potent or useful once enterprises have started deploying countermeasures.
With rising threats in cyberspace, you need to ensure that you stay in the game by keeping ahead of hackers and bad actors. Talk to Sectrio’s IoT and OT cybersecurity experts today to learn about the latest in threat detection and neutralization, and try out our IoT and OT focused threat intelligence feeds for free.
Don’t wait up, reach out to Sectrio now.
Explore our malware reports here: Malware Reports
Participate in the CISO Peer Survey 2022 and make your opinion count now, fill up our uniquely designed survey here: CISO Peer Survey 2022
Book a demo now to see our IT, OT and IoT security solution in action: Request a Demo
Try our threat intelligence feeds for free for the next two weeks.