Notorious Bumblebee Malware Re-emerges with New Attack Methods

Written by

Bumblebee malware has re-emerged following a four-month absence from the cyber threat landscape, according to Proofpoint research.

The new campaign, observed in February 2024, used a “significantly different” attack chain compared to previous Bumblebee infiltrations.

The return of Bumblebee coincides with the reappearance of several notorious threat actors at the start of 2024 following a temporary “Winter lull,” the researchers added.

Bumblebee was frequently observed being used by multiple threat actors from March 2022 through to October 2023. In total, Proofpoint identified 230 Bumblebee campaigns during this period.

The sophisticated downloader is primarily used as an initial access broker, to download and execute additional payloads, such as Cobalt Strike, shellcode, Sliver and Meterpreter.

A range of creative methods have been used to distribute Bumblebee. For example, Secureworks reported in April 2023 that popular software tools such as Zoom, Cisco AnyConnect, ChatGPT and Citrix Workspace had been trojanized to infect victims.

What Does the Bumblebee Campaign Look Like?

Proofpoint said Bumblebee “disappeared” from its radar in October 2023, before observing a new campaign designed to distribute the malware in February 2024.

The attackers utilized social engineering techniques to entice targets into downloading Bumblebee. In the campaign, several thousand emails were sent from the address “info@quarlesaa[.]com to organizations in the US with the subject “Voicemail February.”

These emails contained OneDrive URLs, leading to a Word file with names such as “ReleaseEvans#96.docm.”

Screenshot of the voicemail-themed email lure. Source: Proofpoint
Screenshot of the voicemail-themed email lure. Source: Proofpoint

This Word document spoofed consumer electronics firm Humane.

The documents used macros to create a script in the Windows temporary directory, with the dropped file executed using “wscript.”

Inside the dropped temporary file was a PowerShell command, which downloaded and executed the next stage of the attack chain from a remote server.

This next stage was another PowerShell command stored in file “update_ver,” which downloaded and ran the Bumblebee DLL.

The researchers highlighted a range of unique characteristics associated with this new Bumblebee campaign. This included the use of VBA macro-enabled documents in the attack chain. Proofpoint noted that most cybercriminal threat actors have nearly stopped using VBA documents.

Previous Bumblebee campaigns used approaches like combining URLs and attachments and exploiting vulnerabilities.

Threat Actors Resume Campaigns Following Winter Break

Proofpoint has not been able to attribute the new campaign to a tracked threat actor. However, the researchers noted that some of the techniques used, such as the voicemail lure theme and use of OneDrive URLs, align with previous activities of the TA579 group.

The blog post noted that several tracked threat actors have resumed activities after an absence at the end of 2023. This includes TA577 returning to deliver the Qbot malware at the end of January after a month-long absence from mid-December.

Proofpoint said it expects this “high operational tempo” to continue until anticipated summer breaks.

“2024 has started off with a bang for cybercriminal threat actors, with activity returning to very high levels after a temporary winter lull. Proofpoint researchers continue to observe new, creative attack chains, attempts to bypass detections, and updated malware from many threat actors and unattributed threat clusters,” the researchers wrote.

What’s hot on Infosecurity Magazine?