"New Bumblebee Malware Loader in Active Development"

Three threat groups have been observed delivering a new, sophisticated malware loader dubbed Bumblebee. According to researchers at Proofpoint, the loader is written in C++, is in active development, and applies complex detection evasion techniques. Its purpose is to download and execute additional payloads; in several campaigns it has been observed dropping Cobalt Strike, shellcode, and Sliver. The researchers' analysis shows that, even at this early stage of development, Bumblebee contains anti-virtualization checks and a unique implementation of common downloader capabilities.

The threat actors seen using the loader had previously delivered the BazaLoader and IcedID malware. One of the groups is TA578, which has run email-based campaigns since at least May 2020 delivering Ursnif, IcedID, and BazaLoader. Another is TA579, which has delivered BazaLoader and IcedID since at least August 2021. The actors leveraging Bumblebee could be initial access facilitators that compromise targets and then sell that access to follow-on threat actors.

Attacks in which Bumblebee was deployed include email campaigns involving malicious ISO files or thread hijacking. In one campaign, DocuSign-branded emails tried to trick targets into downloading a malicious ISO file hosted on OneDrive, either through a hyperlink in the email or through an HTML attachment that redirected the target to the file; opening the ISO led to execution of the downloader. The downloader collects system information, including the hostname and UUID, and then establishes communication with the command-and-control (C2) server to receive commands. This article continues to discuss key observations surrounding the Bumblebee malware loader.
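The delivery chain above (an ISO lands in a user's profile, and shortly afterwards a program runs from the drive letter Windows assigns to the mounted image) is the kind of sequence an endpoint team can correlate from ordinary telemetry. The following Python is an added example written for this summary; it is not Proofpoint's or Decipher's code and does not describe Bumblebee's internals. The event records are constructed here and only loosely follow Sysmon field names (Event ID 11 FileCreate, Event ID 1 ProcessCreate); the field layout, the 60-second window, the "C:" system drive and the drive-letter heuristic are all assumptions of the example, not facts from the article.

```python
"""Added example: correlate an ISO download with a later process launch from
another drive letter. Illustrative code for this summary, not vendor tooling."""
from datetime import datetime

# Constructed sample events for this example (not real telemetry). Field names
# loosely follow Sysmon: id 11 = FileCreate, id 1 = ProcessCreate. Times are UTC.
SAMPLE_EVENTS = [
    # A browser writes an ISO into alice's Downloads folder.
    {"ts": "2022-04-28T10:00:01", "id": 11, "user": "CORP\\alice",
     "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "target": "C:\\Users\\alice\\Downloads\\DocuSign_Document.iso"},
    # Ordinary activity on the system drive: should not be flagged.
    {"ts": "2022-04-28T10:00:05", "id": 1, "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "parent": "C:\\Windows\\explorer.exe"},
    # 19 seconds after the download, something runs from E:\ (assumed to be the
    # drive letter Windows gave the mounted image): this is the chain of interest.
    {"ts": "2022-04-28T10:00:20", "id": 1, "user": "CORP\\alice",
     "image": "E:\\Document.exe", "parent": "C:\\Windows\\explorer.exe"},
    # bob runs an installer from D:\ with no recent ISO in his profile: not flagged.
    {"ts": "2022-04-28T09:30:00", "id": 1, "user": "CORP\\bob",
     "image": "D:\\setup.exe", "parent": "C:\\Windows\\explorer.exe"},
    # alice launches from E:\ again five minutes later: outside the window.
    {"ts": "2022-04-28T10:05:00", "id": 1, "user": "CORP\\alice",
     "image": "E:\\Document.exe", "parent": "C:\\Windows\\explorer.exe"},
]


def parse_ts(value):
    """Parse the ISO-8601 timestamp used by the constructed records."""
    return datetime.fromisoformat(value)


def is_iso_in_user_profile(path):
    """True for an .iso written somewhere under C:\\Users\\ (assumed profile root)."""
    p = path.lower()
    return p.endswith(".iso") and p.startswith("c:\\users\\")


def find_iso_execution_chains(events, window_seconds=60, system_drive="C:"):
    """Return (iso_path, image, seconds_between) for every process start from a
    non-system drive letter that follows, within window_seconds, an .iso being
    written into the same user's profile. UNC image paths are ignored because
    they carry no drive letter."""
    ordered = sorted(events, key=lambda e: parse_ts(e["ts"]))
    recent_isos = {}  # user -> list of (timestamp, iso_path)
    hits = []
    for e in ordered:
        t = parse_ts(e["ts"])
        user = e.get("user", "")
        if e["id"] == 11 and is_iso_in_user_profile(e["target"]):
            recent_isos.setdefault(user, []).append((t, e["target"]))
        elif e["id"] == 1:
            drive = e["image"][:2].upper()
            if not drive.endswith(":") or drive == system_drive.upper():
                continue
            for iso_t, iso_path in recent_isos.get(user, []):
                delta = (t - iso_t).total_seconds()
                if 0 <= delta <= window_seconds:
                    hits.append((iso_path, e["image"], delta))
    return hits


if __name__ == "__main__":
    for iso_path, image, delta in find_iso_execution_chains(SAMPLE_EVENTS):
        print(f"{image} started {delta:.0f}s after {iso_path} was written")
```

Run against the constructed events, only the alice chain at 10:00:20 is reported. The window and the "any non-system drive letter" test are deliberately loose; on a real fleet you would tighten the process-start side (for example, to image mounts recorded by Windows' own VHD mount logging, which this example does not consume) and add allow-lists for legitimate removable media.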

Decipher reports "New Bumblebee Malware Loader in Active Development"
