"New Bumblebee Malware Loader Increasingly Adopted by Cyber Threat Groups"
Bumblebee, a recently discovered malware loader, has been linked to several prominent ransomware groups as a key component of numerous cyberattacks. According to the Symantec Threat Hunter Team, the tool has links to threat groups such as Conti, Quantum, and Mountlocker. Findings indicate that the Bumblebee loader may have been used as a replacement for Trickbot and BazarLoader, because recent activity involving Bumblebee overlaps with older attacks linked to those loaders. This implies that it was created by well-known actors and that the switch to Bumblebee was pre-planned.

One attack singled out by the team, involving Quantum ransomware, shows how the Bumblebee loader is put into practice. The infection began with a spear-phishing email with an ISO file attached. The ISO contained a Bumblebee DLL and an LNK file; the LNK loaded the DLL through rundll32.exe. The Bumblebee loader then contacted a command-and-control (C2) server and created a copy of itself with a randomized name in the AppData folder. In addition, a Visual Basic Script (VBS) file was created in the same location, and the loader established a scheduled task to run the VBS file every 15 minutes. After a few hours, the loader dropped a Cobalt Strike payload. This had two further outcomes: the injection of a Metasploit DLL into a legitimate Windows process, and the use of the AdFind tool to collect system information such as domain users and group permissions. Once this was done, Bumblebee deployed the Quantum ransomware, allowing the group to encrypt files on the targeted system. Quantum then scraped the system for user information using Windows Management Instrumentation (WMI). The ransomware payload also disabled any malware detection processes.

This article continues to discuss findings surrounding the new Bumblebee malware loader and Bumblebee's connection to previous attacks.
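The chain above gives a defender three concrete process-level signals to hunt for: rundll32.exe loading a DLL from outside the Windows directory (the ISO stage), schtasks creating a minute-interval task that runs a .vbs from AppData (the persistence stage), and AdFind execution (the reconnaissance stage). The following is an added example, not code from the article or from Symantec, that runs those checks over constructed process-creation records; the field names, paths and file names are assumptions, and the scheduled-task rule matches any minute interval rather than only the 15 minutes reported.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    image: str     # full path of the process that started (assumed field name)
    cmdline: str   # its command line
    parent: str    # parent process path

# A path under a user profile's AppData (where the loader copied itself and its VBS)
APPDATA_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
# First DLL path referenced on a command line
DLL_RE = re.compile(r'([A-Za-z]:\\[^",\s]+\.dll)', re.I)

def exe_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def rundll32_nonsystem_dll(ev: ProcEvent) -> bool:
    """rundll32.exe loading a DLL outside the Windows directory (mounted ISO, AppData, Temp).
    Heuristic: some installers do this legitimately, so triage rather than block."""
    if exe_name(ev.image) != "rundll32.exe":
        return False
    m = DLL_RE.search(ev.cmdline)
    return bool(m) and not m.group(1).lower().startswith("c:\\windows\\")

def schtasks_minute_vbs_appdata(ev: ProcEvent) -> bool:
    """schtasks creating a minute-interval task that runs a .vbs from AppData.
    Any /mo interval is matched, not only the 15 minutes seen in the described attack."""
    cl = ev.cmdline.lower()
    return (exe_name(ev.image) == "schtasks.exe" and "/create" in cl
            and "/sc minute" in cl and ".vbs" in cl and APPDATA_RE.search(cl) is not None)

def adfind_recon(ev: ProcEvent) -> bool:
    """AdFind by binary name; attackers may rename it, so in real telemetry also watch
    for its distinctive arguments (e.g. objectcategory filters)."""
    return exe_name(ev.image) == "adfind.exe"

RULES = {f.__name__: f for f in (rundll32_nonsystem_dll, schtasks_minute_vbs_appdata, adfind_recon)}

def detect(events: list[ProcEvent]) -> list[tuple[str, str]]:
    """Return (rule name, command line) for every event some rule matches."""
    return [(name, ev.cmdline) for ev in events for name, rule in RULES.items() if rule(ev)]

# Constructed sample events mirroring the chain in the article (all paths and names are made up)
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\rundll32.exe", r"rundll32.exe E:\invoice.dll,Start", r"C:\Windows\explorer.exe"),  # DLL on mounted ISO
    ProcEvent(r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL", r"C:\Windows\explorer.exe"),  # benign
    ProcEvent(r"C:\Windows\System32\schtasks.exe", r'schtasks /create /sc minute /mo 15 /tn Sync /tr "wscript C:\Users\alice\AppData\Roaming\sync.vbs"', r"C:\Windows\System32\rundll32.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe", r'schtasks /create /sc daily /tn Backup /tr "C:\Program Files\Backup\run.exe"', r"C:\Windows\explorer.exe"),  # benign
    ProcEvent(r"C:\Users\alice\AppData\Local\Temp\adfind.exe", r'adfind.exe -f "(objectcategory=group)"', r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for name, cl in detect(SAMPLE_EVENTS):
        print(f"{name}: {cl}")
```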
TechRepublic reports "New Bumblebee Malware Loader Increasingly Adopted by Cyber Threat Groups"