Bumblebee, Proofpoint discovers new ongoing malware campaigns
In March 2022, the cybersecurity company Proofpoint announced it had observed campaigns deploying a new downloader malware named Bumblebee.
According to Proofpoint, at least three enterprise clusters with known threat actors are currently deploying Bumblebee.
The campaigns identified by Proofpoint share commonalities with the activity described in Google's Threat Analysis Group blog, which links that activity to the Conti and Diavol ransomware.
Bumblebee, Proofpoint explains, is a sophisticated downloader that contains anti-virtualization checks and a unique implementation of common downloader capabilities, despite being so early in its development.
Bumblebee's goal, according to the cybersecurity experts, is to download and run additional payloads. The malware's name derives from the unique "bumblebee" user agent used in early campaigns.
The rise of Bumblebee in the threat landscape, the researchers also point out, coincides with the recent disappearance of the widespread BazaLoader payload from Proofpoint threat data.
The Proofpoint researchers noted that Bumblebee is distributed in email campaigns by at least three tracked threat actors.
Threat actors have used several techniques to deploy Bumblebee.
While lures, delivery techniques, and filenames are typically customized for the different threat actors running campaigns, Proofpoint noted several commonalities between campaigns, such as the use of ISO files containing shortcuts and DLL files, and a common DLL entry point used by multiple actors in the same week.
The use of Bumblebee by multiple threat actors, the timing of its introduction into the landscape, and its behaviors can, according to Proofpoint, be seen as a notable shift in the cybercriminal threat landscape.
Additionally, Proofpoint assesses with moderate confidence that actors using Bumblebee can be considered initial access brokers, i.e. independent cybercriminal groups that infiltrate high-value targets and then sell access to follow-on ransomware actors.
At least three threat actors who typically distribute BazaLoader malware have transitioned to Bumblebee payloads, with BazaLoader last appearing in Proofpoint data in February 2022.
BazaLoader's apparent disappearance from the cybercrime threat landscape, Proofpoint highlights, coincides with the Conti Leaks, when, in late February 2022, a Ukrainian researcher with access to Conti's internal operations began leaking data from the cybercriminal organization. Infrastructure associated with BazaLoader has been identified in the leaked files.
Proofpoint assesses with high confidence, based on malware artifacts, that all tracked threat actors using Bumblebee receive it from the same source.
Proofpoint published details of the Bumblebee cyberthreat on its blog.