The Bumblebee malware, first identified in April 2022, is back after a four-month pause. The malware, believed to have been created by the Conti and Trickbot cybercrime syndicate, has begun phishing campaigns against thousands of U.S. organizations. Bumblebee is typically used to distribute additional payloads, such as Cobalt Strike beacons, on infected devices for initial network access and to carry out ransomware attacks.
Cybersecurity firm Proofpoint has observed a significant resurgence of Bumblebee since October, predicting a potential upswing in cybercrime activities heading into 2024. The latest phishing campaign distributing Bumblebee is disguised as voicemail notifications, with the subject 'Voicemail February'. These phishing emails, originating from the address 'info@quarlessa[.]com', were sent to thousands of U.S. organizations. The emails contain a OneDrive URL that downloads a Word document named 'ReleaseEvans#96.docm' or similar, purporting to be from consumer electronics company hu.ma.ne, known for its AI-powered pin.
The malicious document utilizes macros to create a script file in the Windows temp folder, which is then executed using 'wscript'. This temporary file contains a PowerShell command that fetches and executes the next stage from a remote server, eventually downloading and running the Bumblebee DLL (w_ver.dll) on the victim's system. Proofpoint points out the notable and unusual use of VBA macros in documents, especially after Microsoft's decision to block macros by default in 2022, making it harder for the campaign to achieve much success.
Prior to this, Bumblebee campaigns used different methods like direct DLL downloads, HTML smuggling, and exploitation of vulnerabilities such as CVE-2023-38831 to deliver the final payload. The current attack chain represents a significant departure from these modern techniques. The reasons for this could be evasion, as malicious VBAs are now less common, or niche targeting aimed at severely outdated systems. Bumblebee might also be testing and diversifying its distribution methods.
Before Bumblebee's hiatus, the last significant development in the malware was in September 2023, when it employed a new distribution technique leveraging the abuse of 4shared WebDAV services to evade blocklists. Bumblebee is often rented to cybercriminals who want to bypass the initial access stage and introduce their payloads into already-breach systems. While there's not enough evidence to attribute the recent campaign to any specific threat groups, Proofpoint notes the campaign bears the hallmarks of the threat actors they track as TA579. Other threat actors recently showing increased activity include TA576, TA866, TA582, and TA2541.
The disruption of QBot (Qakbot) by law enforcement authorities has created a gap in the payload distribution market, which other malware are attempting to fill. Notable instances include DarkGate and Pikabot, two highly capable malware loaders that now drive infections via multiple channels, including phishing, malvertising, and messages on Skype and Microsoft Teams. Zscaler recently published a report on Pikabot, noting that the malware has reemerged with a new, simplified version this month, following a brief hiatus after Christmas last year. The new Pikabot version has stripped the advanced code obfuscation techniques used previously and uses a less versatile configuration system, indicating it could be an early release of a revamped variant.