The malware loader known as Bumblebee is increasingly being co-opted by threat actors associated with BazarLoader, TrickBot, and IcedID in their campaigns to breach target networks for post-exploitation activities.
"Bumblebee operators conduct intensive reconnaissance activities and redirect the output of executed commands to files for exfiltration," Cybereason researchers Meroujan Antonyan and Alon Laufer said in a technical write-up.
Bumblebee first came to light in March 2022, when Google's Threat Analysis Group (TAG) unmasked the activities of an initial access broker dubbed Exotic Lily with ties to TrickBot and the larger Conti collective.
Typically delivered via initial access gained through spear-phishing campaigns, the modus operandi has since been tweaked to eschew macro-laced documents in favor of ISO and LNK files, primarily in response to Microsoft's decision to block macros by default.
"Distribution of the malware is done by phishing emails with an attachment or a link to a malicious archive containing Bumblebee," the researchers said. "The initial execution relies on the end-user execution which has to extract the archive, mount an ISO image file, and click a Windows shortcut (LNK) file."
The LNK file, for its part, contains the command that launches the Bumblebee loader, which is then used as a conduit for next-stage actions such as persistence, privilege escalation, reconnaissance, and credential theft.
The Cobalt Strike adversary simulation framework is also employed during the attack once elevated privileges are obtained on infected endpoints, enabling the threat actor to move laterally across the network. Persistence is achieved by deploying the AnyDesk remote desktop software.
In the incident analyzed by Cybereason, the stolen credentials of a highly privileged user were subsequently used to seize control of Active Directory and to create a local user account for data exfiltration.
"The time it took between initial access and Active Directory compromise was less than two days," the cybersecurity firm said. "Attacks involving Bumblebee must be treated as critical, [...] and this loader is known for ransomware delivery."
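As an added example, not code from the Cybereason write-up, the following Python triage helper turns the researchers' observation above (reconnaissance command output redirected to files for later exfiltration) into a detection pass over constructed Sysmon-style process-creation records. The set of reconnaissance utilities and the "three distinct tools writing to one directory" threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Reconnaissance utilities whose output is worth watching; this set is an assumption,
# the write-up summarised above does not enumerate the commands the operators ran.
RECON_BINARIES = {"whoami", "net", "net1", "nltest", "ipconfig", "systeminfo", "tasklist", "nslookup"}

# cmd.exe-style output redirection: ' > path' or ' >> path', optionally quoted.
REDIRECT_RE = re.compile(r'\s>>?\s*"?([A-Za-z]:\\[^"\s]+|[^"\s]+)')
# Unwraps 'cmd.exe /c <inner>' (with or without a full path and quotes) to reach the real command.
CMD_WRAPPER_RE = re.compile(r'^"?(?:[A-Za-z]:\\[^"]*\\)?cmd(?:\.exe)?"?\s+/[cCkK]\s+"?(.*?)"?\s*$')


def recon_redirect(cmdline):
    """Return (recon_tool, output_path) if a recon command's output is redirected to a file, else None."""
    m = CMD_WRAPPER_RE.match(cmdline)
    inner = m.group(1) if m else cmdline
    rm = REDIRECT_RE.search(inner)
    if not rm:
        return None
    first = inner.split()[0].strip('"').lower()
    tool = first.rsplit("\\", 1)[-1].removesuffix(".exe")
    return (tool, rm.group(1)) if tool in RECON_BINARIES else None


def staging_dirs(events, threshold=3):
    """Group redirected recon output by destination directory.

    A directory that collects output from at least `threshold` distinct recon tools is
    reported as a likely exfiltration staging area (threshold is an assumed tuning value).
    """
    tools_by_dir = defaultdict(set)
    for ev in events:
        hit = recon_redirect(ev["CommandLine"])
        if hit:
            tool, path = hit
            tools_by_dir[str(PureWindowsPath(path).parent).lower()].add(tool)
    return {d: sorted(t) for d, t in tools_by_dir.items() if len(t) >= threshold}


# Constructed process-creation records, not real telemetry from the incident.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"cmd.exe /c whoami /all > C:\Users\Public\out\w.txt"},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r'cmd.exe /c "net group /domain >> C:\Users\Public\out\g.txt"'},
    {"Image": r"C:\Windows\System32\nltest.exe", "CommandLine": r"nltest /dclist:corp > C:\Users\Public\out\dc.txt"},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"cmd.exe /c dir > C:\temp\listing.txt"},  # benign: not recon
    {"Image": r"C:\Windows\System32\ipconfig.exe", "CommandLine": "ipconfig /all"},  # recon, but not written to a file
]

if __name__ == "__main__":
    print(staging_dirs(SAMPLE_EVENTS))
```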