Bumblebee is at the forefront of cybercrime once again

Writer:
Regina El Ahmadieh

#Bumblebee malware is back after a four-month hiatus, targeting thousands of organizations in the United States in #phishingcampaigns.

Bumblebee is a #malwareloader that was discovered in April 2022 and is believed to have been developed by the #cybercrime syndicates Conti and Trickbot as an alternative to the BazarLoader backdoor.

The return of #Bumblebee since October is also important as it may lead to a broader increase in #cybercrime activities as we head into 2024. It is spread via voicemail notifications and was sent to thousands of organizations in the United States from the address info@quarlessa[.]com. The notification contains a OneDrive URL that downloads a Word document named “ReleaseEvans#96.docm” or something similar, with a lure pretending to be from the consumer electronics company hu.ma.ne. The malicious document uses macros to create a text file in the Windows temporary folder and then executes the dropped file using “wscript”.

This temporary file contains a PowerShell command that fetches and executes the next hop from a remote server, which eventually downloads the Bumblebee DLL file (w_ver.dll) and runs it on the victim’s system.
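A detection sketch for the chain described above (Word macro, then wscript run on a file in the temp folder, then PowerShell), added here as an example and not taken from the article or its sources. The event field names, PIDs, and file names are constructed; the Excel, PowerPoint, and cscript entries generalize beyond the Word and wscript case the article names.

```python
import re

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\|\\windows\\temp\\", re.I)

# Constructed process-creation events (Sysmon Event ID 1 style fields), not real telemetry.
EVENTS = [
    {"pid": 4100, "ppid": 880,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmd": r"WINWORD.EXE /n C:\Users\a\Downloads\invoice.docm"},
    {"pid": 4188, "ppid": 4100, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r"wscript C:\Users\a\AppData\Local\Temp\dropped.txt"},
    {"pid": 4240, "ppid": 4188,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe <constructed placeholder>"},
    # Benign: a script and a shell started from Explorer (parent not in the sample).
    {"pid": 5000, "ppid": 880, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r"wscript C:\Scripts\backup.vbs"},
    {"pid": 5100, "ppid": 880,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -File C:\Scripts\report.ps1"},
]

def exe(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

def find_chains(events):
    """Return (office_pid, script_host_pid, powershell_pid or None) per match.

    Assumes PIDs are unique within the window being analysed.
    """
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for host in events:
        parent = by_pid.get(host["ppid"])
        if exe(host["image"]) not in SCRIPT_HOSTS or parent is None:
            continue
        # Stage 1: Office application starts a script host on a file in a temp folder.
        if exe(parent["image"]) not in OFFICE or not TEMP_DIR.search(host["cmd"]):
            continue
        # Stage 2: PowerShell started by that script host, if present.
        children = [c["pid"] for c in events
                    if c["ppid"] == host["pid"] and exe(c["image"]) == "powershell.exe"]
        for ps in children or [None]:
            hits.append((parent["pid"], host["pid"], ps))
    return hits

if __name__ == "__main__":
    print(find_chains(EVENTS))
```

A match with `None` in the third position means the script host ran from an Office parent but no PowerShell child was logged, which is still worth triage.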

Previous #Bumblebee campaigns have used methods such as direct DLL downloads, HTML smuggling, and exploitation of #vulnerabilities such as CVE-2023-38831 to deliver the final payload. The current attack chain therefore represents a significant departure from more recent techniques.

Before #Bumblebee appeared, the last notable development in #malware was in September 2023, when this malware used a new distribution technique based on misuse of WebDAV services at 4shared to evade blocklists.

#Bumblebee is typically rented to cybercriminals who want to bypass the initial access phase and insert their payloads into systems that have already been compromised.

 
