Bumblebee – Malware Distributed Through Email Lures and File Sharing
Incident Report for Ascend Security Events

Source: Unit 42 by Palo Alto Networks

Cybersecurity analysts at Palo Alto Networks' Unit 42 have recently shared information regarding "Bumblebee", a new malware family observed in use by threat actors. Starting in March 2022, threat actors such as Projector Libra, who had previously been distributing BazarLoader, switched to pushing Bumblebee instead. Security researchers dubbed the malware "Bumblebee" because it uses the string "bumblebee" in the User-Agent header of the HTTPS traffic it generates after infection.

Like most phishing campaigns, the infection chain begins with an email to an end user. If the potential victim responds to the initial email, Projector Libra replies that a separate email has been sent through a file sharing service to provide a file relevant to the discussion. The victim then receives an email generated by the file sharing service. That email contains a link to the malware, disguised as the file discussed in the previous Projector Libra message.

In the malware sample examined by researchers, the threat actors used a legitimate service, TransferXL, a file-sharing service with a free tier. It is one of many file sharing services with a free pricing tier that are frequently abused by criminal groups. TransferXL download URLs expire after one week, which helps conceal the malware from security researchers who look at the campaign later.

If the file is downloaded and executed, it contacts a command and control (C2) server to download additional malicious files and execute commands. Malware distribution patterns show that Bumblebee continues where BazarLoader left off, including pushing follow-up malware such as Cobalt Strike that can eventually lead to a ransomware infection.

Indicators of Compromise:

As a result, Ascend Technologies has pushed detections for the known IOCs across our EDR, SIEM, and anti-malware platforms. These IOCs include IP addresses and file hashes, which give us the ability to detect and alert on them. As with most malware, end users are the target, so maintaining a robust security posture, including end-user training that builds safe and secure internet browsing habits, is highly important.
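Added example, not part of the Unit 42 or Ascend material: a small detection routine that covers the two observables the report gives, the "bumblebee" User-Agent marker in post-infection HTTPS traffic and the hash/IP indicators, run over constructed proxy log lines and EDR file events. The log format, the indicator values (placeholders, not the report's IOCs) and the function names are assumptions; the User-Agent check can only fire where outbound TLS is inspected at the proxy.

```python
"""Match constructed proxy/EDR records against Bumblebee-style indicators."""
import re
from dataclasses import dataclass

# Constructed placeholder indicators (documentation IP ranges, dummy hash).
# Threat feeds are often published defanged ("[.]"), so normalise before matching.
IOC_IPS_DEFANGED = ["203.0.113[.]10", "198.51.100[.]7"]
IOC_SHA256 = {"0" * 63 + "1"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 203.0.113[.]10 back into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


@dataclass(frozen=True)
class Alert:
    rule: str
    record: str


# Assumed proxy log layout: "<timestamp> <src_ip> <dst_ip> <status> <user-agent...>"
PROXY_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (.*)$")


def scan_proxy_lines(lines, ioc_ips):
    """Flag destinations in the IoC set and the 'bumblebee' User-Agent marker."""
    ip_set = {refang(i) for i in ioc_ips}
    alerts = []
    for line in lines:
        m = PROXY_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        _ts, _src, dst, _status, ua = m.groups()
        if dst in ip_set:
            alerts.append(Alert("ioc_ip", line))
        if "bumblebee" in ua.lower():
            alerts.append(Alert("bumblebee_ua", line))
    return alerts


def scan_file_events(events, ioc_hashes):
    """events: iterable of (path, sha256) pairs from an EDR file-write feed."""
    want = {h.lower() for h in ioc_hashes}
    return [Alert("ioc_hash", f"{p} {h}") for p, h in events if h.lower() in want]


SAMPLE_PROXY = [  # constructed sample lines
    "2022-08-05T15:24:00Z 10.0.0.5 93.184.216.34 200 Mozilla/5.0 (Windows NT 10.0)",
    "2022-08-05T15:25:10Z 10.0.0.5 203.0.113.10 200 bumblebee",
    "2022-08-05T15:26:00Z 10.0.0.7 198.51.100.7 200 Mozilla/5.0",
]
SAMPLE_EVENTS = [("C:\\Users\\u\\Downloads\\file.bin", "0" * 63 + "1")]  # constructed
```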

Author: Evan Obal

Source: https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/
Posted Aug 05, 2022 - 15:24 CDT