Bumblebee – Emerging Ransomware Loader
Incident Report for Ascend Security Events
Posted Jul 01, 2022 - 13:55 CDT

Source: Symantec Threat Hunter Team

Cyber threat researchers at Symantec have published their findings on Bumblebee. This recently developed malware loader has quickly become a key component in a wide range of cyber-crime attacks and appears to have replaced several older loaders used by high-profile threat actors.

The Bumblebee malware loader has been seen in a number of ransomware operations, including Conti, Quantum, and Mountlocker. The tactics, techniques, and procedures (TTPs) seen in these operations overlap with older attacks linked to Trickbot and BazarLoader, which supports the hypothesis that Bumblebee was introduced as a replacement for those loaders.

In the Bumblebee attacks observed, the initial infection vector was a spear-phishing email with an attachment containing an ISO file. The ISO file contained a Bumblebee DLL and an LNK file; the LNK file loaded the Bumblebee DLL using rundll32.exe. The Bumblebee loader then communicated with a malicious command-and-control (C2) server to carry out further malicious operations on the device, such as terminating processes associated with malware analysis.
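The rundll32.exe step described above is the part of the chain a defender can look for in process-creation telemetry. The following check is an added example, not code from this report or from Symantec: it runs over constructed sample events (field names ParentImage/Image/CommandLine and the system drive letter are assumptions) and flags rundll32.exe launches whose DLL argument lives outside the Windows directory, which covers a DLL on a freshly mounted ISO volume as well as one dropped into a user-writable path.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample process-creation events in a simple key=value format (not real
# telemetry and not Symantec's data); the field names ParentImage/Image/CommandLine are
# modelled loosely on Sysmon Event ID 1 and are an assumption of this example.
SAMPLE_EVENTS = [
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\rundll32.exe|CommandLine=rundll32.exe E:\docs.dll,Export1",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\rundll32.exe|CommandLine=rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    r'ParentImage=C:\Windows\System32\svchost.exe|Image=C:\Windows\System32\rundll32.exe|CommandLine="C:\Windows\System32\rundll32.exe" "C:\Windows\System32\shell32.dll",Control_RunDLL',
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe C:\Users\alice\notes.txt",
    r'ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\rundll32.exe|CommandLine=rundll32.exe "C:\Users\alice\AppData\Local\Temp\x.dll",Start',
]

SYSTEM_DRIVE = "C:"                    # assumption: the OS volume is C:
TRUSTED_DLL_PREFIX = "c:\\windows\\"   # DLLs under the Windows directory are treated as expected

def parse_event(line: str) -> Dict[str, str]:
    """Split 'k=v|k=v' into a dict; values may themselves contain '=', so split each pair once."""
    return dict(pair.split("=", 1) for pair in line.split("|"))

# First argument after the rundll32 executable (quoted or bare), up to the ',' that
# separates the DLL path from the export name.
_DLL_ARG = re.compile(r'^\s*(?:"[^"]*rundll32\.exe"|\S*rundll32\.exe)\s+(?:"([^"]+)"|([^\s,]+))', re.I)

def extract_dll(cmdline: str) -> str:
    m = _DLL_ARG.match(cmdline)
    return (m.group(1) or m.group(2)) if m else ""

def flag_suspicious_rundll32(events: List[str]) -> List[Tuple[int, str, str]]:
    """Return (event index, dll path, reason) for rundll32 launches whose DLL is outside
    the Windows directory: on another volume (a mounted ISO gets its own drive letter)
    or in a user-writable location such as a temp folder."""
    hits = []
    for i, line in enumerate(events):
        ev = parse_event(line)
        if ev.get("Image", "").lower().rsplit("\\", 1)[-1] != "rundll32.exe":
            continue
        dll = extract_dll(ev.get("CommandLine", ""))
        if not dll or dll.lower().startswith(TRUSTED_DLL_PREFIX):
            continue
        if not dll.upper().startswith(SYSTEM_DRIVE):
            hits.append((i, dll, "DLL loaded from a non-system volume"))
        else:
            hits.append((i, dll, "DLL loaded from outside the Windows directory"))
    return hits

if __name__ == "__main__":
    for hit in flag_suspicious_rundll32(SAMPLE_EVENTS):
        print(hit)
```

Real environments have legitimate rundll32 launches from vendor directories, so this heuristic is a triage filter to be tuned with an allow-list rather than a standalone alert.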

Indicators of Compromise:


As a result, Ascend Technologies has pushed detections for the known IOCs to our EDR, SIEM, and anti-malware platforms. These IOCs, consisting of IP addresses and file hashes, give us the ability to detect and alert on this activity. As with most malware, end users are the target, so maintaining a robust security posture is highly important, including end-user training to develop safe and secure internet browsing habits.

Author: Evan Obal

Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime