Starting in March, three threat groups were observed delivering a new, sophisticated malware loader that researchers said could represent “a notable shift in the cybercriminal threat landscape.”
The loader, which researchers with Proofpoint call Bumblebee (so-called due to the name of a unique User-Agent used in early campaigns), is in active development and includes several complex detection evasion techniques. The aim of the loader is to download and execute additional payloads, and researchers observed Bumblebee dropping Cobalt Strike, shellcode and Sliver in several different campaigns.
“Bumblebee is a sophisticated downloader containing anti-virtualization checks and a unique implementation of common downloader capabilities, despite it being so early in the malware's development,” said researchers with Proofpoint in a Thursday analysis. “The use of Bumblebee by multiple threat actors, the timing of its introduction in the landscape, and behaviors described in this report can be considered a notable shift in the cybercriminal threat landscape."
Of note, the three threat actors leveraging the loader had previously delivered the BazaLoader and IcedID malware. These groups include TA578, a threat actor that has been launching email-based campaigns since at least May 2020 delivering Ursnif, IcedID and BazaLoader; and TA579, which has delivered BazaLoader and IcedID since at least August 2021. Researchers also believe “with moderate confidence” that these actors leveraging Bumblebee may be initial access facilitators that compromise targets and then sell that access to follow-on threat actors.
“The use of Bumblebee by multiple threat actors, the timing of its introduction in the landscape, and behaviors described in this report can be considered a notable shift in the cybercriminal threat landscape."
The attacks deploying Bumblebee included email campaigns that typically leveraged malicious ISO files or thread hijacking. One campaign, for instance, involved a DocuSign-branded email campaign that prompted targets to download a malicious ISO file hosted on OneDrive (either through a hyperlink in the email or via an HTML attachment that then redirected targets), which ultimately led to the execution of the downloader. In another campaign, researchers observed threat actors delivering emails generated by submitting a message to a “Contact Us” form on the victim’s website. The emails purported that the target was using stolen images on the website and contained a link to a landing page claiming to be a “complaint,” which actually executed the downloader.
The downloader, written in C++, starts by gathering system information (including the hostname and UUID) and establishes communication with the command-and-control (C2) server to receive commands. These commands include shellcode and DLL injection, executable download, and the ability to uninstall loaders and enable persistence on the bot.
Bumblebee is also clearly under active development: The loader has morphed within the past month to include new features, such as anti-VM and anti-sandbox checks. Last week, developers added an encryption layer to the network communications, and this week they added a new thread to Bumblebee that checks current running processes against a list of common tools used by malware analysts.
Researchers believe that Bumblebee is an apparent replacement to the BazaLoader malware, which is a popular payload that was first identified in 2020 that facilitates follow-on compromises including ransomware like Conti. Proofpoint researchers said that BazaLoader disappeared from threat data since February. Sherrod DeGrippo, vice president of threat research and detection with Proofpoint, said that one can only speculate, but one reason behind this disappearance could be the fact that detections for BazaLoader have improved over time.
"Actors might switch to something new simply because for a period there were no signatures, no detection mechanisms, and no blogs detailing the activity," said DeGrippo. "When everyone knows what a specific malware is and how it functions it becomes a daily grind for the actors to try and defeat the researchers."