U.S. Organizations Targeted in Bumblebee Malware Campaign

A number of U.S.-based organizations were targeted with emails last week that attempted to spread the well-known Bumblebee malware. The campaign uses a slightly modified attack chain for Bumblebee and marks the return of the malware after a four-month absence from the threat landscape.

Bumblebee is a sophisticated downloader first spotted in March 2022, which was used by several threat groups to download and execute shellcode and the Cobalt Strike and Sliver tools. The malware was in active development when it was first discovered and included several complex detection evasion tactics, but it abruptly disappeared from Proofpoint researchers’ threat data starting in October 2023.

Now, with this latest campaign that included over 2,000 emails, researchers said the malware’s sudden return to the threat landscape is indicative of a more widespread surge of cybercriminal threat activity from several threat actors.

“2024 has started off with a bang for cybercriminal threat actors, with activity returning to very high levels after a temporary winter lull,” said researchers with the Proofpoint threat research team on Tuesday. “Proofpoint researchers continue to observe new, creative attack chains, attempts to bypass detections, and updated malware from many threat actors and unattributed threat clusters.”

Organizations in the U.S. received emails purporting to tell them that they missed a voice call and asking them to click on a link to listen to the voice message. The messages contained the subject "Voicemail February" and were from the sender "info@quarlesaa[.]com." The OneDrive URL led to a malicious Word document that pretended to be a message from a consumer electronics company called Humane. Once clicked, the document used macros to execute a file with a PowerShell command, which eventually led to the download of the Bumblebee DLL.
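As an added illustration (not from Proofpoint or the original article), the sketch below shows one way a defender could flag the macro-to-PowerShell step of this chain in process-creation telemetry, walking process ancestry so an intermediate process between Word and PowerShell does not hide the link. The event fields, file names and the `wscript.exe` intermediary are constructed assumptions, not details of the campaign.

```python
# Constructed process-creation events; field names and values are illustrative
# assumptions, not indicators from the campaign described in the article.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmd": "explorer.exe"},
    {"pid": 210, "ppid": 100, "image": "WINWORD.EXE",    "cmd": 'WINWORD.EXE "voicemail.docm"'},
    {"pid": 222, "ppid": 210, "image": "wscript.exe",    "cmd": "wscript.exe dropped-file"},
    {"pid": 230, "ppid": 222, "image": "powershell.exe", "cmd": "powershell.exe -Command <placeholder>"},
    {"pid": 300, "ppid": 100, "image": "powershell.exe", "cmd": "powershell.exe Get-Date"},
    {"pid": 400, "ppid": 999, "image": "powershell.exe", "cmd": "powershell.exe"},  # parent not logged
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}


def ancestry(pid, by_pid):
    """Return events from `pid` up to the oldest ancestor present in the data."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # `seen` stops loops caused by PID reuse
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def office_spawned_powershell(events):
    """Flag PowerShell processes that have an Office application as an ancestor."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if e["image"].lower() not in SHELLS:
            continue
        chain = ancestry(e["ppid"], by_pid)
        office = next((a for a in chain if a["image"].lower() in OFFICE), None)
        if office is None:
            continue  # ordinary interactive or unattributable PowerShell
        # Keep only the hops between the Office process and PowerShell, oldest first.
        hops = chain[: chain.index(office) + 1]
        path = [a["image"] for a in reversed(hops)] + [e["image"]]
        alerts.append({"pid": e["pid"], "chain": " -> ".join(path)})
    return alerts


if __name__ == "__main__":
    for alert in office_spawned_powershell(EVENTS):
        print(alert)
```

Real telemetry should key processes on a unique process identifier plus timestamp rather than the bare PID, since PIDs are reused over time.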

The attack chain’s use of VBA macro-enabled documents is notable and a bit peculiar, as many threat actors have stopped using macros, said researchers. After Microsoft began blocking macros by default in 2022, threat actors, including those leveraging Bumblebee, started to diversify their own methods to spread malware without relying on macros, including using XLL files, ISO images, Microsoft shortcut files and MSI files.

“Out of the nearly 230 Bumblebee campaigns identified since March 2022, only five used any macro-laden content; four campaigns used XL4 macros, and one used VBA macros,” said researchers.

Researchers said that the Bumblebee loader can be used as an initial access facilitator to deliver follow-on payloads, like ransomware. Due to the use of email here as an initial access vector, researchers said that organizations should continue to focus their efforts on preventing email-based attacks, including training end users to recognize potentially suspicious activity.

"In this case, the actor also used macro-enabled documents, and users should never enable macros, or unblock them, from untrusted or unknown sources," said Selena Larson, senior threat intelligence analyst with Proofpoint.