A new malware loader with evasion features designed to escape detection is circulating in the wild. Named "Bumblebee", it is emerging as a replacement for the established IcedID and BazaLoader loaders.
Bumblebee Malware Loader Surfaces Online
Researchers from Proofpoint have found the new “Bumblebee” malware loader as a replacement for the BazaLoader and IcedID malware loaders.
According to the researchers, the loader appears to be under active development. Even so, it already has enough malicious functionality to make it a dangerous delivery mechanism.
Bumblebee is not merely a lab sample: the researchers identified "at least three clusters of activity" delivering it, and observed several threat actors adopting Bumblebee in place of BazaLoader in their campaigns.
Analysis shows that Bumblebee is written in C++. Its configuration is currently stored in plaintext, although the developers may add obfuscation in future versions. Once it has infected a device and established itself, Bumblebee collects system information, hashes it, and derives a unique bot ID from the result.
The loader then contacts its command-and-control (C&C) server for further instructions. The next stage does not follow immediately, however: the follow-on payload is not pushed automatically but deployed manually by the operators, so there is typically a delay before the next malware appears.
The researchers have shared a detailed technical analysis of the malware in their blog post.
Malware Active In The Wild
As for delivery, the threat actors behind Bumblebee deploy it through phishing campaigns. One such campaign, observed by Proofpoint in March 2022, used DocuSign-branded emails.
In March 2022, Proofpoint observed a DocuSign-branded email campaign with two alternate paths designed to lead the recipient to the download of a malicious ISO file.
In the first path, clicking the embedded "Review the document" link led to the download of the malicious ISO. In the second, the email carried an HTML attachment which, when opened, downloaded the malware. Proofpoint attributed this campaign to the TA579 cybercriminal group.
In April 2022, Proofpoint observed another phishing campaign that used thread hijacking, inserting the lure into existing email conversations to make it appear legitimate.
In a further campaign, the attackers targeted websites by submitting messages through the sites' own contact forms. The messages claimed that "stolen images" were hosted on the site, a lure designed to pressure the site owner into opening the message and following the link to the malware.
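The two delivery paths described above (a link to an ISO download, or an HTML attachment that fetches the file) are both visible in mail metadata before anything runs. The following Python script, added here as an illustration and not Proofpoint's or any vendor's detection logic, triages raw email messages for those two indicators. The messages and the `example.invalid` URL are constructed samples; the attachment extensions and the ISO-link check are assumptions about what a mail filter would look for, not indicators taken from the article.

```python
import email
import re
from email import policy

# Attachment types worth flagging for the delivery paths described in the
# article: disk images (ISO) and HTML files that fetch the image. The list
# is an assumption for this example, not a published indicator.
SUSPICIOUS_ATTACHMENT_EXTS = (".iso", ".img", ".html", ".htm")

# Matches href attributes pointing at an ISO file in an HTML body.
ISO_LINK_RE = re.compile(r"""href\s*=\s*["']([^"']+\.iso)["']""", re.IGNORECASE)


def triage_message(raw: str) -> dict:
    """Return findings for one raw RFC 822 message.

    Findings are tagged "attachment:<name>" for a suspicious attachment and
    "iso_link:<url>" for a hyperlink to an ISO in an HTML part.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(SUSPICIOUS_ATTACHMENT_EXTS):
            findings.append(f"attachment:{filename}")
        if part.get_content_type() == "text/html":
            for link in ISO_LINK_RE.findall(part.get_content()):
                findings.append(f"iso_link:{link}")
    return {"subject": str(msg["Subject"]), "findings": findings,
            "suspicious": bool(findings)}


# Constructed sample 1: the "Review the document" link path.
SAMPLE_ISO_LINK = """From: notifications@example.invalid
To: user@example.invalid
Subject: Please review your document
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>A document is waiting for you.</p>
<a href="https://example.invalid/docs/contract.iso">Review the document</a>
</body></html>
"""

# Constructed sample 2: the HTML attachment path.
SAMPLE_HTML_ATTACHMENT = """From: notifications@example.invalid
To: user@example.invalid
Subject: Document attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please open the attached document.
--b1
Content-Type: text/html; name="document.html"
Content-Disposition: attachment; filename="document.html"

<html><body>placeholder</body></html>
--b1--
"""

# Constructed sample 3: a benign plain-text message.
SAMPLE_BENIGN = """From: colleague@example.invalid
To: user@example.invalid
Subject: Lunch
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Are we still on for noon?
"""

if __name__ == "__main__":
    for sample in (SAMPLE_ISO_LINK, SAMPLE_HTML_ATTACHMENT, SAMPLE_BENIGN):
        result = triage_message(sample)
        print(f"{result['subject']!r}: suspicious={result['suspicious']} "
              f"findings={result['findings']}")
```

The script only reads headers and bodies; it never opens an attachment or follows a link, so it is safe to run over a quarantined mailbox. In production this check would sit alongside sandboxing of the ISO itself, since the container format is the point of the technique: an ISO mounts as a drive and its contents can escape controls that apply to downloaded files.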
Because Bumblebee is a loader whose purpose is to stage further malware, including ransomware, unexpected ISO downloads and HTML attachments in email deserve particular scrutiny. Keeping endpoint anti-malware running and up to date remains essential for blocking the loader and the payloads it fetches.