Emerging Malware Loader: The Sting of Bumblebee

A new malware loader known as Bumblebee has been observed in the threat landscape as a likely successor to BazaLoader and IceID.

Written in C++, Bumblebee, which functions as a downloader setting up retrieval / execution of later-stage malicious payloads, has been observed in the threat landscape during March of 2022 and is said to introduce sophisticated innovation, not least evasion techniques and anti-virtualization checks.

“Interestingly, the increased detection of the malware loader in the threat landscape corresponds to a drop in BazaLoader deployments since February 2022, another popular loader used for delivering file-encrypting malware and developed by the now-defunct TrickBot gang, which has since been absorbed into Conti,” stated a report in The Hacker News, Cybercriminals Using New Malware Loader

Bumblebee has been recently associated with at least three separate cyberattacks, notably phishing lures involving DocuSign-branded email. According to National Cybersecurity News Today: “Attack chains distributing Bumblebee have taken the form of DocuSign-branded email phishing lures incorporating fraudulent links or HTML attachments, leading potential victims to a compressed ISO file hosted on Microsoft OneDrive.”

“As an initial-access tool – backdoor malware that infects a target before loading follow-on binaries – Bumblebee specializes in stealth, according to research from Proofpoint. "Bumblebee is in active development and wields elaborate evasion techniques to include complex anti-virtualization," researchers explain. According to DarkReading.com:"Unlike most other malware that uses process hollowing or DLL injection, this loader utilizes an asynchronous procedure call (APC) injection to start the shellcode from the commands received from the command and control (C2)."”

According to National Cyber News Today (NCNT), Bumblebee strategies can be tied back to cyber gangs the likes of Conti and Diavol which have in the past used the BazaLoader and IceID loaders, pointing out that “...the swift disappearance of BazarLoader in recent weeks,…" coincides with the emergence of Bumblebee.

“Bumblebee, like BazarLoader, likely is used to gain initial access to vulnerable systems and networks. The bad actors then sell that access to other cybercriminals who deliver their malicious payloads into the compromised environments.” reported National Cyber News Today.

Dark Reading.com offers good detail of how Bumblebee goes about its business: “As an initial-access tool – backdoor malware that infects a target before loading follow-on binaries – Bumblebee specializes in stealth, according to research from Proofpoint. "Bumblebee is in active development and wields elaborate evasion techniques to include complex anti-virtualization," researchers explain in a report issued on Thursday. "Unlike most other malware that uses process hollowing or DLL injection, this loader utilizes an asynchronous procedure call (APC) injection to start the shellcode from the commands received from the command and control (C2)."

Recommended protections include maintaining basic security hygiene, prompt patching, use of MFA, and raising employee awareness of threats posed by phishing and social engineering.