Proofpoint has identified a new malware loader known as Bumblebee. At least three different threat clusters tied to ransomware operations employ the loader.
Bumblebee was most likely created by the Conti gang to replace the BazarLoader backdoor (aka BazaLoader). Since February, when Bumblebee first appeared, BazarLoader has been absent from the researchers' radar. Several cybercriminal outfits that formerly relied on BazarLoader have switched to this new loader. Threat actors deliver it through a variety of methods. Although file names, lures, and distribution methods vary, the campaigns share some commonalities, such as the use of ISO files containing shortcut (LNK) files and DLLs.
The malware is still under active development and employs sophisticated evasion techniques. When Bumblebee receives commands from the C2, it uses asynchronous procedure call (APC) injection to launch the shellcode. The downloader also includes anti-virtualization checks and a novel implementation of common downloader functionality. Shellcode, Cobalt Strike, Meterpreter, and Sliver have all been observed as delivered payloads.
Bumblebee's appearance and its use by a variety of threat groups suggest a shift in the threat landscape. The researchers concluded, with moderate confidence, that the attackers using the loader are likely initial access brokers for ransomware actors.
BazarLoader vanished at the same time as the Conti files were leaked online. Infrastructure related to BazarLoader was revealed in the leaked Bumblebee files. The most recent version of the loader, discovered on April 19, has received significant upgrades: it now supports multiple C2 servers via a comma-delimited list, the sleep interval can be randomised, and network communications are encrypted.
Bumblebee, a sophisticated malware downloader, is still being actively developed. By replacing BazarLoader, it has quickly become a multipurpose tool used by many threat groups. The emergence of this loader demonstrates how readily threat actors can reshape the threat landscape by adopting new tooling.