Bumblebee malware has re-emerged following a four-month absence from the cyber threat landscape, according to Proofpoint research.
The new campaign, observed in February 2024, used a “significantly different” attack chain compared to previous Bumblebee infiltrations.
The return of Bumblebee coincides with the reappearance of several notorious threat actors at the start of 2024 following a temporary “Winter lull,” the researchers added.
Bumblebee was frequently observed being used by multiple threat actors from March 2022 through to October 2023. In total, Proofpoint identified 230 Bumblebee campaigns during this period.
The sophisticated downloader is used mainly by initial access brokers to download and execute additional payloads, such as Cobalt Strike, shellcode, Sliver and Meterpreter.
A range of creative methods have been used to distribute Bumblebee. For example, Secureworks reported in April 2023 that popular software tools such as Zoom, Cisco AnyConnect, ChatGPT and Citrix Workspace had been trojanized to infect victims.
What Does the Bumblebee Campaign Look Like?
Proofpoint said Bumblebee “disappeared” from its radar in October 2023, before observing a new campaign designed to distribute the malware in February 2024.
The attackers used social engineering to entice targets into downloading Bumblebee. In the campaign, several thousand emails were sent from the address “info@quarlesaa[.]com” to organizations in the US with the subject “Voicemail February.”
These emails contained OneDrive URLs, leading to a Word file with names such as “ReleaseEvans#96.docm.”
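The lure described above (a spoofed sender, a voicemail-themed subject, a OneDrive link and a macro-enabled .docm file) can be turned into a simple mail-gateway triage rule. The following is an added example, not code from Proofpoint or from this article: the sender domain, the "Voicemail" subject, the OneDrive link and the .docm name pattern are the indicators the article reports; the OneDrive host names, the JSON field names, the name regex generalised from the single observed file name and the sample records are constructed assumptions.

```python
"""Triage e-mail metadata against the Bumblebee lure described in the article.

Added example, not Proofpoint's or the article's code. Only the sender
address, the "Voicemail" subject, the OneDrive link and the .docm lure name
come from the article; host names, field names and the sample records are
constructed assumptions.
"""
import json
import re
from urllib.parse import urlparse

SENDER_DOMAIN = "quarlesaa.com"                    # info@quarlesaa[.]com, refanged
SUBJECT_KEYWORD = "voicemail"                      # "Voicemail February"
ONEDRIVE_HOSTS = ("onedrive.live.com", "1drv.ms")  # assumed OneDrive link hosts
MACRO_DOC_EXT = (".docm", ".dotm")                 # macro-enabled Word documents
# Assumed generalisation of the one observed name "ReleaseEvans#96.docm".
LURE_NAME_RE = re.compile(r"^[A-Za-z]+#\d+\.docm$", re.IGNORECASE)


def refang(s: str) -> str:
    """Turn defanged IOCs (hxxp, [.]) back into matchable strings."""
    return (s.replace("[.]", ".")
             .replace("hxxps://", "https://")
             .replace("hxxp://", "http://"))


def host_matches(host: str, allowed: tuple) -> bool:
    """Exact or subdomain match, so 'evil-onedrive.live.com' does not match."""
    return any(host == h or host.endswith("." + h) for h in allowed)


def score_email(record: dict) -> list:
    """Return the campaign indicators present in one e-mail record, in order."""
    hits = []
    sender = refang(record.get("from", "")).lower()
    if sender.rsplit("@", 1)[-1] == SENDER_DOMAIN:
        hits.append("sender_domain")
    if SUBJECT_KEYWORD in record.get("subject", "").lower():
        hits.append("voicemail_subject")
    urls = [refang(u) for u in record.get("urls", [])]
    if any(host_matches((urlparse(u).hostname or "").lower(), ONEDRIVE_HOSTS) for u in urls):
        hits.append("onedrive_url")
    # File names seen with the mail plus the last path segment of each link.
    names = list(record.get("files", [])) + [urlparse(u).path.rsplit("/", 1)[-1] for u in urls]
    if any(n.lower().endswith(MACRO_DOC_EXT) for n in names):
        hits.append("macro_document")
    if any(LURE_NAME_RE.match(n) for n in names):
        hits.append("lure_name_pattern")
    return hits


def verdict(record: dict) -> str:
    """Known sender domain alone blocks; otherwise escalate on indicator count."""
    hits = score_email(record)
    if "sender_domain" in hits or len(hits) >= 3:
        return "block"
    if len(hits) == 2:
        return "review"
    return "allow"


# Constructed sample records (JSON lines, as a mail gateway might export them).
SAMPLE_LOG = """
{"from": "info@quarlesaa[.]com", "subject": "Voicemail February", "urls": ["hxxps://onedrive.live[.]com/download?id=ABC"], "files": ["ReleaseEvans#96.docm"]}
{"from": "hr@example.com", "subject": "Voicemail policy update", "urls": ["https://intranet.example.com/policy.pdf"], "files": []}
{"from": "alerts@pbx.example.com", "subject": "New voicemail", "urls": ["https://1drv.ms/u/s!xyz"], "files": ["MemoWest#12.docm"]}
{"from": "partner@example.org", "subject": "Q1 figures", "urls": ["https://evil-onedrive.live.com/x"], "files": ["figures.docx"]}
"""


def triage(log_text: str = SAMPLE_LOG) -> list:
    """Parse JSON lines and return (sender, verdict, indicators) per message."""
    out = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        out.append((rec["from"], verdict(rec), score_email(rec)))
    return out


if __name__ == "__main__":
    for sender, v, hits in triage():
        print(f"{v:6} {sender:28} {', '.join(hits) or '-'}")
```

The third sample record shows why the rule scores on the combination rather than on the literal sender: a new sender with a voicemail subject, a OneDrive link and a `Name#NN.docm` file still gets blocked, while the legitimate voicemail-policy mail and the look-alike `evil-onedrive.live.com` host do not.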