Bumblebee Malware Loader Has a Sting in the Tail

Researchers are warning of a new malware loader already in use in the wild that appears to have supplanted the prolific BazarLoader.

Dubbed “Bumblebee,” the malware is being used by multiple threat groups that previously deployed BazarLoader and IceID, according to Proofpoint. The vendor said it had not seen BazarLoader since February 2022.

“Bumblebee is a sophisticated downloader containing anti-virtualization checks and a unique implementation of common downloader capabilities, despite it being so early in the malware’s development,” Proofpoint said.

“Bumblebee’s objective is to download and execute additional payloads. Proofpoint researchers observed Bumblebee dropping Cobalt Strike, shellcode, Sliver and Meterpreter. The malware name comes from the unique user agent ‘bumblebee’ used in early campaigns.”

The malware itself has been linked to the Conti ransomware group, although it’s being used primarily by initial access brokers, according to the report.

It’s possible the development of Bumblebee was begun after BazarLoader infrastructure was identified in the vast trove of internal information on the Conti group leaked by a researcher earlier this year.

Proofpoint said it had observed several email campaigns run by at least three threat actors using customized lures to trick users into downloading Bumblebee. One of these used DocuSign-branded phishing emails and was traced back to TA579, which had previously used BazarLoader and IceID.

Researchers said there are also several similarities between the loader and the infamous TrickBot malware in terms of its code, how it is delivered, its payloads and evasion techniques.

As BazarLoader was used in Conti attacks in the past, Bumblebee is likely to become a popular tool for ransomware groups.

“The introduction of the Bumblebee loader to the crimeware threat landscape and its apparent replacement for BazarLoader demonstrates the flexibility threat actors have to quickly shift TTPs and adopt new malware,” warned Proofpoint VP of threat research and detection, Sherrod DeGrippo.

“Additionally, the malware is quite sophisticated, and demonstrates being in ongoing, active development, introducing new methods of evading detection.

Leave a Reply