Malware News Bumblebee malware returns after recent law enforcement disruption

Gandalf_The_Grey

Gandalf_The_Grey

Level 82
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,189
Content source
https://www.bleepingcomputer.com/news/security/bumblebee-malware-returns-after-recent-law-enforcement-disruption/
The Bumblebee malware loader has been spotted in new attacks recently, more than four months after Europol disrupted it during 'Operation Endgame' in May.

Believed to be the creation of TrickBot developers, the malware emerged in 2022 as a replacement for the BazarLoader backdoor to provide ransomware threat actors access to victim networks.

Bumblebee typically achieves infection via phishing, malvertising, and SEO poisoning that promoted various software (e.g. Zooom, Cisco AnyConnect, ChatGPT, and Citrix Workspace).

Among the payloads typically delivered by Bumblebee are Cobalt Strike beacons, information-stealing malware, and various ransomware strains.

In May, an international law enforcement operation codenamed 'Operation Endgame' seized over a hundred servers supporting the multiple malware loader operations, including IcedID, Pikabot, Trickbot, Bumblebee, Smokeloader, and SystemBC.

Ever since, Bumblebee went silent. However, researchers at cybersecurity company Netskope observed new Bumblebee activity tied to the malware, which could indicate a resurgence.
Click to expand...
The most recent Bumblebee attack chain starts with a phishing email that lures the victim to download a malicious ZIP archive.

The compressed file contains a .LNK shortcut named Report-41952.lnk, which triggers PowerShell to download a malicious .MSI file (y.msi) disguised as a legitimate NVIDIA driver update or Midjourney installer from a remote server.

The MSI file is then executed silently using msiexec.exe with the /qn option, which ensures that the process runs without any user interaction.

To avoid spawning new processes, which is noisier, the malware uses the SelfReg table within the MSI structure, which instructs msiexec.exe to load the DLL into its own address space and to invoke its DllRegisterServer function.

Once the DLL is loaded and executed, the malware's unpacking process begins, leading to the deployment of Bumblebee in memory.
Click to expand...
www.bleepingcomputer.com

Bumblebee malware returns after recent law enforcement disruption

The Bumblebee malware loader has been spotted in new attacks recently, more than four months after Europol disrupted it during 'Operation Endgame' in May.
www.bleepingcomputer.com www.bleepingcomputer.com
 
  • Like
Reactions: harlan4096

Similar threads

[correlate]
    • +Reputation
    • Like
Security News Bumblebee Malware Returns with New Tricks, Targeting U.S. Businesses
Replies
1
Views
1,014
Security News
Bot
Bot
nicolaasjan
    • Like
    • +Reputation
Security News Police take offline multiple botnets used in ransomware attacks
Replies
0
Views
1,804
Security News
nicolaasjan
nicolaasjan
Gandalf_The_Grey
    • +Reputation
    • Applause
    • Like
Security News Police arrest Conti and LockBit ransomware crypter specialist
Replies
0
Views
1,278
Security News
Gandalf_The_Grey
Gandalf_The_Grey

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top