Proofpoint Unveils Return of Bumblebee Malware

Proofpoint researchers detected the return of Bumblebee malware in the cybersecurity threat landscape on February 8, 2024, following a hiatus of four months. Bumblebee, renowned for its sophistication as a downloader, had been a favored payload for various cybercriminal threat actors since its emergence in March 2022 until its disappearance in October 2023. In this latest campaign observed by Proofpoint, a wave of emails was targeted at organizations in the United States, featuring a subject line of "Voicemail February" and purportedly sent from "info@quarlesaa[.]com." These emails contained OneDrive URLs leading to Word documents spoofing the consumer electronics company Humane. The documents utilized macros to initiate a script execution process, eventually leading to the download and execution of the Bumblebee DLL with PowerShell. The script created by the document resided in the temporary Windows directory.

This campaign showcases a departure from previous Bumblebee distribution methods, incorporating VBA macro-enabled documents in its attack chain—a method uncommon among cybercriminal threat actors in recent times particularly since Microsoft elected to block macros by default in 2022. "It is notable that the actor is using VBA macro-enabled documents in the attack chain, as most cybercriminal threat actors have nearly stopped using them, especially those delivering payloads that can act as initial access facilitators for follow-on ransomware activity," explains Proofpoint researchers. Additional differences in tactics included the delivery method forgoing HTML smuggling, and the absence of the use of WinRAR vulnerability, CVE-2023-38831. Emphasizing the rarity of the attack chain, Proofpoint shares that out "of the nearly 230 Bumblebee campaigns identified since March 2022, only five used any macro-laden content; four campaigns used XL4 macros, and one used VBA macros."

Despite the absence of explicit attribution, the campaign's characteristics bear resemblance to activities associated with threat actor TA579. Proofpoint emphasizes the potential threat posed by Bumblebee as an initial access facilitator for follow-on ransomware payloads, underlining the importance of robust cybersecurity measures in mitigating such risks. Furthermore, the resurgence of Bumblebee aligns with a broader trend of increased cybercriminal threat activity observed in the beginning months of 2024, characterized by the return of various threat actors and malware strains following temporary periods of dormancy. Previous reporting from Proofpoint, warns of activity from TA576 a threat actor who strikes during the tax season with specific lures targeting accountants and finance firms.