Hackers Deploy New Malware Loader Called "Bumblebee"

Researchers discovered a new malware loader being used in the wild. The tool is called "Bumblebee" and is associated with several different cybercriminal outfits.

The team that picked apart the new malware loader is with security firm Proofpoint. The team had been tracking several "crimeware threat outfits" that previously spread malware with two other loaders, "BazaLoader" and "IcedID". Now it seems the outfits that used BazaLoader have switched entirely to Bumblebee, as Proofpoint has not detected a single instance of the old tool since February 2022.

BazaLoader replaced by Bumblebee

Proofpoint's observations overlap with data collected by the Google Threat Analysis Group. According to the report, after BazaLoader disappeared from the online landscape in February, it was replaced by Bumblebee, with the first sightings of the new loader in the wild dating to March 2022.

The researchers believe Bumblebee is still being actively developed, but despite this, the loader already sports a number of advanced features. Those include advanced checks to dodge virtual sandboxes and original variations of commonly used downloader functionality.

Attack uses malicious archive and ISO file

Bumblebee is being used in malicious email campaigns. Lures include links urging the victim to "REVIEW THE DOCUMENT", with the email claiming an invoice is on the other end of the link. What is really on the other end is a disk image .iso file, zipped up in an archive file and hosted on OneDrive.

Opening the zip file reveals the .iso inside it. Opening the disk image in turn shows two files, both named "Attachment": one is a .lnk shortcut file, the other is a .dat file just over 2 megabytes in size.

If the shortcut file is executed, it loads up Bumblebee from the .dat file and deploys the loader.
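As an added defender-side example that is not part of the Proofpoint report, the following Python triage flags the delivery layout described above: an .iso member inside a zip, and, inside the mounted image, a .lnk shortcut paired with a large .dat file of the same name. It assumes the caller has already listed the files inside the mounted image (the standard library reads zips but not ISO 9660 images); the size threshold and the sample listing are constructed, not taken from the report.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Constructed threshold: the report only says the .dat payload was "just over
# 2 megabytes", so anything at or above 1 MiB is treated as a candidate payload.
MIN_PAYLOAD_BYTES = 1 * 1024 * 1024


def iso_members_in_zip(zip_bytes: bytes) -> list[str]:
    """Return the names of .iso members carried inside a zip archive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist()
                if PurePosixPath(n).suffix.lower() == ".iso"]


def lnk_dat_pairs(entries: list[tuple[str, int]]) -> list[tuple[str, str]]:
    """entries: (name, size) listing of a mounted image, supplied by the caller
    (assumption: produced by whatever ISO listing tool is in use).
    Returns (lnk_name, dat_name) pairs sharing a basename where the .dat is
    large enough to be a payload, i.e. the lure layout seen with Bumblebee."""
    by_stem: dict[str, dict[str, tuple[str, int]]] = {}
    for name, size in entries:
        p = PurePosixPath(name)
        by_stem.setdefault(p.stem.lower(), {})[p.suffix.lower()] = (name, size)
    hits = []
    for files in by_stem.values():
        if ".lnk" in files and ".dat" in files \
                and files[".dat"][1] >= MIN_PAYLOAD_BYTES:
            hits.append((files[".lnk"][0], files[".dat"][0]))
    return hits


def build_sample_zip() -> bytes:
    """Constructed sample: a zip carrying a dummy .iso member (not a real image)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Attachment.iso", b"NOT A REAL DISK IMAGE")
    return buf.getvalue()


# Constructed listing mirroring the layout described in the report.
SAMPLE_ISO_LISTING = [("Attachment.lnk", 1_234), ("Attachment.dat", 2_150_000)]

if __name__ == "__main__":
    print("iso members:", iso_members_in_zip(build_sample_zip()))
    print("lnk/dat pairs:", lnk_dat_pairs(SAMPLE_ISO_LISTING))
```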

Proofpoint believes the campaign currently using Bumblebee is run by the threat actor going by the handle TA579.

Several other similar campaigns were also observed: one used email thread hijacking, and another abused emails generated through the "Contact us" forms on websites. The delivery method was the same, with a differently named payload and, once again, a shortcut .lnk file.

According to Proofpoint, the loader can be used as a tool for gaining access to a network and delivering secondary payloads, including ransomware.

April 28, 2022