Recent AD News

Bumblebee: A new malware loader on the prowl

A recent report by Proofpoint has uncovered that attackers are using a new malware loader named Bumblebee. The threat actors involved were previously known for delivering the BazaLoader and IcedID loaders.

According to the write-up, Bumblebee is a sophisticated malware loader that has been active since March 2022, filling the gap left by BazaLoader's disappearance. Bumblebee also implements evasion techniques such as anti-virtualization checks.

The Bumblebee downloader's debut campaign involved "a DocuSign-branded email campaign with two alternate paths designed to lead the recipient to the download of a malicious ISO file." The same email also carried an HTML attachment with an embedded URL.

“The embedded URL in the HTML attachment used a redirect service which Proofpoint refers to as Cookie Reloaded, a URL redirect service which uses Prometheus TDS to filter downloads based on the time zone and cookies of the potential victim. The redirector in turn directed the user to a zipped ISO file, also hosted on OneDrive.”
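The delivery chain described above (an HTML attachment that sends the recipient through a redirector to a zipped ISO) is something a mail-gateway or SOC triage script can look for. The following is an added example written for this page, not Proofpoint's or anyone else's detection code: it parses an HTML attachment, pulls out the URLs it can navigate to (anchors, meta-refresh and JavaScript redirects), and flags attachments that either navigate automatically or point at a disk-image or archive download. The sample HTML, the `redirector.example` and `storage.example` hostnames, and the inclusion of `.img` alongside the `.iso` and `.zip` formats named in the report are all constructed assumptions for the example.

```python
import re
from dataclasses import dataclass, field

# Container formats: .iso and .zip come from the campaign description above;
# .img is an assumption, added as the same class of disk-image lure.
RISKY_EXTENSIONS = (".iso", ".img", ".zip")

# (label, pattern) pairs covering the ways an HTML attachment can send a
# recipient to a URL: a normal link, a meta refresh, or a script redirect.
URL_SOURCES = [
    ("anchor", re.compile(r'<a\b[^>]*\bhref\s*=\s*["\']([^"\']+)["\']', re.I)),
    ("meta-refresh", re.compile(
        r'<meta\b[^>]*content\s*=\s*["\']\s*\d+\s*;\s*url=([^"\']+)["\']', re.I)),
    ("js-redirect", re.compile(
        r'(?:window\.|document\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)),
]

# Sources that move the user without a click; an attachment that does this is
# behaving like a redirector rather than a document.
AUTO_NAVIGATE = {"meta-refresh", "js-redirect"}


@dataclass
class Finding:
    url: str
    source: str
    reasons: list[str] = field(default_factory=list)


def _path_of(url: str) -> str:
    """Return the lower-cased URL path with query string and fragment removed."""
    return url.split("?", 1)[0].split("#", 1)[0].lower()


def triage_html_attachment(html: str) -> list[Finding]:
    """Return one Finding per suspicious URL found in an HTML attachment."""
    findings: list[Finding] = []
    for source, pattern in URL_SOURCES:
        for match in pattern.finditer(html):
            url = match.group(1).strip()
            if not url.lower().startswith(("http://", "https://")):
                continue
            reasons = []
            if source in AUTO_NAVIGATE:
                reasons.append(f"attachment navigates automatically ({source})")
            if _path_of(url).endswith(RISKY_EXTENSIONS):
                reasons.append("target is a disk-image or archive download")
            if reasons:
                findings.append(Finding(url, source, reasons))
    return findings


def is_suspicious(html: str) -> bool:
    """True if the attachment should be held for review."""
    return bool(triage_html_attachment(html))


# Constructed sample attachment: a meta refresh to a redirector, a link to an
# archive, and a script redirect straight to an ISO. Hostnames are placeholders.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=https://redirector.example/r?id=abc123">
</head><body>
<p>Please review your document.</p>
<a href="https://storage.example/files/Invoice_2022.zip">Download</a>
<script>window.location.href = "https://storage.example/files/Contract.iso";</script>
</body></html>"""

if __name__ == "__main__":
    for finding in triage_html_attachment(SAMPLE_HTML):
        print(f"[{finding.source}] {finding.url}: {'; '.join(finding.reasons)}")
```

The checks are deliberately independent of any specific redirector or hosting domain: a legitimate OneDrive link is not suspicious on its own, but an HTML attachment that auto-navigates, or whose target is a container format rather than a page, is a property of the lure that survives infrastructure changes.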

The researchers observed that the multiple independent threat groups deploying the loader are receiving it from the same source. The developments surrounding Bumblebee have also coincided with the Conti leaks of February 2022, when a Ukrainian researcher blew the lid off the operations of the ransomware-as-a-service gang. Coincidentally, BazaLoader, whose operations ceased in February 2022, was identified in the leaked files.
