The Bumblebee loader is increasingly being used by threat actors linked to the IcedID, TrickBot, and BazarLoader malware families to infiltrate target networks and carry out post-exploitation operations.
“[We] observed threat actors transitioning from BazarLoader, Trickbot, and IcedID to Bumblebee, which seems to be in active development and generally the loader of choice for many threat actors,” the advisory reads.
The information was released on Thursday by the Cybereason Global Security Operations Center (GSOC) team in the form of a fresh advisory about Bumblebee.
According to Cybereason, the bulk of Bumblebee infections were initiated by end users running LNK files, which load the malware via a system binary.
Bumblebee operators reportedly carried out extensive reconnaissance after the initial compromise and redirected the output of their commands to files for later exfiltration.
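As an added example (not code from Cybereason or from the advisory), the following Python hunting heuristic covers the two behaviours described above as they would appear in process-creation telemetry: a system binary spawned directly by the Windows shell, which is what a user running an LNK looks like, and reconnaissance commands whose output is redirected to a file that can later be collected. The log lines, the list of abusable system binaries and the list of recon commands are all constructed assumptions for this example; the advisory does not name which binary or which commands the operators used.

```python
import re

# Assumed list of Windows system binaries commonly abused to load a payload.
# Illustrative only: the advisory does not say which binary Bumblebee's LNKs call.
LOLBINS = {"rundll32.exe", "regsvr32.exe", "odbcconf.exe", "mshta.exe",
           "wscript.exe", "cscript.exe", "msiexec.exe"}

# Assumed list of host/domain reconnaissance commands an operator runs before
# going after Active Directory. Also illustrative, not taken from the advisory.
RECON_CMDS = {"whoami", "net", "net1", "nltest", "ipconfig", "systeminfo",
              "tasklist", "quser", "nslookup", "arp", "route", "dsquery"}

# key=value records, values optionally double-quoted
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# `> path` or `>> path` where path is a drive-letter or UNC path
REDIRECT_RE = re.compile(r'>>?\s*"?((?:[A-Za-z]:\\|\\\\)[^\s"&|]+)')

# Constructed sample telemetry (Sysmon-style process creation, flattened to one
# line each). None of this is real data from the incident.
SAMPLE_LOG = [
    # benign: user opens a document from Explorer
    r'ts=2022-08-18T09:10:44Z user=CORP\jdoe parent=C:\Windows\explorer.exe image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" cmd="WINWORD.EXE /n C:\Users\jdoe\Documents\Q3.docx"',
    # benign: rundll32 launched by a service host, not by the shell
    r'ts=2022-08-18T09:11:02Z user=NT_AUTHORITY\SYSTEM parent=C:\Windows\System32\svchost.exe image=C:\Windows\System32\rundll32.exe cmd="rundll32.exe shell32.dll,Control_RunDLL"',
    # suspicious: the shell (i.e. a user double-clicking an LNK) spawns a system binary
    r'ts=2022-08-18T09:12:01Z user=CORP\jdoe parent=C:\Windows\explorer.exe image=C:\Windows\System32\rundll32.exe cmd="rundll32.exe C:\Users\jdoe\AppData\Local\Temp\stage.dll,Start"',
    # suspicious: recon output redirected to files
    r'ts=2022-08-18T09:15:30Z user=CORP\jdoe parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\cmd.exe cmd="cmd.exe /c nltest /dclist:corp.local > C:\ProgramData\dc.txt"',
    r'ts=2022-08-18T09:15:41Z user=CORP\jdoe parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\cmd.exe cmd="cmd.exe /c whoami /all >> C:\ProgramData\r.txt"',
    r'ts=2022-08-18T09:15:52Z user=CORP\jdoe parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\cmd.exe cmd="cmd.exe /c net localgroup administrators >> C:\ProgramData\r.txt"',
    # benign: redirection without any recon command
    r'ts=2022-08-18T09:20:00Z user=CORP\build parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\cmd.exe cmd="cmd.exe /c echo done > C:\Temp\build.log"',
]


def parse_event(line):
    """Parse one key=value record into a dict with surrounding quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def basename(path):
    """Lower-cased final path component, tolerant of both slash styles."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_shell_spawned_lolbin(ev):
    """True when explorer.exe (the process that runs an LNK) directly spawns a LOLBin."""
    return (basename(ev.get("parent", "")) == "explorer.exe"
            and basename(ev.get("image", "")) in LOLBINS)


def recon_output_path(ev):
    """Return the file a recon command's output was redirected to, or None."""
    cmd = ev.get("cmd", "")
    m = REDIRECT_RE.search(cmd)
    if not m:
        return None
    # only look at the command text before the redirection operator
    words = re.findall(r'[A-Za-z0-9_.\\:]+', cmd[:m.start()])
    names = set()
    for w in words:
        n = basename(w)
        names.add(n[:-4] if n.endswith(".exe") else n)
    return m.group(1) if names & RECON_CMDS else None


def triage(lines):
    """Run both heuristics over raw log lines.

    Returns the matching events plus the set of redirect targets, which is the
    list of files an incident responder would want to pull before they are
    exfiltrated or deleted.
    """
    findings = {"lnk_lolbin": [], "recon_to_file": [], "staging_paths": set()}
    for line in lines:
        ev = parse_event(line)
        if is_shell_spawned_lolbin(ev):
            findings["lnk_lolbin"].append(ev)
        path = recon_output_path(ev)
        if path:
            findings["recon_to_file"].append(ev)
            findings["staging_paths"].add(path)
    return findings


if __name__ == "__main__":
    f = triage(SAMPLE_LOG)
    for ev in f["lnk_lolbin"]:
        print("shell -> LOLBin:", ev["ts"], ev["user"], ev["cmd"])
    for ev in f["recon_to_file"]:
        print("recon to file: ", ev["ts"], ev["user"], ev["cmd"])
    print("collect:", sorted(f["staging_paths"]))
```

The explorer.exe parent check is deliberately narrow: it will miss an LNK that goes through cmd.exe or PowerShell first, and a real deployment would chain a second rule on those parents. The redirect regex ignores `2>&1` and pipe targets on purpose, so only paths that end up on disk are reported as collection candidates.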
“Distribution of the malware is done by phishing emails with an attachment or a link to the malicious archive containing Bumblebee,” wrote Cybereason researchers Meroujan Antonyan and Alon Laufer.
“The attackers compromised Active Directory and leveraged confidential data such as users’ logins and passwords for lateral movement,” read the technical write-up. “The time it took between initial access and Active Directory compromise was less than two days.”
Cybereason says Bumblebee should be treated as a serious threat because of how aggressive the attacks are.
“Based on GSOC findings, the next step for the threat actors is ransomware deployment, and this loader is known for ransomware delivery,” the advisory warned. For perspective, Google's Threat Analysis Group first identified the Bumblebee loader in March 2022. The name comes from the “Bumblebee” user agent string the malware uses when communicating with its command-and-control (C2) server.
Cybereason is not the only security research organisation to have noted the rise of Bumblebee and the way it is displacing other loaders, most notably BazarLoader: Proofpoint covered Bumblebee in a report first published in April.