At least three threat actors linked to ransomware campaigns are distributing the sophisticated Bumblebee malware loader.
Gangs previously observed delivering BazaLoader and IcedID have now switched to Bumblebee. According to researchers at Proofpoint, BazaLoader has not been seen for a couple of months.
BazaLoader, first identified in 2020, has been associated with ransomware groups, including Conti. It was primarily known for distributing the Trick banking trojan.
BazaLoader disappeared from the landscape after a Ukrainian researcher started publishing internal Conti data, including details of the group's infrastructure and its ties with BazaLoader.
Both BazaLoader and Bumblebee are built to gain access to vulnerable systems. Bumblebee is designed to download and execute additional payloads; it has been observed dropping Cobalt Strike, shellcode, Sliver, and Meterpreter.
"Proofpoint assesses with high confidence Bumblebee loader can be used as an initial access facilitator to deliver follow-on payloads such as ransomware. Based on the timing of its appearance in the threat landscape and use by multiple cybercriminal groups, it is likely Bumblebee is, if not a direct replacement for BazaLoader, then a new, multifunctional tool used by actors that historically favored other malware," researchers said.
At least three clusters of activity currently distribute Bumblebee. Campaigns identified by Proofpoint overlap with activity detailed in the Google Threat Analysis Group blog as leading to Conti and Diavol ransomware.
Google's report analyzes an initial access broker tracked as Exotic Lily, which appears to be working with the Russian cybercrime group Wizard Spider (FIN12). It also notes that Exotic Lily is closely linked with data exfiltration and the deployment of human-operated ransomware such as Conti and Diavol.
"Bumblebee is a sophisticated downloader containing anti-virtualization checks and a unique implementation of common downloader capabilities, despite it being so early in the malware's development," Proofpoint said.
Bumblebee is distributed in email campaigns by at least three tracked threat actors. For example, Proofpoint observed a DocuSign-branded email campaign that led recipients to download a malicious ISO file.
"While lures, delivery techniques, and file names are typically customized to the different threat actors distributing the campaigns, Proofpoint observed several commonalities across campaigns, such as the use of ISO files containing shortcut files and DLLs and a common DLL entry point used by multiple actors within the same week."