Bumblebee malware: on a buzz and back stinging

Bumblebee, a malware loader run by an as-yet unidentified cybercriminal gang, has returned to the malware scene with a campaign that targeted thousands of potential victims.

The research was unveiled on February 13th by cybersecurity analyst Proofpoint, which said it first spotted the malware’s return to the web the previous week. It was found in a faked Word document, pretending to be from a legitimate company, that served as the lure.

To date, Bumblebee has not been aligned with a known cybercriminal group, but Proofpoint describes the malicious software as a “sophisticated downloader used by multiple cybercriminal threat actors” that it first observed in March 2022 and tracked until it mysteriously vanished last October.

But now it would appear that whatever gang was responsible for Bumblebee is back stinging. Proofpoint said that it recently observed several thousand emails with a Word document attached being sent to organizations in the US, under the subject heading “Voicemail February.”

Copy of the email lure, titled “Voicemail February,” sent to targets by the threat actors behind Bumblebee malware

The document was disguised as a communication from the legitimate consumer electronics firm Humane, but in fact was crafted by the Bumblebee gang and contained a payload of malware.

The infected document used macros to create a script in a temporary Windows directory and drop a file containing a hostile program that downloads and activates the Bumblebee malware on the targeted machine.
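The chain described above (an Office document's macro writing a script into a temporary directory and launching it) leaves a recognisable footprint in process-creation telemetry: an Office application as the parent of a script host whose command line points into a temp folder. The following is an added detection example written for this article; it is not Proofpoint's code and contains no real Bumblebee indicators. The event records are constructed sample data in a Sysmon-like shape, and the field names, the `ProcessEvent` class and the `hunt` function are this example's own assumptions, not any vendor's schema.

```python
"""Flag Office-spawned script hosts running content from a temp directory.

All events below are CONSTRUCTED samples modelled on a process-creation
record (parent image, image, command line). They are not real telemetry and
the file names are placeholders, not Bumblebee indicators."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Parents that should rarely, if ever, launch a script interpreter directly.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Interpreters and LOLBins a macro typically hands the dropped script to.
SCRIPT_HOSTS = {
    "wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe",
    "cmd.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
}

# Temp locations where a macro can write without elevated rights.
TEMP_DIR_RE = re.compile(
    r"(\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|%TEMP%|%TMP%)", re.IGNORECASE
)


@dataclass
class ProcessEvent:
    record_id: int
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Return the lower-cased file name component of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcessEvent) -> Optional[str]:
    """Return a severity ('high' or 'medium') for a suspicious event, else None.

    high   : Office parent -> script host whose command line references a temp dir
    medium : Office parent -> script host with no temp-dir reference
    """
    if basename(ev.parent_image) not in OFFICE_PARENTS:
        return None
    if basename(ev.image) not in SCRIPT_HOSTS:
        return None  # e.g. print spooler helpers spawned by Word are expected
    if TEMP_DIR_RE.search(ev.command_line):
        return "high"
    return "medium"


def hunt(events: List[ProcessEvent]) -> List[Tuple[int, str]]:
    """Run classify() over a batch and return (record_id, severity) hits."""
    hits = []
    for ev in events:
        severity = classify(ev)
        if severity is not None:
            hits.append((ev.record_id, severity))
    return hits


# Constructed sample batch: one benign document open, one macro-style script
# launch from a temp folder, one benign Word child process, one Office-spawned
# PowerShell without a temp-dir argument.
SAMPLE_EVENTS = [
    ProcessEvent(1, r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\Voicemail February.docx"'),
    ProcessEvent(2, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\wscript.exe",
                 r'"C:\Windows\System32\wscript.exe" //B "C:\Users\alice\AppData\Local\Temp\stage.vbs"'),
    ProcessEvent(3, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
    ProcessEvent(4, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -NoProfile -Command Get-Date"),
]

if __name__ == "__main__":
    for record_id, severity in hunt(SAMPLE_EVENTS):
        print(f"record {record_id}: {severity}")
```

The rule deliberately keys on the parent/child relationship rather than on any file name, because a loader's dropped script name changes from campaign to campaign while "Word launched a script interpreter" does not. Tuning for a real estate would mean adding known-good children (add-ins, update helpers) to an allow list rather than loosening the script-host set.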

Proofpoint was initially somewhat light on details as to what specific criminal purposes the malware can be put to once installed, but has said it “assesses with high confidence that Bumblebee loader can be used as an initial access facilitator to deliver follow-on payloads such as ransomware.”

When asked to clarify further, a spokesperson told Cybernews: “Bumblebee is a sophisticated downloader containing anti-virtualization checks and a unique implementation of common downloader capabilities.”

Proofpoint added that it believes Bumblebee is intended as a precursor to follow-up cyberattacks.

“Bumblebee’s objective is to download and execute additional payloads,” a spokesperson told Cybernews. “Proofpoint researchers have previously observed Bumblebee dropping Cobalt Strike, shellcode, and Sliver among other malware.”

Proofpoint says it managed to intercept all the attempts it detected to deploy Bumblebee against victims, but warns that similar campaigns are likely to ramp up as the year continues.

NB: This article was amended at around 10.00 ET to add further quotes from a Proofpoint spokesperson.
