Introduction
BumbleBee is a fairly new malware loader that targets Windows computers. The initial discovery occurred in March 2022, marking a full year since its emergence. In this blog post, we’ll summarize BumbleBee’s activities, features, and important points based on the research published over the past year.
Getting a handle on the BumbleBee loader is vital in today’s ever-changing threat landscape: it has emerged as a significant threat, playing a starring role in several high-profile attacks against diverse organizations, from financial institutions to government agencies. This loader is no slouch when it comes to deploying extra payloads and pulling off anti-analysis tricks, showcasing the growing sophistication and complexity of today’s cyber shenanigans. With malspam campaigns and spear phishing attacks as its primary modes of entry, BumbleBee poses a real threat to countless organizations.
From Humble Beginnings to High-Profile Cyber Attacks
When it first appeared, BumbleBee was still under active development. Ongoing work added new features, and the latest version of the loader can download additional code and uses numerous evasion techniques to hinder both manual and dynamic analysis. Since then, some well-known threat actors have started using BumbleBee in their attacks: Google’s Threat Analysis Group (TAG) found that BumbleBee was first used by a very busy group of cybercriminals called EXOTIC LILY. This group acts as an initial access broker, obtaining access to computer systems for other criminals, and is thought to be working with WIZARD SPIDER, the group behind the Conti/Trickbot/Diavol malware.
It looks like BumbleBee has taken the place of BazaLoader, another famous malware loader that criminals once used heavily. Proofpoint reported that BazaLoader hasn’t shown up in any cyberattacks since February 2022. This supports the idea that BumbleBee has taken the reins from BazaLoader.
According to IBM X-Force researchers, BumbleBee has been found to be in cahoots with the Ramnit banking trojan, a seasoned troublemaker dating back to 2010. The two malware families are believed to be associated as there are multiple code and behavioral similarities between the two, such as near-identical target lists for code injections and how hooking and unhooking techniques are implemented.
As of February 2023, BumbleBee’s evolution persists, further enhancing its ability to protect itself from detection and resist automated malware analysis.
Crafty Attack Vectors Uncovered
According to Google TAG’s analysis, the bad actors behind BumbleBee throw in a hefty dose of human touch to up their chances of success with spear phishing emails. They’ve even started riding the wave of interest in ChatGPT to get their foot in the door. The threat actors have been observed using popular file-sharing services like OneDrive, TransferNow, and WeTransfer to deliver their payload to victims. The attackers reel in their prey by engaging in persistent chit-chat and posing as legitimate business proposals, all while skillfully weaving their web of social engineering.
Another observation is that these threat actors often send malicious ISO files as email attachments or links, duping victims into downloading their payloads. These ISO files hold Windows shortcuts (LNK files) and DLLs; the shortcut invokes rundll32.exe to load the DLL and unleash the BumbleBee loader. Of note, BumbleBee has followed in the footsteps of QBot by incorporating malicious ISO files into its delivery chain, making it one of the earliest malware families after QBot to adopt this tactic.
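The ISO-to-LNK-to-rundll32 chain above leaves a recognisable trace in process-creation telemetry: rundll32.exe loading a DLL from a freshly mounted drive letter or from a user-writable folder rather than from a system directory. The following script is an added example, not code from the original post or from any of the cited reports; it runs a simple heuristic over constructed sample log lines written in a simplified Sysmon Event ID 1 layout. The drive letter, path prefixes, and field names are assumptions for the illustration, and in production you would enrich the DLL path with mount-point data rather than treating every non-C: drive as suspect.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample events in a simplified Sysmon Event ID 1 (process creation)
# layout: "Key: value | Key: value". These are not real telemetry.
SAMPLE_EVENTS = [
    r"Image: C:\Windows\System32\rundll32.exe | CommandLine: rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL | ParentImage: C:\Windows\explorer.exe",
    r"Image: C:\Windows\System32\rundll32.exe | CommandLine: rundll32.exe E:\documents.dll,EntryPoint | ParentImage: C:\Windows\explorer.exe",
    r"Image: C:\Windows\System32\rundll32.exe | CommandLine: rundll32.exe C:\Users\alice\AppData\Local\Temp\update.dll,Start | ParentImage: C:\Windows\System32\cmd.exe",
    r"Image: C:\Program Files\App\app.exe | CommandLine: app.exe --run | ParentImage: C:\Windows\explorer.exe",
]

SYSTEM_DRIVE = "c:"  # assumption: Windows is installed on C:, so other letters are removable/mounted media
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")

# Pulls the DLL path out of "rundll32.exe <path>,<export>" (optionally quoted).
RUNDLL32_DLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?\.dll)"?\s*,', re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Split one 'Key: value | Key: value' line into a field dictionary."""
    fields: Dict[str, str] = {}
    for part in line.split(" | "):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def rundll32_dll_path(cmdline: str) -> Optional[str]:
    """Return the DLL that a rundll32 command line loads, or None if it cannot be parsed."""
    m = RUNDLL32_DLL_RE.search(cmdline)
    return m.group(1) if m else None


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a reason string when the event is a suspicious rundll32 DLL load, else None."""
    image = event.get("Image", "").lower()
    if not image.endswith("\\rundll32.exe"):
        return None
    dll = rundll32_dll_path(event.get("CommandLine", ""))
    if dll is None:
        return None
    d = dll.lower()
    if not d.startswith(SYSTEM_DRIVE):
        return f"non-system drive (possible mounted ISO): {dll}"
    if any(marker in d for marker in USER_WRITABLE_MARKERS):
        return f"user-writable path: {dll}"
    if d.startswith(TRUSTED_PREFIXES):
        return None
    return f"unusual path: {dll}"


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Run the heuristic over every line and collect (line index, reason) findings."""
    findings: List[Tuple[int, str]] = []
    for idx, line in enumerate(lines):
        reason = classify(parse_event(line))
        if reason is not None:
            findings.append((idx, reason))
    return findings


if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_EVENTS):
        print(f"event {idx}: rundll32 loading DLL from {reason}")
```

Events 1 and 2 are flagged (DLL on E: and DLL in a Temp folder), while the shell32.dll control-panel launch from System32 and the unrelated app.exe event pass. Pairing this with a mount event for the ISO (Windows logs these when a user double-clicks the image) turns a noisy heuristic into a much tighter rule.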
Flying under the radar
Once BumbleBee breaches its target, it runs anti-analysis checks to detect and evade virtual environments such as sandboxes. Much of the code behind these checks is ripped straight from the open-source Al-Khaser project. One ace up BumbleBee’s sleeve is a technique called “hook evasion,” which involves modifying the native system functions that security software relies on. By tweaking these functions, BumbleBee can sidestep the anti-malware tools that count on hooking to observe and intercept system calls. The loader’s endgame is to stay stealthy and fly under the radar within the target system, so that it can safely deliver and execute its wicked payloads without tripping security alerts. On top of hook evasion, the malware also turns to “software packing,” a method of compressing or encrypting an executable. Packing alters the file’s bytes, and with them its signature, aiming to outsmart signature-based detection methods.
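Packing changes the bytes on disk, but it also leaves a statistical fingerprint: compressed or encrypted sections have near-maximal byte entropy, which is why entropy per section is a standard first triage step for a suspected packed sample. The script below is an added example, not code from the original post or from any of the cited analyses. It parses the section table of a PE file directly (no third-party library), computes Shannon entropy per section, and reports executable sections above a threshold. Since no real BumbleBee sample belongs on this page, it assembles a constructed two-section PE in memory: the section names, sizes, threshold of 7.0 bits and the zeroed optional header are assumptions for the illustration, and the file is not executable.

```python
import math
import struct
from collections import Counter
from typing import Dict, List, Tuple

FILE_ALIGNMENT = 0x200
SECTION_ALIGNMENT = 0x1000
OPTIONAL_HEADER_SIZE = 240        # size of a PE32+ optional header; left zeroed in the sample
SECTION_HEADER_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes
IMAGE_SCN_MEM_EXECUTE = 0x20000000
# Characteristics of a typical code section: CNT_CODE | MEM_EXECUTE | MEM_READ
CODE_SECTION = 0x00000020 | 0x20000000 | 0x40000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a single repeated value, 8.0 for a flat byte histogram."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> List[Dict]:
    """Walk DOS header -> PE signature -> COFF header -> section table of an on-disk PE."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        (name, _vsize, _vaddr, raw_size, raw_ptr, _, _, _, _, chars) = struct.unpack_from(
            SECTION_HEADER_FMT, pe, table + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "raw_size": raw_size,
            "entropy": shannon_entropy(raw),
            "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
        })
    return sections


def packed_sections(pe: bytes, threshold: float = 7.0) -> List[str]:
    """Names of executable sections whose raw bytes look compressed or encrypted."""
    return [s["name"] for s in parse_sections(pe)
            if s["executable"] and s["raw_size"] and s["entropy"] >= threshold]


def _align(value: int, alignment: int) -> int:
    return (value + alignment - 1) // alignment * alignment


def build_sample_pe(sections: List[Tuple[bytes, bytes, int]]) -> bytes:
    """Assemble a minimal, non-runnable PE from (name, raw data, characteristics) tuples."""
    header_end = 64 + 4 + 20 + OPTIONAL_HEADER_SIZE + 40 * len(sections)
    first_raw = _align(header_end, FILE_ALIGNMENT)
    headers, body, vaddr = [], b"", SECTION_ALIGNMENT
    for name, data, chars in sections:
        raw_size = _align(len(data), FILE_ALIGNMENT)
        headers.append(struct.pack(SECTION_HEADER_FMT, name.ljust(8, b"\0"), len(data), vaddr,
                                   raw_size, first_raw + len(body), 0, 0, 0, 0, chars))
        body += data.ljust(raw_size, b"\0")
        vaddr += _align(len(data), SECTION_ALIGNMENT)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, OPTIONAL_HEADER_SIZE, 0x0022)
    image = dos + b"PE\0\0" + coff + b"\0" * OPTIONAL_HEADER_SIZE + b"".join(headers)
    return image.ljust(first_raw, b"\0") + body


# Constructed sample: a low-entropy code section beside a high-entropy one that mimics
# what a packer leaves behind (a flat 0..255 byte histogram, not real code).
SAMPLE_PE = build_sample_pe([
    (b".text", b"\x00" * 3000 + b"\x90" * 1096, CODE_SECTION),
    (b".packed", bytes(range(256)) * 16, CODE_SECTION),
])

if __name__ == "__main__":
    for s in parse_sections(SAMPLE_PE):
        print(f"{s['name']:<8} size={s['raw_size']:5d} exec={s['executable']} entropy={s['entropy']:.2f}")
    print("high-entropy executable sections:", packed_sections(SAMPLE_PE))
```

Entropy is a triage signal, not a verdict: legitimately compressed resources, embedded certificates and installers also score high, so the output is best used to decide which samples deserve unpacking and deeper analysis. Hook evasion, by contrast, happens in memory at run time and is invisible to file-level triage like this; detecting it requires process-memory integrity checks by the endpoint agent.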
After clearing the anti-analysis hurdles, the malware is ready to roll up its sleeves and get down to business: deploying the necessary payloads. Over the past year, BumbleBee has been spotted dropping payloads such as Cobalt Strike, Meterpreter, Sliver, and raw shellcode.
Head over to our Threat Feed to dive deep into a BumbleBee sample analysis report.
Wrapping up
We’re only a year into research on the BumbleBee loader, and while information remains scarce, there are indications that it continues to undergo significant development. To delve deeper into its evolution, we invite you to join us at the FIRST Conference this summer: https://www.first.org/conference/2023/program#pBusy-Bees-The-Transformation-of-BumbleBee
References
https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/
https://www.proofpoint.com/us/blog/threat-insight/BumbleBee-is-still-transforming
https://twitter.com/Max_Mal_/status/1636365857726296065?s=20
https://www.vmray.com/analyses/_mb/51bb71bd446b/report/overview.html