The Bumblebee loader is increasingly being used by hackers linked to the IcedID, TrickBot, and BazarLoader malware to infiltrate target networks and carry out additional post-exploitation operations.
When Google's Threat Analysis Group (TAG) exposed the actions of an initial access broker named Exotic Lily with connections to the TrickBot and the bigger Conti collectives in March 2022, Bumblebee initially came to light.
What is Bumblebee?
Researchers discovered that Bumblebee is a successor for the malware known as BazarLoader, which previously distributed the Conti ransomware.
Spam emails are where the Bumblebee virus first appears. The malicious Dynamic Link Library (DLL) file is finally dropped by the ISO file that can be downloaded using the link in this email. On the victim's computer, the DLL file continues to load Bumblebee's ultimate payload.
An identical replica of the data found on an optical disc, such as a CD or DVD, is stored in an archive file called an ISO file. They are primarily employed to distribute huge file sets intended for burning onto optical discs or backup optical discs.
Analysis by experts
According to Cybereason, most Bumblebee infections were initiated by end users executing LNK files, which load the malware via a system binary.
As per experts from Cybereason Meroujan Antonyan and Alon Laufer, "the virus is distributed by phishing emails with an attachment or a link to the malicious archive containing Bumblebee."
Bumblebee operators apparently did extensive surveillance after system compromise and diverted command execution output to files for exfiltration.
The loader is launched using the command found in the LNK file, which serves as a conduit for subsequent steps including persistence, privilege escalation, reconnaissance, and data theft.
After attaining elevated access to infected endpoints, the threat actor also uses the Cobalt Strike adversary simulation framework to move laterally throughout the network. By deploying AnyDesk remote desktop software, persistence is achieved.
The technical report stated that the hackers 'disrupted Active Directory and used confidential data such as users' logins and passwords for lateral movement. Less than two days passed between the initial access and the compromising of Active Directory.
Cybereason asserts that Bumblebee needs to be handled as a serious threat due to the attack's proactivity.
