Hackers Deploy Bumblebee Loader to Breach Target Networks
Threat actors associated with BazarLoader, TrickBot and IcedID malware are now increasingly deploying the loader known as Bumblebee to breach target networks and subsequently conduct post-exploitation activities.
The news comes from the Cybereason Global Security Operations Center (GSOC) team, who published a new advisory about Bumblebee on Thursday.
“[We] observed threat actors transitioning from BazarLoader, Trickbot, and IcedID to Bumblebee, which seems to be in active development and generally the loader of choice for many threat actors,” read the document.
The majority of the Bumblebee infections spotted by Cybereason reportedly started with end users executing LNK (Windows shortcut) files, which in turn invoke a legitimate system binary to load the malware, rather than dropping a standalone executable.
“Distribution of the malware is done by phishing emails with an attachment or a link to the malicious archive containing Bumblebee,” wrote Cybereason researchers Meroujan Antonyan and Alon Laufer.
Once inside a system, Bumblebee operators reportedly carried out intensive reconnaissance and redirected the output of the commands they ran into files, staging the results for later exfiltration.
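The two behaviours described above (a shortcut launching a system binary to load the payload, and reconnaissance output redirected into files) are both visible in process-creation telemetry. The following detection sketch is an added example written for this article, not code from Cybereason or its advisory; the lists of abused system binaries, user-writable directories and discovery commands, the event field names, and the sample events are all assumptions chosen to illustrate the pattern, not indicators from the report.

```python
"""Detection sketch for the two Bumblebee behaviours described above.

Runs over process-creation events (Sysmon event 1 / Windows 4688 style) and
flags (1) a shortcut-style launch: explorer.exe spawning a living-off-the-land
system binary that loads a file from a user-writable location, and (2) a shell
running a discovery command and redirecting its output into a file.
Binary names, directories and the recon command list are assumptions about
what is typical, not taken from the Cybereason advisory.
"""
import re
from collections import defaultdict

# Assumption: system binaries commonly abused by shortcuts to load a DLL or script.
LOLBINS = {"rundll32.exe", "odbcconf.exe", "regsvr32.exe", "control.exe", "mshta.exe"}
# Assumption: user-writable locations where a phished archive would be extracted.
USER_WRITABLE = re.compile(r"\\(users|programdata|temp|windows\\temp)\\", re.I)
# Assumption: discovery commands commonly seen during hands-on-keyboard recon.
RECON = re.compile(r"\b(?:whoami|net1?|nltest|ipconfig|systeminfo|tasklist|"
                   r"nslookup|adfind|dsquery|ping|arp)\b", re.I)
# cmd/PowerShell output redirection (">" or ">>") followed by a target path.
REDIRECT = re.compile(r"\s>>?\s*\S+")


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_lnk_lolbin(ev: dict) -> bool:
    """Rule 1: explorer.exe (which executes LNK files) spawning a LOLBin whose
    command line references a user-writable path: the LNK -> system binary ->
    payload chain."""
    return (basename(ev["parent"]) == "explorer.exe"
            and basename(ev["image"]) in LOLBINS
            and bool(USER_WRITABLE.search(ev["cmdline"])))


def detect_recon_to_file(ev: dict) -> bool:
    """Rule 2: a shell running a discovery command with its output redirected
    to a file (staging for exfiltration)."""
    return (basename(ev["image"]) in {"cmd.exe", "powershell.exe"}
            and bool(RECON.search(ev["cmdline"]))
            and bool(REDIRECT.search(ev["cmdline"])))


def analyze(events):
    """Return {host: {"rules": [...], "escalate": bool}}. A host that trips
    both rules matches the loader-then-recon sequence and is escalated."""
    hits = defaultdict(set)
    for ev in events:
        if detect_lnk_lolbin(ev):
            hits[ev["host"]].add("lnk_lolbin_load")
        if detect_recon_to_file(ev):
            hits[ev["host"]].add("recon_output_to_file")
    return {h: {"rules": sorted(r), "escalate": len(r) == 2} for h, r in hits.items()}


# Constructed sample telemetry for illustration; not real events.
SAMPLE_EVENTS = [
    {"host": "WS01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\docs\x.dll,Init"},
    {"host": "WS01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c nltest /dclist: > C:\ProgramData\out.txt"},
    # Benign: explorer launching rundll32 for a Control Panel applet, no user path.
    {"host": "WS02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    # Benign: a redirect with no discovery command.
    {"host": "WS03", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c echo hello > C:\ProgramData\out.txt"},
]

if __name__ == "__main__":
    for host, result in analyze(SAMPLE_EVENTS).items():
        print(host, result)
```

Either rule alone will produce noise on a busy fleet (legitimate shortcuts do call rundll32, and administrators do redirect `net` output); correlating the two on the same host in a short window is what makes the alert actionable, and the escalation flag is where that correlation would hook into a SOC workflow.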
“The attackers compromised Active Directory and leveraged confidential data such as users’ logins and passwords for lateral movement,” read the technical write-up. “The time it took between initial access and Active Directory compromise was less than two days.”
Given the speed and aggressiveness of the intrusion, Cybereason says Bumblebee must be treated as a critical threat.
“Based on GSOC findings, the next step for the threat actors is ransomware deployment, and this loader is known for ransomware delivery,” warned the advisory.
For context, the Bumblebee malware loader was first documented by Google's Threat Analysis Group (TAG) in March 2022. It takes its name from the "bumblebee" User-Agent string it uses when communicating with its command-and-control (C2) server.
Cybereason is not the first security research group to notice the surge in Bumblebee attacks and the loader's displacement of others, particularly BazarLoader. Proofpoint released the first advisory addressing Bumblebee in April.