Bumblebee malware emerges as replacement to Conti gang’s BazalLoader

Researchers on Thursday reported that a new downloader called Bumblebee traced to the Conti ransomware gang with reportedly strong ties to Russia has replaced BazalLoader.

In a blog post, Proofpoint researchers said they had not detected BazalLoader in their threat research since February 2022. The researchers said Bumblebee acts as a sophisticated downloader that contains anti-virtualization checks and a unique implementation of common downloader capabilities despite it being so early in the malware’s development.

The researchers said they observed Bumblebee dropping Cobalt Strike, shellcode, Sliver and Meterpreter. The malware name comes from the unique user-agent “bumblebee” used in early campaigns. Proofpoint said Bumblebee’s aims to download and execute additional ransomware payloads.

The Conti Leaks pulled the curtains back and exposed the Conti ransomware syndicate’s library of techniques, tactics, and procedures, which likely included information about their use of the BazaLoader malware, said Nicole Hoffman, senior cyber threat intelligence analyst at Digital Shadows. Hoffman said It’s no surprise to see a new tool — in this case the BumbleBee loader — emerging to take its place.

“Due to Conti Leaks, we may continue to see new techniques and potentially more tools surface in the cyber threat landscape,” Hoffman said. “This is significant because even after an intrusive leak, Conti operations have continued, and the group remains one of the most active and pernicious ransomware groups.”

Jason Hicks, Field CISO and executive advisor at Coalfire, said the use of an APC injection versus DLL injection would potentially make this malware somewhat harder to detect from an anti-malware/EDR prospective. Hicks said to detect something like this, the tools are using some combination of machine learning, and in some cases, artificial intelligence.

“If most of the models are trained to detect DLL injection and not APC injection, it may decrease the detection accuracy rate,” Hicks said. “As this becomes more prevalent, I’d expect the tools to start detecting both of these methods with equal frequency. Relying on traditional signature based AV would not be a good way to protect your firm from these kinds of attacks.”

Saryu Nayyar, founder and CEO and of Gurucul, said Proofpoint’s research shows how threat actors use multiple techniques, but also vary their techniques to not only compromise organizations, but also evade most SIEM and XDR platforms.

“While most SIEM and XDR solutions already lack the necessary analytics across numerous data sources, the real issue is that they rely on rule-based machine learning models that are fixed and unable to adapt to threat actor’s varying techniques and tools,” Nayyar said. “This allows attackers to easily deliver malicious payloads once they have gained initial entry into the network, most often via a phishing attack.”