Hackers Deploy Bumblebee Loader to Breach Target Networks

Threat actors associated with BazarLoader, TrickBot and IcedID malware are now increasingly deploying the loader known as Bumblebee to breach target networks and subsequently conduct post-exploitation activities.
The news comes from the Cybereason Global Security Operations Center (GSOC) team, which published a new advisory about Bumblebee on Thursday.
“[We] observed threat actors transitioning from BazarLoader, Trickbot, and IcedID to Bumblebee, which seems to be in active development and generally the loader of choice for many threat actors,” read the document.
The majority of the Bumblebee infections spotted by Cybereason reportedly started with end users executing LNK files that use a system binary to load the malware.
“Distribution of the malware is done by phishing emails with an attachment or a link to the malicious archive containing Bumblebee,” wrote Cybereason researchers Meroujan Antonyan and Alon Laufer.
After infiltrating a system, Bumblebee operators then reportedly conducted intensive reconnaissance activities and redirected the output of executed commands to files for exfiltration.
“The attackers compromised Active Directory and leveraged confidential data such as users’ logins and passwords for lateral movement,” read the technical write-up. “The time it took between initial access and Active Directory compromise was less than two days.”
According to Cybereason, because of the aggressiveness of the attack, Bumblebee must be treated as a critical threat.
“Based on GSOC findings, the next step for the threat actors is ransomware deployment, and this loader is known for ransomware delivery,” warned the advisory.
For context, the Bumblebee malware loader was first discovered by Google Threat Analysis Group in March 2022. It owes the name to its user agent, dubbed ‘Bumblebee,’ which is used as part of the communication with the command and control server (C2).
Cybereason is not the first security research group to notice the surge of Bumblebee attacks and how the malware loader is replacing others, particularly BazarLoader. In fact, Proofpoint released an advisory first addressing Bumblebee in April.