Notorious Bumblebee Malware Re-emerges with New Attack Methods

The Bumblebee malware, known for its role as an initial access broker facilitating the download and execution of additional payloads like Cobalt Strike and Meterpreter, has made a comeback with fresh tactics after a period of dormancy. Proofpoint researchers observed a significant shift in the attack chain, diverging from previous Bumblebee patterns. This resurgence coincides with the return of various notorious threat actors who had gone quiet for a time, suggesting a renewed wave of cyber threats in early 2024 after a winter lull.

During its active period from March 2022 to October 2023, Bumblebee was a preferred tool for multiple threat actors, featuring in 230 campaigns identified by Proofpoint. These campaigns often employed creative distribution methods, such as trojanizing popular software tools like Zoom and Cisco AnyConnect, as reported by Secureworks in April 2023.

In the recent campaign observed this month, Bumblebee utilized social engineering tactics, sending thousands of emails from a spoofed address with OneDrive URLs leading to Word documents disguised as voicemail messages. These documents contained macros that executed scripts in the Windows temporary directory, ultimately downloading and running the Bumblebee DLL from a remote server.
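The chain described above, expressed as detection logic over process-creation telemetry, as an added example that is not code from the report or from Proofpoint: an Office application spawning a script host that runs a script from a Temp directory, which in turn launches rundll32 to load a DLL. The event format, process names, paths and sample events are all constructed assumptions.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample process-creation events (not taken from the report).
# Chain: WINWORD.EXE -> wscript.exe (script in Temp) -> rundll32.exe (DLL load),
# plus a benign rundll32 launched from explorer.exe as a control case.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"pid": "4100", "ppid": "1", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\voicemail_1234.docm"'},
    {"pid": "4188", "ppid": "4100", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\alice\AppData\Local\Temp\update.vbs"},
    {"pid": "4202", "ppid": "4188", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\setup.dll,Start"},
    {"pid": "5000", "ppid": "1", "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": "5010", "ppid": "5000", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe")
# Windows temporary directories commonly written to by macro droppers (assumed paths).
TEMP_PATH = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_office_macro_chains(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert per rundll32 whose parent is a script host running a
    script from a Temp directory and whose grandparent is an Office application."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in by_pid.values():
        if _basename(e["image"]) != "rundll32.exe":
            continue
        script = by_pid.get(e["ppid"])
        if not script or _basename(script["image"]) not in SCRIPT_HOSTS:
            continue
        if not TEMP_PATH.search(script["cmdline"]):
            continue  # script host not running from a Temp directory
        office = by_pid.get(script["ppid"])
        if not office or _basename(office["image"]) not in OFFICE_APPS:
            continue
        alerts.append({"office_pid": office["pid"], "script_pid": script["pid"],
                       "rundll32_pid": e["pid"], "dll_cmdline": e["cmdline"]})
    return alerts


if __name__ == "__main__":
    for alert in find_office_macro_chains(SAMPLE_EVENTS):
        print("suspected macro-to-DLL chain:", alert)
```

The three-level ancestry check keeps the benign rundll32 under explorer.exe silent while still surfacing the document-to-DLL chain; a deployment would swap the constructed list for Sysmon Event ID 1 or EDR process events.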

Analyst Comments:
What’s notable about this new campaign is the use of VBA macro-enabled documents in the attack chain, a departure from the trend where most threat actors have moved away from VBA documents. While Proofpoint hasn’t attributed the campaign to a specific threat actor, some techniques used align with past activities of groups like TA579.

Suggested Corrections:
Researchers at Proofpoint have published IOCs that can be used to detect and defend against the Bumblebee malware: