After Operation Endgame: Bumblebee malware in circulation again

Four months after the large-scale takedown of various botnets by the authorities, the Bumblebee malware is apparently being used in attacks again.


The Bumblebee malware had disappeared from the scene after Operation Endgame. Now it has reappeared.

(Image: solarseven/Shutterstock.com)


In May, a large-scale joint operation by security authorities in several countries took the Bumblebee botnets offline, and the malware disappeared from the scene for the time being. Now it has apparently reappeared, according to security researchers from Netskope.

The Bumblebee infection discovered by Netskope presumably begins with a phishing email containing a ZIP file that holds an LNK file called "Report-41952.lnk". As soon as the LNK file is executed, it starts the attack chain and loads the malicious code directly from the network into memory. In the samples analyzed by the researchers, the payload was disguised as an installation program from Midjourney or Nvidia. Because it avoids creating new processes, this new version of the malware is even less conspicuous, according to the researchers. The researchers have published a list of Indicators of Compromise (IoCs) on GitHub, which can be used to check whether your own systems have been infected.


The malware named after the friendly insect was first spotted by Google's Threat Analysis Group (TAG) in March 2022 and used the string "Bumblebee" as part of the user agent in the referrer. At that time, IT security experts noticed for the first time that cybercriminals who had previously relied mainly on another malware called BazarLoader, or alternatively IcedID, had frequently switched to the Bumblebee loader. This type of malware is also called a dropper: a package containing malicious code that infects a system and then downloads further malware, with the dropper serving as the carrier. It is assumed that the Bumblebee loader was developed by the Trickbot ransomware group to gain initial access to the infrastructure of its victims during ransomware attacks.

In 2023, the Bumblebee malware was then used in malvertising campaigns. The attackers used it to offer Trojanized installation programs for professional software, pushing these malware packages into search engine results through SEO poisoning and malvertising.

The Bumblebee loader also infects systems in other ways, for example when unsuspecting users execute so-called LNK files that load the malware via a system binary. The LNK files are usually distributed to victims via phishing emails, which contain either a link to an archive holding the malware or a corresponding email attachment. According to an earlier analysis by Cybereason experts, less than two days can pass between the infection of a system in an Active Directory environment and its compromise.
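Both the Netskope chain described above (ZIP attachment, "Report-41952.lnk", code pulled from the network) and the generic LNK-via-system-binary pattern in this paragraph come down to a shortcut whose target and arguments can be inspected before anyone double-clicks it. The following is an added triage example, not code from Netskope, Cybereason or the article: it walks the MS-SHLLINK header and StringData of every .lnk inside a ZIP and flags targets that are Windows script hosts or arguments carrying a URL. The sample archive, its path and its argument string are constructed placeholders, not captured indicators.

```python
import io
import struct
import zipfile

HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80   # MS-SHLLINK LinkFlags bits
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "mshta.exe", "rundll32.exe", "wscript.exe"}

def parse_lnk(data: bytes) -> dict:  # recover StringData (target path, arguments)
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:    # LinkTargetIDList: 2-byte size, then the item list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfo: 4-byte size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width, fields = (2 if flags & IS_UNICODE else 1), {}
    for bit, key in STRING_FIELDS:  # each entry: 2-byte char count, then characters
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    return fields

def assess(fields: dict) -> list:  # defender heuristics, not a verdict
    target = fields.get("relative_path", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    args = fields.get("arguments", "").lower()
    reasons = ["target is system binary " + target] if target in SCRIPT_HOSTS else []
    if "http://" in args or "https://" in args:
        reasons.append("arguments contain a URL")
    return reasons

def scan_zip(zip_bytes: bytes) -> list:  # (member, fields, reasons) per .lnk in the archive
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [(n, f, assess(f)) for n in zf.namelist()
                if n.lower().endswith(".lnk") for f in [parse_lnk(zf.read(n))]]

def build_sample_zip() -> bytes:  # constructed test input, not a real capture
    def sd(text):  # one Unicode StringData entry
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    clsid = bytes.fromhex("0114020000000000c000000000000046")  # Shell Link CLSID
    header = struct.pack("<I16sI", 0x4C, clsid, 0x08 | 0x20 | IS_UNICODE) + b"\0" * 52
    lnk = header + sd("..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe")
    lnk += sd("-w hidden https://example.invalid/placeholder")  # placeholder argument string
    with zipfile.ZipFile(buf := io.BytesIO(), "w") as zf:
        zf.writestr("Report-41952.lnk", lnk)
    return buf.getvalue()
```

Run `scan_zip` over a quarantined attachment to see the shortcut's real target and arguments; a hit from `assess` is a reason to detonate in a sandbox and compare against the published IoCs, not a conviction on its own.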

(kst)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.