A recent report revealed that, four months after its sudden disappearance, the notorious Bumblebee malware has emerged once again with different US-based organizations as its target. 

It was observed that a number of different organizations based in the US started receiving thousands of emails. Bumblebee malware tricks the users by sending them emails, themed on voicemails, which contain URLs of OneDrive. 

In this article, we will cover all the details of Bumblebee malware in the US and the techniques employed by this cyber security threat. 

Threat Actors Behind Bumblebee Malware

Bumblebee malware first came into the spotlight in March of 2022 and quickly rose to prominence as a loader.  Although cybersecurity experts are not sure who exactly developed the Bumblebee malware, it is believed that the Conti and TrickBot syndicate is the main actor behind the notorious malware used to execute ransomware payloads. 

After its inception, the malware has been deployed by the cybersecurity threat actors who are often associated with BazaLoader and IcedID. It is important to know here that the cybersecurity threat actors involved in the malware used malicious VBA macros in the documents.

Bumblebee Malware Attack Method

The previous Bumblebee malware attack techniques utilized the Web Distributed Authoring and Versioning (WebDAV) servers. WebDAV provided a smart way for the cyber threat actors to enter the system of the victim. The previous campaigns sent zipped files to the users through an email. 

Written in C++ programming language, the malware facilitates the execution of additional payloads on a device such as Silver, Shellcode, and Cobalt Strike. Coinciding with the reappearance of PikaBot, ZLoader, and QakBot, the Bumblebee malware attack method includes sending the organizations emails that contain links to OneDrive URLs. 

These emails are usually voicemail-themed. The URLs direct the user to a macro-enabled Microsoft Word document that, upon opening, launches a PowerShell command by leveraging VBA. A remote server then initiates another PowerShell script, which eventually runs the malware.  

The QakBot is spread as Microsoft Software Installer (MSI) files. A Windows.cab (Cabinet) archive which has DLL. This DLL is extracted and executed using shellcode by the MSI file. 

A Looming Danger

As mentioned earlier, the malware is used by the same threat actors who were using BazaLoader previously. This is a worrying sign because it indicates that these cybersecurity threat actors have access to a common source that provides them with the malware.

Conclusion

The re-emergence of the Bumblebee malware that attacks organizations in the US is an alarming sign. Furthermore, the use of advanced attack methods makes detecting the malware difficult for cybersecurity experts. 

There is an urgent need to deploy robust cybersecurity measures for safeguarding against Bumblebee. If not addressed properly, the presence of the malware in the US will mean that organizations will never be safe from this new wave of cyberattacks. 

The sources for this piece include articles in The Hacker News and TechRadar Pro.

The post Bumblebee Malware Targets US Businesses With New Methods appeared first on TuxCare.

*** This is a Security Bloggers Network syndicated blog from TuxCare authored by Wajahat Raja. Read the original post at: https://tuxcare.com/blog/bumblebee-malware-targets-us-businesses-with-new-methods/