Proofpoint Trust

This isn't Optimus Prime's Bumblebee but it's Still Transforming

Key Findings

  • Proofpoint has tracked a new malware loader called Bumblebee used by multiple crimeware threat actors previously observed delivering BazaLoader and IcedID.
  • Several threat actors that typically use BazaLoader in malware campaigns have transitioned to Bumblebee. BazaLoader has not been seen in Proofpoint data since February 2022. 
  • Bumblebee is in active development and wields elaborate evasion techniques to include complex anti-virtualization.
  • Unlike most other malware that uses process hollowing or DLL injection, this loader utilizes an asynchronous procedure call (APC) injection to start the shellcode from the commands received from the command and control (C2).
  • Proofpoint observed Bumblebee dropping Cobalt Strike, shellcode, Sliver, and Meterpreter.
  • Threat actors using Bumblebee are associated with malware payloads that have been linked to follow-on ransomware campaigns.

Overview

Starting in March 2022, Proofpoint observed campaigns delivering a new downloader called Bumblebee. 

At least three clusters of activity including known threat actors currently distribute Bumblebee. Campaigns identified by Proofpoint overlap with activity detailed in the Google Threat Analysis Group blog as leading to Conti and Diavol ransomware.

Bumblebee is a sophisticated downloader containing anti-virtualization checks and a unique implementation of common downloader capabilities, despite it being so early in the malware's development. Bumblebee's objective is to download and execute additional payloads. Proofpoint researchers observed Bumblebee dropping Cobalt Strike, shellcode, Sliver and Meterpreter. The malware name comes from the unique User-Agent "bumblebee" used in early campaigns. 

The increase of Bumblebee in the threat landscape coincides with BazaLoader – a popular payload that facilitates follow-on compromises – disappearing recently from Proofpoint threat data. 

Campaign Details

Proofpoint researchers have observed Bumblebee being distributed in email campaigns by at least three tracked threat actors. The threat actors have used multiple techniques to deliver Bumblebee. While lures, delivery techniques, and file names are typically customized to the different threat actors distributing the campaigns, Proofpoint observed several commonalities across campaigns, such as the use of ISO files containing shortcut files and DLLs and a common DLL entry point used by multiple actors within the same week.

Subscribe to the Proofpoint Blog