New Bumblebee Loader Infection Chain Signals Possible Resurgence
Oct. 21, 2024, 11:24 a.m.
Description
A new infection chain for the Bumblebee loader malware has been discovered, potentially indicating its resurgence after Operation Endgame. The sophisticated downloader, first identified in March 2022, is used by cybercriminals to gain access to corporate networks and deliver payloads such as Cobalt Strike beacons and ransomware. The infection likely begins with a phishing email carrying a ZIP archive that contains an LNK file. When the LNK file is executed, it triggers a series of events that download and execute the Bumblebee payload in memory. The new approach uses MSI files disguised as Nvidia and Midjourney installers and employs a stealthier technique that avoids both spawning new processes and writing the payload to disk. This technique differs from previous campaigns and demonstrates the evolving tactics of the threat actors behind Bumblebee.
Tags
Date
- Created: Oct. 21, 2024, 10:59 a.m.
- Published: Oct. 21, 2024, 10:59 a.m.
- Modified: Oct. 21, 2024, 11:24 a.m.
Indicators
Attack Patterns
- Bumblebee - S1039
- Latrodectus
- Pikabot
- DarkGate
- IcedID - S0483
- Cobalt Strike - S0154
- T1218.010
- T1553.002
- T1218.007
- T1059.001
- T1547.001
- T1204.002
- T1055
- T1566