
The Return of Bumblebee Malware

Written by Securafy Team | Mar 12, 2024 3:00:00 PM

Thousands of organizations worldwide remember the Bumblebee malware that surfaced in March 2022 and allowed dozens of cybercriminal threat actors to drop payloads on targeted victims.

Although researchers noticed that this malware loader disappeared in October 2023 after its long run of terror, Proofpoint, an enterprise security firm, noted its revival this February, about four months later. With it surfaced new malware variants that hackers are now using in new campaigns comprising thousands of emails. Below, we'll explain how these emails work and how businesses can protect themselves.

How Do the Emails Work?

The emails, sent from "info@quarlesaa[.]com", carry the subject line "voicemail February" to convince employees that they have a missed voice message. If the employee clicks the Microsoft OneDrive URL in the message, it redirects them to Word files with names like "ReleaseEvans#96.docm" or some variation, while impersonating a company.

Launching the link initiates the PowerShell command that runs the Bumblebee loader. From there, the attackers can use anything from deployed ransomware to macro-themed attacks to collect information, demand a ransom, or bring down a company or competitor.

This campaign differs from previous ones, some of which used URLs that led employees to download a DLL that initiated Bumblebee. Other previously observed methods include:

  • HTML attachments that use HTML smuggling to push a RAR file and exploit the WinRAR flaw CVE-2023-38831 to download Bumblebee
  • Password-protected zipped VBS attachments that use PowerShell to download the malware loader
  • Zipped LNK files that download executables containing Bumblebee

What Can You Do To Keep From Becoming a Victim?

Whatever form Bumblebee malware takes, knowing how to identify threats is the best way to avoid them. Threat research shows that the current sender addresses and OneDrive URLs overlap with previous TA579 activity, so organizations should watch for malicious emails matching the indicators above.
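The advice above to look for emails matching the campaign's indicators, and the list of earlier delivery methods (HTML attachments, zipped VBS, zipped LNK, DLL downloads), can be turned into a simple mail-log triage rule. The following script is an added example written for this post; it is not Proofpoint's or Securafy's code. It uses only the indicators the post quotes (the defanged sender address, the "voicemail February" subject, the "ReleaseEvans#96.docm"-style lure name, and the risky attachment types from the list). The OneDrive host names, the point values, and the three sample mail records are assumptions constructed for the demonstration, so tune them to what your own gateway or SIEM actually logs.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple
from urllib.parse import urlparse, unquote

# Indicators quoted from the post: the (defanged) sender address, the subject line,
# and the lure document name pattern ("ReleaseEvans#96.docm" or some variation).
KNOWN_SENDER = "info@quarlesaa.com"                 # refanged from info@quarlesaa[.]com
SUBJECT_MARKER = "voicemail february"
LURE_NAME = re.compile(r"[A-Za-z]+#\d+\.docm$", re.IGNORECASE)

# Assumption: these are the host names a OneDrive share link uses; the post only
# says "Microsoft OneDrive URL", so adjust to what your own mail/proxy logs show.
ONEDRIVE_HOSTS = ("1drv.ms", "onedrive.live.com")

# Delivery vehicles the post lists: HTML attachments (smuggling), zipped VBS,
# zipped LNK, DLL downloads, RAR archives (CVE-2023-38831), and the .docm lure.
RISKY_EXTENSIONS = (".html", ".htm", ".vbs", ".lnk", ".zip", ".rar", ".dll", ".docm")


@dataclass
class MailRecord:
    """One message as a mail gateway or SIEM would log it."""
    sender: str
    subject: str
    urls: List[str] = field(default_factory=list)
    filenames: List[str] = field(default_factory=list)  # attachments, or files fetched from a link


def is_onedrive(url: str) -> bool:
    """True if the URL's host is one of the assumed OneDrive share hosts (or a subdomain)."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in ONEDRIVE_HOSTS)


def triage(msg: MailRecord) -> Tuple[int, List[str]]:
    """Score a message against the campaign indicators; higher means more suspicious.

    Point values are assumptions chosen so that the exact sender match alone is
    enough to quarantine, while a lone risky attachment type only asks for review."""
    score, reasons = 0, []
    if msg.sender.strip().lower() == KNOWN_SENDER:
        score += 5
        reasons.append("sender matches the campaign address")
    if SUBJECT_MARKER in msg.subject.lower():
        score += 2
        reasons.append("voicemail-themed subject line")
    for url in msg.urls:
        if is_onedrive(url):
            score += 2
            reasons.append(f"OneDrive link: {url}")
        if LURE_NAME.search(unquote(urlparse(url).path)):
            score += 3
            reasons.append(f"lure document name in URL: {url}")
    for name in msg.filenames:
        if LURE_NAME.search(name):
            score += 3
            reasons.append(f"lure document name: {name}")
        elif name.lower().endswith(RISKY_EXTENSIONS):
            score += 2
            reasons.append(f"risky attachment type: {name}")
    return score, reasons


def verdict(score: int) -> str:
    """Map a triage score to an action (thresholds are assumptions)."""
    if score >= 5:
        return "quarantine"
    if score >= 3:
        return "review"
    return "pass"


# Constructed sample records (not real traffic) exercising the three outcomes:
# a message mimicking the campaign, a benign message, and a zipped-LNK style lure.
SAMPLES = [
    MailRecord("info@quarlesaa.com", "voicemail February",
               ["https://1drv.ms/w/s!constructed-share-id"], ["ReleaseEvans#96.docm"]),
    MailRecord("alice@example.com", "Q2 budget review",
               ["https://example.com/report"], ["budget.xlsx"]),
    MailRecord("billing@example.net", "Invoice attached", [], ["invoice.zip", "invoice.lnk"]),
]


def run_samples() -> List[str]:
    """Return the verdict for each sample record, in order."""
    return [verdict(triage(m)[0]) for m in SAMPLES]


if __name__ == "__main__":
    for m in SAMPLES:
        score, reasons = triage(m)
        print(f"{verdict(score):10} score={score:2} from={m.sender} subject={m.subject!r}")
        for r in reasons:
            print("    -", r)
```

Run it directly to see the per-message reasons, or call triage() from a gateway hook that feeds it one MailRecord per message. The exact-sender and lure-name checks are the high-confidence signals; the attachment-extension check is deliberately weak on its own, since zipped files and HTML attachments are common in legitimate mail and should route to a reviewer rather than straight to quarantine.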

Alongside avoiding any link that downloads and executes Bumblebee, your company should implement basic security practices, such as employee training that teaches workers how to identify scams like phishing emails. Even so, more complex and sophisticated malware may still trick your workers, so consider email security scanning software. This software flags every message it judges to be malicious before it reaches your employees, adding steps the malware has to get through and lessening its chances of affecting your company.

Don't Become a Victim of Malware!

Researchers believe this campaign will continue until the summer. So, take the right precautions and don't become one of the companies that fall for phishing emails.