Several threat groups believed to be initial access facilitators for some ransomware gangs are transitioning to a new first-stage malware downloader dubbed Bumblebee. The groups previously used other downloaders like BazaLoader and IcedID.
According to researchers from security firm Proofpoint, Bumblebee email-based distribution campaigns started in March and were linked back to at least three known attack groups. The malware is used to deploy known penetration testing implants such as Cobalt Strike, Sliver and Meterpreter.
Attackers have adopted these attack frameworks and other open-source dual-use tools in recent years to engage in hands-on manual hacking and lateral movement through victim networks.
"Bumblebee is a sophisticated downloader containing anti-virtualisation checks and a unique implementation of common downloader capabilities, despite it being so early in the malware's development," the Proofpoint researchers said in their report.
"The increase of Bumblebee in the threat landscape coincides with BazaLoader -- a popular payload that facilitates follow-on compromises -- disappearing recently from Proofpoint threat data."
How is Bumblebee distributed?
So far Bumblebee has been distributed through email spear-phishing messages that used different lures to trick users into downloading and opening ISO files with the Bumblebee malware inside. ISO files are used to store file system copies of optical discs as a disc image, but are essentially an archive format.
In one March campaign attributed to a threat actor tracked as TA579, the rogue emails posed as notifications from DocuSign, a legitimate online document signing service used by businesses. The notifications included a "REVIEW THE DOCUMENT" hyperlink that directed users to download a zip archive from Microsoft OneDrive.
The archive contained the ISO file which in turn contained two files called Attachments.lnk and Attachments.dat. The LNK file, which on Windows computers is used for application and file shortcuts, contained the right parameters to execute Attachments.dat (Bumblebee) by invoking Windows' rundll32.exe service.
The same email also contained an HTML attachment with a hyperlink which, when clicked, took users through a redirection service to the same ISO file download from OneDrive. This is meant to provide an alternative path to the same payload.
In a separate email campaign observed in March and attributed to a different known threat actor tracked as TA578, the attackers took a more targeted approach. They used the web-based email contact form on the target organisation's website to send a fake complaint about the website using stolen copyrighted images.
The email included a link to an ISO file hosted on Google Drive and called "Stolen images evidence." This ISO file contained a file called DOCUMENT_STOLENIMAGES.LNK that executed a copy of Bumblebee stored as neqw.dll.
In an April campaign, another threat actor used thread hijacking, a technique that involves sending an email that mimics a reply to a legitimate email thread between correspondents. This reply used an invoice-related lure and included an attachment called doc_invoice_[number].zip.
This ZIP file was password-protected and the password was provided in the email. Contained inside was an ISO file with a file called DOCUMENT.LNK configured to execute a copy of Bumblebee stored as tar.dll.
A shift in the toolset of ransomware gangs
Proofpoint believes that all these threat actors obtained the malware from a single source and that they are all so-called initial access brokers -- independent hackers that sell access to enterprise networks to ransomware gangs and other cyber criminal groups. TA578 was seen using Ursnif, IcedID, KPOT Stealer, Buer Loader, BazaLoader, and Cobalt Strike in the past. TA579 often used BazaLoader and IcedID in past campaigns.
The Proofpoint researchers note that these campaigns overlap with malicious email activity reported by Google in March and attributed to an access broker tracked as EXOTIC LILY that's closely linked with data exfiltration and the deployment of human-operated ransomware such as Conti and Diavol. Google observed EXOTIC LILY sending over 5000 emails a day to around 650 organisations globally.
The IcedID Trojan was used last year to distribute ransomware from a group called OnePercent or 1Percent that has ties to the infamous REvil (Sodinokibi) group that was reportedly raided by the Russian FSB in January.
Meanwhile, BazaLoader or Bazar Loader is believed to have been created as a more resilient replacement for the TrickBot Trojan and is associated with another notorious ransomware group called Conti (Ryuk). BazaLoader has also been used to distribute IcedID.
"BazaLoader’s apparent disappearance from the cyber crime threat landscape coincides with the timing of Conti Leaks, when, at the end of February 2022, a Ukrainian researcher with access to Conti’s internal operations began leaking data from the cyber criminal organisation," the Proofpoint researchers said. "Infrastructure associated with BazaLoader was identified in the leaked files."
If BazaLoader has been abandoned, the researchers believe more ransomware affiliates and initial access facilitators will adopt Bumblebee as a first-stage malware loader.
How does Bumblebee work?
Malware loaders such as Bumblebee are small malicious programs whose goal is to download and execute additional payloads on compromised machines without detection.
To achieve this, they use various techniques to inject or attach these payloads to existing legitimate processes. They also collect system information about the compromised computer that can later be used to uniquely identify the victim machine in the attackers' command-and-control panel.
According to Proofpoint's analysis, after execution Bumblebee uses the Windows Management Instrumentation (WMI) framework to query system information and build a unique ID for the infected machine. It then contacts the command-and-control server every 25 seconds looking for commands to execute.
Since the attackers appear to provide these commands and payloads manually, it can take hours after the initial infection until Bumblebee will proceed to the next steps.
The commands supported by the bot allow the attackers to directly download and execute files, to inject DLLs and shellcode into existing processes and to establish persistence on the system. The persistence mechanism involves copying the Bumblebee DLL to the %APPDATA% folder and creating a VBS script that will load the DLL based on a scheduled task.
The samples detected since March show that the loader is seeing active development with improvements being made and new features being added.
An example is the addition of anti-VM and anti-sandbox routines that are meant to prevent the malware from executing inside virtualised environments commonly used by researchers and honeypot systems. The loader now also has a list of processes associated with common tools used by malware analysts and defenders and it checks if they are running on the system.
In the latest samples, attackers can specify multiple command-and-control servers, the query time has been modified from 25 seconds to random intervals and the communication with the C&C servers is now encrypted. All these changes are meant to make the malware's activity stealthier and harder to detect.
"Proofpoint assesses with high confidence Bumblebee loader can be used as an initial access facilitator to deliver follow-on payloads such as ransomware," the researchers said.
"Based on the timing of its appearance in the threat landscape and use by multiple cyber criminal groups, it is likely Bumblebee is, if not a direct replacement for BazaLoader, then a new, multifunctional tool used by actors that historically favoured other malware."