Initially discovered in April 2022, BumbleBee activity rose as BazarLoader activity dropped off. This hinted that the Conti ransomware gang and TrickBot had switched malware to grant backdoor access for the ransomware on targeted networks. Since BumbleBee's discovery, the developers behind the malware have continued to extend its feature set, most recently with the capability to load a DLL payload directly into memory, which allows for stealthier operations and infections.
DLL stands for Dynamic Link Library, which can be defined as follows:
“A dynamic link library (DLL) is a collection of small programs that larger programs can load when needed to complete specific tasks. The small program, called a DLL file, contains instructions that help the larger program handle what may not be a core function of the original program.”
Because DLLs are executed from memory, with access permissions shared across the applications that load them, there are very few restrictions on calling them from .exe files.
This is exactly why attackers look to load malware payloads as DLLs that execute from memory.
Returning to BumbleBee: previously the malware was distributed via emails carrying password-protected zipped ISO files that contained an LNK file, which executed the payload, and a DLL file, the payload itself.
Recently the ISO file has been replaced by a VHD (Virtual Hard Disk) file that contains an LNK file. If the LNK file is executed, a series of PowerShell commands are run.
The first command hides PowerShell from the end user while the second command loads the malware into memory.
To do this, the malware makes use of a PowerSploit module, a tool typically used in penetration testing.
PowerSploit is a collection of PowerShell scripts used for a variety of penetration testing tasks; in BumbleBee's case, however, PowerSploit is used to perform reflective injection to load the DLL into memory.
According to Cyble,
“PowerSploit is an open-source post-exploitation framework in which the malware uses a method, Invoke-ReflectivePEInjection, for reflectively loading the DLL into the PowerShell Process…This method validates the embedded file and performs multiple checks to ensure that the file is loaded properly on the executing system.”
With BumbleBee's new execution flow, the malware is never written to the machine's hard disk. This increases the chances that the malware will not be detected by the security software installed on the machine.
This improvement in the malware's stealth capabilities makes it far more of a potential threat.
As the malware is used to gain initial access to compromised machines, to which ransomware payloads can later be delivered, a harder-to-detect BumbleBee will entice more ransomware gangs and affiliates to partner with its operators.
As mentioned above, BumbleBee was discovered in April 2022 following a decline in BazarLoader, one of Conti's favored partners for gaining initial access to corporate networks.
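Because the DLL never touches disk, file-based scanning misses it; the execution flow above (hidden PowerShell window, then Invoke-ReflectivePEInjection inside that process) is still visible in process-creation and PowerShell Script Block Logging telemetry. The following detection logic is an added example, not code from the article or from any vendor: the regexes, the constructed sample events, the pids and paths, and the assumption that a user-launched LNK spawns PowerShell from explorer.exe are all mine.

```python
import re
from typing import Dict, List, Set

# Indicators for the two stages described above: the first command hides the
# PowerShell window, the second loads the DLL with PowerSploit's
# Invoke-ReflectivePEInjection. Both regexes are assumptions, not page content.
HIDDEN_WINDOW = re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+h(?:idden)?\b")
REFLECTIVE_LOAD = re.compile(r"(?i)Invoke-ReflectivePEInjection")

# Constructed sample telemetry in a simplified Sysmon (process create) and
# PowerShell Script Block Logging (4104) shape; paths and pids are made up.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "pid": "4120", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -c "<constructed loader command>"'},
    {"type": "scriptblock", "pid": "4120", "text": "function Invoke-ReflectivePEInjection { <constructed body> }"},
    {"type": "process", "pid": "5200", "parent": "svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -WindowStyle Hidden -File C:\Scripts\backup.ps1"},
    {"type": "scriptblock", "pid": "5200", "text": r"Copy-Item C:\data D:\backup -Recurse"},
]

def score_event(event: Dict[str, str]) -> List[str]:
    """Return the indicator names that fire for a single event."""
    hits: List[str] = []
    if event["type"] == "process":
        # A double-clicked LNK is launched by explorer.exe (assumption about the
        # parent process; the article only says the LNK runs PowerShell).
        if event["image"].lower().endswith("powershell.exe") and event["parent"].lower() == "explorer.exe":
            hits.append("powershell_from_explorer")
        if HIDDEN_WINDOW.search(event["cmdline"]):
            hits.append("hidden_window")
    elif event["type"] == "scriptblock" and REFLECTIVE_LOAD.search(event["text"]):
        hits.append("reflective_pe_injection")
    return hits

def correlate(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group indicators per pid; alert only when both stages appear in one process."""
    by_pid: Dict[str, Set[str]] = {}
    for event in events:
        hits = score_event(event)
        if hits:
            by_pid.setdefault(event["pid"], set()).update(hits)
    required = {"hidden_window", "reflective_pe_injection"}
    return {pid: sorted(h) for pid, h in by_pid.items() if required <= h}

if __name__ == "__main__":
    for pid, indicators in correlate(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {', '.join(indicators)}")
```

A hidden window on its own is noisy (scheduled admin scripts use it too, as pid 5200 shows), so the alert requires the in-memory load in the same process; Script Block Logging must be enabled for the second stage to be visible.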
It is widely accepted that BazarLoader was the work of TrickBot developers.
At the time of BumbleBee's discovery, Google's Threat Analysis Group found that BumbleBee had replaced BazarLoader as one of the main culprits for dropping Cobalt Strike beacons, a tactic used by ransomware gangs to deliver payloads to already compromised networks.
In a report published shortly after the malware's discovery, Proofpoint researchers stated,
“Bumblebee is a sophisticated downloader containing anti-virtualization checks and a unique implementation of common downloader capabilities, despite it being so early in the malware's development. Bumblebee's objective is to download and execute additional payloads. Proofpoint researchers observed Bumblebee dropping Cobalt Strike, shellcode, Sliver and Meterpreter. The malware name comes from the unique User-Agent "bumblebee" used in early campaigns.”
At this stage, BumbleBee was being distributed via a DocuSign-branded email campaign using the initial infection execution flow detailed above. In some instances, an HTML attachment was used to kick off the infection.
The HTML file masqueraded as an invoice and redirected to a redirection service that uses Prometheus TDS to filter downloads.
The filter screens potential victims based on their time zone and cookies. The redirector in turn directed the user to a zipped ISO file, also hosted on OneDrive.
Proofpoint's conclusion to its earlier report is just as true now as it was when published. It read,
“Bumblebee is a sophisticated malware loader that demonstrates evidence of ongoing development. It is used by multiple cybercrime threat actors. Proofpoint assesses with high confidence Bumblebee loader can be used as an initial access facilitator to deliver follow-on payloads such as ransomware. Based on the timing of its appearance in the threat landscape and use by multiple cybercriminal groups, it is likely Bumblebee is, if not a direct replacement for BazaLoader, then a new, multifunctional tool used by actors that historically favored other malware.”
Even now, some months on, it is still difficult to say whether BumbleBee is BazarLoader's direct replacement, as detections of BumbleBee have not skyrocketed to completely surpass BazarLoader activity.
However, with attackers switching to ISO files and DLL payloads loaded into memory, BumbleBee could be the new tool cybercriminals want to add to their arsenal.