Nilaa Maharjan, Logpoint Global Services & Security Research

This blog post provides an overview of the research conducted on a new malicious loader dubbed Bumblebee. It is being used by at least three cybercriminal groups that have links to ransomware gangs. Gangs using Bumblebee have in the past used the BazarLoader and IcedID loaders – linked to high-profile ransomware groups Conti and Diavol. The emergence of Bumblebee coincides with the swift disappearance of BazarLoader in recent weeks. The following blog and the accompanying Logpoint Emerging Threats Protection report look in-depth at the incident, the detection measures using Logpoint SIEM, and prevention and responses using Logpoint SOAR.

Researchers in early March of 2022 were startled by the hum of a new malicious downloader called Bumblebee. Tracing its roots in the Conti ransomware gang, the attack chain is reportedly being used by at least three clusters of activities replacing the BazarLoader with the Bumblebee malware.

In a blog post, Proofpoint researchers said they had not detected BazarLoader in their threat research since February 2022. Bumblebee seems to act as a sophisticated downloader bypassing most, if not all, virtualization checks by implementing its own unique capabilities even in its early phases of development. So far, researchers have observed Bumblebee being used to deploy all sorts of malware such as Cobalt Strike, shellcode, Sliver, and Meterpreter. The name comes from the User-Agent “bumblebee” used in the early campaigns. However, the Bumblebee is a gateway and aims to download and execute additional ransomware payloads.

Flight of the Bumblebee

Usually, malicious spam (MalSpam) campaigns deliver malicious documents (MalDoc) to lure the victims to interact with the MalDoc and execute the malicious macro code by clicking “Enable Content.” That in turn downloads and executes the malicious payload similar to other Conti ransomware attacks.

It was expected for the cyber threat groups to change their initial access techniques following the changes Microsoft applied recently to the default policy in their Office products: “Macros from the internet will be blocked by default in Office” and “Excel 4.0 (XLM) macros are disabled by default.” These changes impact both the attackers and the defenders as the attackers have been abusing Office documents with malicious macros for years and defenders have been allocating most of the attention and resources into monitoring these actions.

It appears that they’ve come up with a plan B. Bumblebee, in the wild, is being distributed in email phishing campaigns by at least three tracked threat actors. The threat actors have used multiple techniques to deliver Bumblebee. While lures, delivery techniques, and file names are typically customized to the different threat actors distributing the campaigns, cybersecurity researchers have observed several commonalities across campaigns, such as the use of ISO files, HTML files masqueraded as email replies, to contact forms containing shortcut files and DLLs and a common DLL entry point used by such actors within the same week.

Key Findings

Known Threat Actors:

Primary:

Conti (Ryuk)

Secondary:

EXOTIC LILY, TA578, TA579

  • A new malware loader called Bumblebee is being used by multiple crimeware threat actors previously observed delivering BazarLoader and IcedID.
  • Several threat actors that were known to use BazarLoader in malware campaigns have moved to Bumblebee. since its unusual disappearance. BazarLoader has not been seen since February 2022.
  • Bumblebee is in active development and wields elaborate evasion techniques to include complex anti-virtualization.
  • Unlike most other malware that uses process hollowing or DLL injection, this loader utilizes an asynchronous procedure call (APC) injection to start the shellcode from the commands received from the command and control (C2).
  • Bumblebee is dropping Cobalt Strike, shellcode, Sliver, and Meterpreter for command and control.
  • Threat actors using Bumblebee are associated with malware payloads that have been linked to follow-on ransomware campaigns.

Jason Hicks, Field CISO and executive advisor at Coalfire, said the use of an APC injection versus a DLL injection would potentially make this malware somewhat harder to detect from an anti-malware/EDR perspective. Hicks said to detect something like this, the tools are using some combination of machine learning, and in some cases, artificial intelligence.

“If most of the models are trained to detect DLL injection and not APC injection, it may decrease the detection accuracy rate,” Hicks said. “As this becomes more prevalent, I’d expect the tools to start detecting both of these methods with equal frequency.” Relying on traditional signature-based applications would not be enough anymore to protect against these kinds of attacks.”

It is obvious that threat actors have been evolving to bypass traditional security systems by using existing vulnerabilities and by using new technology, tactics, and techniques as they appear. To keep in line or outpace them, the defense community must one-up themselves with the piling of security products that work alongside each other and plays to the strength of each other. A SIEM solution, like such provided by Logpoint, that incorporates user and behaviors analytics using ML should be a priority rather than a luxury at this point.

Bumblebee shows how threat actors use multiple techniques, but also vary their techniques to not only compromise organizations but also evade most SIEM and XDR platforms.

While most SIEM and XDR solutions already lack the necessary analytics across numerous data sources, the real issue is that they rely on rule-based machine learning models that are fixed and unable to adapt to threat actors’ varying techniques and tools. This allows attackers to easily deliver malicious payloads once they have gained initial entry into the network, most often via a phishing attack.

Adding a UEBA solution to a SIEM provides automated threat detection to find unknown threats, as it draws baselines for normal behavior using ML instead of relying on pre-defined rules. Read more about how UEBA works here.

We have created a curated list of Alerts that are available for download through the downloads page. Logpoint’s Security Research and Global Services teams have put together a report going into detail about the methods and evolution of Bumblebee, best security practices, and how to detect, investigate, and respond using Logpoint.

For more in-depth information:

For more in-depth information: