February 14, 2024 at 07:15AM
Infamous malware loader Bumblebee resurfaces in a new phishing campaign targeting organizations in the U.S. Proofpoint warned about voicemail-themed lures leading to Word files with VBA macros that launch PowerShell commands to execute Bumblebee. The attack chain relies on macro-enabled documents, coinciding with the reappearance of new variants of QakBot, ZLoader, and PikaBot.
Key takeaways from the report (Malware / Cybercrime):
1. The notorious malware loader, Bumblebee, has reappeared after a four-month hiatus as part of a new phishing campaign targeting U.S. organizations. It leverages voicemail-themed lures containing links to OneDrive URLs and uses VBA macros to run PowerShell commands that download and execute follow-on payloads such as ransomware.
2. Bumblebee is believed to be developed by threat actors associated with the Conti and TrickBot cybercrime syndicate, serving as a replacement for BazarLoader. It has been observed delivering BazaLoader (aka BazarLoader) and IcedID.
3. QakBot, ZLoader, and PikaBot have also reemerged, with more sophisticated features such as stronger encryption, increased ability to detect virtual machine and sandbox environments, and improved communication encryption using AES-256.
4. The dismantling of QakBot’s infrastructure in late August 2023 did not eliminate the threat, as new variants have emerged, demonstrating modifications and experimentation by those with access to the original source code.
5. Malwarebytes has reported a new campaign involving phishing sites mimicking financial institutions to trick targets into downloading legitimate remote desktop software, ultimately allowing threat actors to gain control of the machine.
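The chain described in the opening paragraph and in takeaway 1 (macro-enabled Word file, VBA macro, PowerShell download-and-execute stage) leaves two artifacts a defender can check for: an Office host process spawning a command interpreter, and a document that carries a VBA project. The following Python is an added example written for this summary; it is not code from Proofpoint, The Hacker News, or any Bumblebee sample. It assumes process-creation events are available as dicts with Sysmon-style `Image`, `ParentImage` and `CommandLine` fields; the sample events, the in-memory documents and the `BASE64_PLACEHOLDER` token are all constructed for the example.

```python
"""Detection helpers for the macro -> PowerShell loader chain.

Added example, not part of the original post. Assumes Sysmon-like
process-creation events (Image, ParentImage, CommandLine). All sample
data below is constructed; BASE64_PLACEHOLDER stands in for an encoded
command and is not real payload content.
"""
import io
import re
import zipfile

# Office host processes that should rarely, if ever, spawn a shell.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Interpreters a macro typically hands off to.
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe",
                  "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line cues common to a download-and-execute stage (case-insensitive).
DOWNLOAD_CUES = re.compile(
    r"-enc\w*\s|downloadstring|downloadfile|invoke-webrequest|\biwr\b"
    r"|start-bitstransfer|-w(indowstyle)?\s+hidden|bypass",
    re.IGNORECASE,
)


def _basename(path):
    """Lower-cased file name from a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(event):
    """Return 'critical', 'suspicious' or None for one process-creation event.

    Office -> shell lineage alone is 'suspicious'; lineage plus download or
    evasion cues on the command line is 'critical'.
    """
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    if parent not in OFFICE_HOSTS or child not in SHELL_CHILDREN:
        return None
    if DOWNLOAD_CUES.search(event.get("CommandLine", "")):
        return "critical"
    return "suspicious"


def scan_events(events):
    """Return (severity, event) pairs for every matching event, in order."""
    findings = []
    for event in events:
        severity = classify_event(event)
        if severity:
            findings.append((severity, event))
    return findings


def has_vba_project(docx_bytes):
    """True if an OOXML Word document (bytes) carries a VBA project.

    Macro-enabled OOXML files store the macro storage as word/vbaProject.bin
    inside the zip container, regardless of the file extension shown to the user.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
            names = {name.lower() for name in zf.namelist()}
    except zipfile.BadZipFile:
        return False
    return "word/vbaproject.bin" in names


# --- constructed sample data ---------------------------------------------
SAMPLE_EVENTS = [
    {  # interactive PowerShell from the desktop shell: not part of the chain
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -NoProfile",
    },
    {  # Word spawning hidden PowerShell with an encoded command: critical
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -w hidden -ep bypass -enc BASE64_PLACEHOLDER",
    },
    {  # Word spawning cmd.exe with no download cues: still worth a look
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c echo hello",
    },
    {  # Word spawning the print spooler helper: normal behaviour
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\splwow64.exe",
        "CommandLine": "splwow64.exe 12288",
    },
]


def build_sample_docx(with_macro):
    """Build a minimal OOXML container in memory (constructed, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes only; a real vbaProject.bin is an OLE stream.
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for severity, event in scan_events(SAMPLE_EVENTS):
        print(f"[{severity}] {_basename(event['ParentImage'])} -> {event['CommandLine']}")
    print("macro-enabled:", has_vba_project(build_sample_docx(True)))
    print("clean document:", has_vba_project(build_sample_docx(False)))
```

The lineage check is deliberately coarse: Word spawning any interpreter is rare enough in most environments that it deserves triage on its own, and the command-line cues only raise severity rather than gate the alert, so an encoded or obfuscated stage that avoids every keyword is still surfaced. The container check looks at zip contents rather than the extension, since a macro-enabled document can be renamed to `.docx` and Word will still honour the VBA project.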