A recently uncovered malware loader called Bumblebee has been found to be connected to a number of prominent ransomware groups and has been a key component of many cyberattacks. New findings by the Symantec Threat Hunter Team, part of Broadcom Software, discovered that the tool has links to threat groups such as Conti, Quantum and Mountlocker, per the team’s blog entry.
According to Symantec’s Threat Hunter Team, the Bumblebee loader may have been used as a replacement for Trickbot and BazarLoader, due to the overlap in recent activity involving Bumblebee and older attacks linked to these loaders.
“[Bumblebee] appears to have replaced a number of older loaders, which suggests that it is the work of established actors and that the transition to Bumblebee was pre-planned,” the team wrote in its blog post.
How the Bumblebee loader becomes a threat
One particular attack singled out by the team stemming from Quantum ransomware detailed how the Bumblebee loader is put into practice. The initial infection came through use of a spear-phishing email, which had an attachment of an ISO file. The malicious file in question was equipped with a Bumblebee DLL file and a LNK file, which then loaded the Bumblebee file using rundll32.exe.
The Bumblebee loader allegedly then contacted a command-and-control server according to the team, and created a duplicate file within the %APPDATA% folder with a randomized name. In conjunction with this, a VBS file was also created within the same location. Then, the loader organized a scheduled task to run the VBS file every 15 minutes. After a few hours had passed, the loader dropped a Cobalt Strike payload. This action led to two additional points: One being that Metasploit DLL was injected into a legitimate Windows process and the second coming from an AdFind tool to collect system information such as domain users and group permissions for the system.
After this task was completed, the Quantum ransomware was unloaded by Bumblebee, allowing the ransomware group to encrypt files of the targeted system. Once in the system, Quantum then was able to scrape the system for user information using Windows Management Instrumentation. The ransomware payload also disabled any processes related to malware identification.
SEE: Mobile device security policy (TechRepublic Premium)
Bumblebee’s connection to previous attacks
Due to Bumblebee’s use of the tools formerly mentioned, it is believed by the Threat Hunter Team that there is a connection between the new loader and ones used previously by cybercriminal groups. One such link comes from the use of AdFind, a publicly available tool for querying Active Directory and having been used by other adversaries in the past. The deployment of an ISO file with the intent to infect a system was also the initial infection point for victims in previous attacks, dating back as far as June of 2021 and used by threat groups Ryuk and Conti.
Another link comes from the use of a batch script known as adf.bat. The batch script has been tied to cyberattacks going back to November 2021, along with the use of the AdFind tool in these attacks. In that case, the loader was determined to be BazarLoader.
Many of the attacks being investigated by the Threat Hunter Team also found the use of legitimate software tools within the attacks themselves. For organizations employing remote desktop tools this can cause major issues, having been linked to a number of ransomware deployments and data exfiltration purposes. Symantec’s team recommends that users and enterprises be on the lookout for this new malware loader and the capabilities it possesses.