Cybersecurity Alert: Bumblebee Malware Resurfaces

After a four-month hiatus, the Bumblebee malware has reemerged, launching extensive phishing campaigns against thousands of organizations in the United States. Bumblebee, a loader discovered in April 2022, is believed to have been developed by the Conti and Trickbot criminal groups as a replacement for the BazarLoader backdoor. It is typically distributed through phishing emails and used to install additional malware on compromised devices, including tools such as Cobalt Strike for initial network access or conventional ransomware.

In its latest campaign, Bumblebee hides behind counterfeit voicemail notifications. Emails purportedly sent from info@quarlesaa[.]com with the subject “Voicemail February” carry links to OneDrive, from which a Word document named “ReleaseEvans#96.docm” (or similar) can be downloaded. These documents contain macros that install Bumblebee, an unusual tactic given that Microsoft has blocked macros by default since 2022, which suggests the attackers are trying to circumvent that protection.

[Figure: Screenshot of the malicious Word document. Image: Proofpoint]
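As an added illustration that is not part of the original report, the following Python routine triages emails against the lure traits described above: the sender, the “Voicemail” subject, a OneDrive link, and a macro-enabled .docm document. The OneDrive hostnames and the sample messages are constructed assumptions, and the two-indicator threshold is a starting point a defender would tune.

```python
"""Triage emails against the Bumblebee voicemail-lure traits described above."""
import re

# Indicator from the article (defanged there as info@quarlesaa[.]com).
KNOWN_SENDER = "info@quarlesaa.com"
VOICEMAIL_SUBJECT = re.compile(r"\bvoice\s*mail\b", re.IGNORECASE)
# Assumed OneDrive link hostnames; extend to match your tenant's sharing URLs.
ONEDRIVE_LINK = re.compile(
    r"https?://[^\s<>]*(?:1drv\.ms|onedrive\.live\.com|sharepoint\.com)[^\s<>]*",
    re.IGNORECASE,
)
# Macro-enabled Word formats, as in the "ReleaseEvans#96.docm" lure.
MACRO_DOC = re.compile(r"\.(docm|dotm)\b", re.IGNORECASE)

# Constructed sample messages for illustration only.
SAMPLE_EMAILS = [
    {"from": "info@quarlesaa.com", "subject": "Voicemail February",
     "body": "New voicemail: https://1drv.ms/w/s!AbCdEf/ReleaseEvans%2396.docm",
     "attachments": []},
    {"from": "hr@example.com", "subject": "Voicemail transcript",
     "body": "Listen here: https://onedrive.live.com/download?id=123&file=Notes.docm",
     "attachments": []},
    {"from": "alice@example.com", "subject": "Lunch Friday?",
     "body": "Shared the menu: https://onedrive.live.com/view.aspx?id=menu.pdf",
     "attachments": []},
]


def indicators(msg: dict) -> list[str]:
    """Return the list of lure traits present in one email record."""
    hits = []
    if msg["from"].strip().lower() == KNOWN_SENDER:
        hits.append("known-sender")
    if VOICEMAIL_SUBJECT.search(msg["subject"]):
        hits.append("voicemail-subject")
    links = ONEDRIVE_LINK.findall(msg["body"])
    if links:
        hits.append("onedrive-link")
    # A macro document may be linked (as in the campaign) or attached directly.
    if any(MACRO_DOC.search(t) for t in links + msg.get("attachments", [])):
        hits.append("macro-document")
    return hits


def is_suspicious(msg: dict, threshold: int = 2) -> bool:
    """Flag a message once it shows at least `threshold` lure traits."""
    return len(indicators(msg)) >= threshold


def triage(msgs: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (subject, traits) for every message that crosses the threshold."""
    return [(m["subject"], indicators(m)) for m in msgs if is_suspicious(m)]
```

Matching on a single indicator such as the sender alone would miss the campaign once it rotates addresses, which is why the routine scores the combination of lure traits rather than any one value.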

Bumblebee’s earlier delivery methods included direct DLL loading, embedding in HTML, and exploiting vulnerabilities, so the return to macro-laden documents is a departure from those more modern techniques. Bumblebee had experimented with macro-containing documents in the past, though such instances accounted for only 4.3% of all recorded campaigns.

Before its hiatus in September 2023, researchers noted a new distribution method for Bumblebee, where attackers began exploiting WebDAV service vulnerabilities to bypass restrictions and deliver the loader to victims’ computers.

Although the perpetrators of the new campaign have not been definitively identified, the modus operandi strongly resembles that of the TA579 group. Experts warn that Bumblebee’s return could signal a surge in cybercrime in 2024, alongside other reactivated malware, such as Pikabot.