A sophisticated malware loader dubbed Bumblebee is being used by at least three cybercriminal groups that have links to ransomware gangs, according to cybersecurity researchers.

Gangs using Bumblebee have in the past used the BazarLoader and IcedID loaders – linked to high-profile ransomware groups Conti and Diavol. The emergence of Bumblebee coincides with the swift disappearance of BazarLoader in recent weeks, according to researchers with security firm Proofpoint.

The researchers note that BazarLoader’s disappearance occurred about the same time a Ukrainian researcher with access to Conti’s operations – and apparently angry with Kremlin-linked Conti’s public support for Russia’s invasion of Ukraine – started leaking information from the organization, including its ties with BazarLoader.

In February, Conti reportedly took over the operation of the TrickBot botnet gang that developed BazarLoader. Researchers with both Proofpoint and Cybereason found code similarities between Bumblebee and TrickBot’s malware.

Bumblebee, like BazarLoader, likely is used to gain initial access to vulnerable systems and networks. The bad actors then sell that access to other cybercriminals who deliver their malicious payloads into the compromised environments.

Google’s Threat Analysis Group (TAG) wrote in March about a threat group called Exotic Lily. The ad giant’s infosec researchers said Exotic Lily has links to Conti and Diavol, and used Bumblebee to launch large-scale phishing campaigns to gain initial access.

This week Proofpoint and Cybereason observed that, while there are strong overlaps with TrickBot’s code, Bumblebee has unique features and stronger anti-detection tools.

“From a threat research perspective, what makes this malware interesting is the fact that it was associated with the Conti ransomware group as one of the group’s threat loaders,” Eli Salem, malware researcher and threat hunter at Cybereason, wrote in a blog post.

Like a bad penny

Proofpoint threat researchers Kelsey Merriman and Pim Trouerbach reported they’ve seen Bumblebee used in three malicious email campaigns to drop Cobalt Strike, Sliver and Meterpreter frameworks – tools used by security teams in organizations for training and penetration testing, but since weaponized by attackers. The loader has also been used to deploy shellcode, which hackers use to exploit vulnerabilities in software.

“The threat actors have used multiple techniques to deliver Bumblebee,” they wrote. “While lures, delivery techniques, and file names are typically customized to the different threat actors distributing the campaigns, Proofpoint observed several commonalities across campaigns, such as the use of ISO files containing shortcut files and DLLs and a common DLL entry point used by multiple actors within the same week.”

In March, Proofpoint saw an email campaign using a DocuSign lure to entice victims into downloading a malicious ISO file housed in Microsoft’s OneDrive personal cloud storage service. The email also contained an HTML attachment that was made to look like an email containing an unpaid invoice. Both paths led to Bumblebee.

The campaign was run by the threat group TA579, which Proofpoint has tracked since August 2021. TA579 has been observed using the BazarLoader and IcedID loaders in previous campaigns.

August 2021 saw another campaign, wherein emails were generated by submitting a message to a contact form on the target organization’s website claiming that stolen images were contained on the site. The message included a link to a landing page that directed the victim to download an ISO file containing copies of the stolen images.

Proofpoint linked another group, TA578, to this campaign. TA578 has been around since at least May 2020 and has used BazarLoader, IcedID, Cobalt Strike, Ursnif, KPOT Stealer and Buer Loader.

This month the researchers observed a campaign delivering emails that appeared to be replies to existing, legitimate email conversations and that included malicious zipped ISO attachments. The Proofpoint researchers said they are highly confident “based on malware artefacts” that “all the tracked threat actors using Bumblebee are receiving it from the same source.”

The loader is unusual in that most of it is pulled together into a single function. Most malware breaks out initialization, request sending and response handling into different functions. In addition, its configuration is stored in plaintext, though the Proofpoint researchers expect obfuscation features will be used in the future.

Bumblebee includes sophisticated techniques to evade detection and appears to be early in its development. It has added techniques like anti-virtual machine and anti-sandbox checks over the past month, and more recently added an encryption layer to its network communications routines, plus checks that detect whether malware analysis tools are being used.