
Bumblebee malware resurfaces in a targeted US campaign


The Bumblebee malware loader has resurfaced after roughly four months of inactivity, in a campaign that uses VBA macro-enabled Word documents to spread.

Researchers at Proofpoint detected the campaign and published a report. Bumblebee is regarded as a sophisticated downloader and has been a favourite of multiple cybercriminal actors since it first appeared in March 2022.

In the latest campaign, Proofpoint observed several thousand emails targeting organisations in the United States. The emails carried the subject line ‘Voicemail February,’ purported to come from ‘info@quarlessa[.]com’ and contained OneDrive URLs.

The URLs led recipients to a Word file, typically named ‘ReleaseEvans#96.docm,’ with the digits before the file extension varying between samples. The document spoofed the consumer electronics company Humane and used macros to write and execute a script in the Windows temporary directory.

Malicious Word file. | Source: Proofpoint

The macro assembled a script from the contents of the CustomDocumentProperties named Special Props, Special Props1, Special Props2 and SpecialProps3, wrote it to a temporary file and executed it with WScript. That file contained a PowerShell command that downloaded the next stage from a remote server, stored in a file named ‘updarte_ver,’ and executed it.

In this next stage, another PowerShell command eventually downloaded and ran the Bumblebee DLL.
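The chain above (script split across custom document properties, reassembled by the macro, run via WScript) can be triaged without opening Word or executing any VBA, because custom properties are stored as plain XML in docProps/custom.xml inside the .docm zip container. The following Python is an added example written for this article; it is not Proofpoint's tooling or the lure's code. It reads the custom properties, concatenates those whose names follow the Special Props / Special Props1 / ... pattern the report describes, and flags script-like tokens. The sample container it builds is constructed here and carries a harmless four-line VBScript; the indicator list is an assumption about what a dropper script typically contains, not a signature taken from the campaign.

```python
"""Triage helper for the macro chain described above: pull the custom document
properties out of a .docm, reassemble the script the macro would build from
them, and flag script-like content, all without opening Word or running VBA."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used by docProps/custom.xml.
NS = {
    "cp": "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties",
    "vt": "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes",
}

# Tokens a dropper script stashed in a document property commonly contains
# (assumed list for illustration, not a signature from the campaign).
SUSPICIOUS = re.compile(
    r"(wscript|cscript|powershell|createobject|shell|downloadstring|"
    r"-enc\b|invoke-expression|\biex\b)",
    re.I,
)


def custom_properties(docm_bytes):
    """Return {name: value} for every custom property, or {} if the part is absent."""
    with zipfile.ZipFile(io.BytesIO(docm_bytes)) as z:
        if "docProps/custom.xml" not in z.namelist():
            return {}
        root = ET.fromstring(z.read("docProps/custom.xml"))
    props = {}
    for prop in root.findall("cp:property", NS):
        # Each property has a single vt:* child (vt:lpwstr for strings) holding the value.
        child = next(iter(prop), None)
        props[prop.get("name")] = (child.text or "") if child is not None else ""
    return props


def has_vba_project(docm_bytes):
    """True if the container carries a VBA project part, i.e. the file has macros."""
    with zipfile.ZipFile(io.BytesIO(docm_bytes)) as z:
        return "word/vbaProject.bin" in z.namelist()


def reassemble(props, prefix="Special Props"):
    """Concatenate the properties whose names are prefix + optional number, in
    numeric order ("Special Props", "Special Props1", ...). Spaces and case are
    ignored so that "SpecialProps3", as the article spells it, is picked up too."""
    key = prefix.replace(" ", "").lower()
    parts = []
    for name, value in props.items():
        norm = name.replace(" ", "").lower()
        if norm.startswith(key):
            rest = norm[len(key):]
            if rest == "" or rest.isdigit():
                parts.append((int(rest) if rest else -1, value))
    return "".join(value for _, value in sorted(parts))


def triage(docm_bytes):
    """Summarise what the container holds and which script indicators the
    reassembled property text contains."""
    props = custom_properties(docm_bytes)
    script = reassemble(props)
    indicators = sorted({m.lower() for m in SUSPICIOUS.findall(script)})
    return {
        "has_macros": has_vba_project(docm_bytes),
        "property_count": len(props),
        "script": script,
        "indicators": indicators,
    }


# --- Constructed sample (not a real lure): a minimal .docm-shaped zip whose
# custom properties carry a harmless four-part VBScript. ---
SAMPLE_PROP_NAMES = ["Special Props", "Special Props1", "Special Props2", "SpecialProps3"]
SAMPLE_CHUNKS = [
    'Set sh = CreateObject("WScript.Shell")\n',
    'cmd = "powershell -NoProfile -Command Write-Output sample"\n',
    "sh.Run cmd, 0, False\n",
    "Set sh = Nothing\n",
]


def build_sample():
    """Build the constructed sample container in memory and return its bytes."""
    from xml.sax.saxutils import escape
    props_xml = "".join(
        f'<property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" pid="{i + 2}" name="{name}">'
        f"<vt:lpwstr>{escape(chunk)}</vt:lpwstr></property>"
        for i, (name, chunk) in enumerate(zip(SAMPLE_PROP_NAMES, SAMPLE_CHUNKS))
    )
    custom_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Properties xmlns="{NS["cp"]}" xmlns:vt="{NS["vt"]}">{props_xml}</Properties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", '<?xml version="1.0" encoding="UTF-8"?>'
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", "<w:document/>")  # placeholder body, never parsed
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 28)  # OLE magic only, no real macro
        z.writestr("docProps/custom.xml", custom_xml)
    return buf.getvalue()


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample()), indent=2))
```

Run it on a real attachment by passing the file's bytes to `triage()`. A document with a VBA project and custom properties that reassemble into something containing `CreateObject`, `WScript` or `powershell` deserves a closer look in a sandbox; a clean business document rarely stores executable text in its metadata.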

What sets the campaign apart is its use of VBA macro-enabled documents at a time when most cybercriminal threat actors have moved away from them. Since Microsoft began blocking macros by default in Office files downloaded from the internet in 2022, attackers have shifted to other file types and techniques, which makes a return to macro-laden lures notable.

Voicemail-themed email lure. | Source: Proofpoint

The campaign’s attack chain also differs from previous Bumblebee campaigns, most visibly in its use of OneDrive URLs for delivery.

Proofpoint has not attributed the campaign to a specific threat actor, but notes that the voicemail lure theme, the OneDrive URLs and the sender address resemble previous TA579 activity.

The researchers also assess that the Bumblebee loader could serve as an initial access facilitator, delivering follow-on payloads that could include ransomware.


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
