GEC NEWS WIRECybereason issued a global threat report warning global organizations about a rise in ransomware attacks using the Bumblebee loader. The new research focuses on the post-exploitation actions and tactics, techniques and procedures used in attacks. Interestingly, the loader became the ‘loader of choice’ for Conti Group, one of the most prolific ransomware gangs in the world.
Bumblebee was discovered in March 2022 by Google’s Threat Analysis Group and Cybereason previously reported on Bumblebee in April 2022. Cybereason is now warning global organizations that attacks involving Bumblebee must be treated as CRITICAL. Based on Cybereason’s global security operations center findings, Bumblebee has risen to become the loader of choice amongst most threat actors.
Key Findings:
- User-Driven Execution: The majority of the infections with Bumblebee we have observed started by end-users executing LNK files which use a system binary to load the malware. Distribution of the malware is done by phishing emails with an attachment or a link to the malicious archive containing Bumblebee.
- Intensive Reconnaissance and Data Exfiltration: Bumblebee operators conduct intensive reconnaissance activities and redirect the output of executed commands to files for exfiltration.
- Active Directory Compromise: The attackers compromised Active Directory and leveraged confidential data such as users’ logins and passwords for lateral movement. The time it took between initial access and Active Directory compromise was less than two days.
- Under Active Development: Cybereason GSOC has observed threat actors transitioning from BazarLoader, Trickbot, and IcedID to Bumblebee, which seems to be in active development and generally the loader of choice for many threat actors.
- Critical Severity: Attacks involving Bumblebee must be treated as critical. Based on GSOC findings, the next step for the threat actors is ransomware deployment, and this loader is known for ransomware delivery.
