The Bumblebee malware used by cybercriminals to deliver Cobalt Strike beacons and ransomware was observed in an infection chain for the first time since Operation Endgame, a May 2024 Europol operation that disrupted Bumblebee and other malware botnets such as IcedID and Pikabot.
In an Oct. 18 blog post, Netskope Threat Labs researchers said they found a new Bumblebee malware infection chain. While this infection chain has been widely used to deliver final payloads, it was the first time it had been observed deploying Bumblebee.
The researchers said the emergence of a new infection chain could indicate a resurgence of the Bumblebee malware.
Google’s Threat Analysis Group first discovered the malware in March 2022 and named it Bumblebee based on a user-agent string the malware used. Believed by security researchers to be the creation of TrickBot developers, Bumblebee emerged as a replacement for the BazarLoader backdoor for ransomware distribution.
The Netskope researchers said the infection starts with a phishing email that lures the victim into downloading a ZIP file, then extracting and executing the file inside it. The ZIP file contains an LNK file (a Windows shortcut) named “Report-41952.lnk” that, once executed, starts a chain to download and execute the final Bumblebee payload in memory, so the DLL never has to be written to disk as it was in previous campaigns.
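The delivery step above (a ZIP attachment carrying a shortcut) is one a mail gateway or sandbox can check for before anything is executed. The following Python example is added here as a defender-side illustration; it is not code from Netskope or from the original article. It inspects an archive in memory and flags members that are Windows shortcuts, matching both on the `.lnk` extension and on the Shell Link header bytes (HeaderSize 0x4C followed by the LinkCLSID 00021401-0000-0000-C000-000000000046) so that a shortcut renamed to look like a document is still caught. The sample archive it builds is constructed for the demonstration and is not a real Bumblebee sample.

```python
import io
import zipfile

# Shell Link (.lnk) files begin with a 4-byte HeaderSize of 0x4C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 in little-endian GUID layout.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C0000000" "00000046")


def inspect_zip_for_lnk(zip_bytes: bytes) -> list[dict]:
    """Return one finding per archive member that looks like a Windows shortcut.

    A member is flagged if its name ends in .lnk OR its first 20 bytes carry the
    Shell Link header, so renaming the shortcut (e.g. to "invoice.pdf") does not
    evade the check. Nothing is executed or extracted to disk; members are only
    read from the in-memory archive.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            if info.filename.lower().endswith(".lnk"):
                reasons.append("lnk-extension")
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if head == LNK_MAGIC:
                reasons.append("lnk-header")
            if reasons:
                findings.append(
                    {"member": info.filename, "size": info.file_size, "reasons": reasons}
                )
    return findings


def build_sample_archive() -> bytes:
    """Constructed test archive (not a real sample): a shortcut named like the one
    in the report, a shortcut disguised with a .pdf extension, and a text file."""
    # Minimal Shell Link header: the magic bytes padded to the 76-byte header size.
    fake_lnk = LNK_MAGIC + b"\x00" * (0x4C - len(LNK_MAGIC))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Report-41952.lnk", fake_lnk)
        zf.writestr("invoice.pdf", fake_lnk)  # shortcut hidden behind a document extension
        zf.writestr("readme.txt", b"plain text, nothing to flag")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip_for_lnk(build_sample_archive()):
        print(f"QUARANTINE {finding['member']!r}: {', '.join(finding['reasons'])}")
```

Checking the header rather than only the extension matters because the extension is the cheapest thing for an attacker to change; the 20 magic bytes are fixed by the file format. The same function can be pointed at attachments pulled from a mail queue, with flagged archives routed to quarantine for analyst review.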
Callie Guenther, senior manager of cyber threat research at Critical Start, said the re-emergence of Bumblebee after Europol’s Operation Endgame demonstrates the adaptability of the group believed responsible for its development.
“Despite law enforcement efforts to disrupt their activities, the actors quickly reintroduced Bumblebee, indicating well-prepared contingency plans,” said Guenther, an SC Media columnist. “The use of established tactics linked to the former TrickBot developers suggests continued alignment with their known techniques for evading detection and deploying payloads.”
Guenther said security teams should consider the following steps: