In a surprising development, Bumblebee Malware (a popular malware downloader) has resurfaced with an approach that was believed to be long gone: VBA macro-enabled documents.

This comes just four months after Europol dismantled several malware loaders and botnets—including Bumblebee, IcedID, Pikabot, TrickBot and SystemBC—during a crackdown called Operation Endgame.

1. The problem

Cybersecurity experts note that Bumblebee is once again engaged in malicious activities, marking a notable shift back to macros when many cybercriminals have moved to less detectable methods. The decline of macro usage began after Microsoft blocked them by default in 2022, leading criminals to explore other strategies like exploiting file vulnerabilities and using URLs to deliver payloads.

Bumblebee’s return to macros highlights the evolving nature of cyber threats and serves as a reminder for individuals and organizations to stay vigilant against these renewed tactics.

2. The attack 

Historically, attackers would predominantly disseminate malware through phishing emails containing malicious links or HTML attachments.

Recent iterations, however, demonstrate a significant evolution in tactics—albeit with a mundane delivery method. This recent attack involved an email designed to entice recipients into downloading a seemingly innocuous ZIP file.

This ZIP file, upon extraction, contained a shortcut that executes PowerShell commands to facilitate the download of a malicious MSI file, which is disguised as a legitimate software update.

Within the package, a shortcut labeled Report-41952.lnk is responsible for triggering PowerShell to download a concealed MSI file (y.msi) that masquerades as either a legitimate NVIDIA driver update or a Midjourney installer.

The execution of this file occurs silently via msiexec.exe with the /qn option, employing the SelfReg table to load the DLL directly into memory. This approach avoids the creation of new processes and initiates Bumblebee’s unpacking procedure.

This evolution in attack strategy underscores the need for heightened awareness and robust security measures to combat increasingly sophisticated cyber threats.

3. What have cybersecurity experts noted? 

Researchers noted that this MSI file is then executed without user interaction through msiexec.exe, ensuring a stealthy operation.

The payload is designed to exploit the SelfReg table within the MSI structure, significantly reducing the risk of detection. Upon execution, the DLL is loaded into memory, paving the way for Bumblebee to take hold.
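The chain described in sections 2 and 3 leaves a recognisable footprint: PowerShell spawning msiexec.exe with a quiet switch against an MSI in a user-writable directory, followed by an unsigned DLL being loaded into that same msiexec process rather than a new child process. The following detection rule is an added example, not code from the original post or from ManageEngine; it runs over Sysmon-style process-creation and image-load events whose values are constructed here, including the DLL name update.dll.

```python
# Added example: flag the LNK -> PowerShell -> msiexec /qn -> in-process DLL chain.
# Event fields follow Sysmon (EventID 1 ProcessCreate, EventID 7 ImageLoad);
# every sample value below is constructed for illustration.
import re

QUIET = re.compile(r"(^|\s)/(qn|quiet|qb|passive)\b", re.I)     # msiexec silent switches
USER_WRITABLE = re.compile(r"\\(AppData|Downloads|Desktop|ProgramData|Temp)\\", re.I)
POWERSHELL = ("\\powershell.exe", "\\pwsh.exe")

def quiet_msi_from_user_path(cmdline: str) -> bool:
    """True for an msiexec command that quietly installs a .msi from a user-writable directory."""
    low = cmdline.lower()
    return ("msiexec" in low and ".msi" in low
            and bool(QUIET.search(cmdline)) and bool(USER_WRITABLE.search(cmdline)))

def detect(events):
    """Return one finding per msiexec process showing at least two of the three traits."""
    findings = []
    for e in events:
        if e["EventID"] != 1 or not e["Image"].lower().endswith("\\msiexec.exe"):
            continue
        reasons = []
        if quiet_msi_from_user_path(e["CommandLine"]):
            reasons.append("quiet MSI install from user-writable path")
        if e["ParentImage"].lower().endswith(POWERSHELL):
            reasons.append("msiexec spawned by PowerShell")
        # SelfReg registration runs DllRegisterServer inside msiexec itself, so there is
        # no child process to catch: look for an unsigned DLL loaded from a user path.
        for load in events:
            if (load["EventID"] == 7 and load["ProcessGuid"] == e["ProcessGuid"]
                    and USER_WRITABLE.search(load["ImageLoaded"]) and load["Signed"] != "true"):
                reasons.append("unsigned DLL loaded in-process: " + load["ImageLoaded"])
                break
        if len(reasons) >= 2:
            findings.append({"pid": e["ProcessId"], "reasons": reasons})
    return findings

SAMPLE_EVENTS = [  # constructed: one malicious chain (g1), one benign managed install (g2)
    {"EventID": 1, "ProcessGuid": "g1", "ProcessId": 4120, "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"msiexec.exe /qn /i C:\Users\alice\AppData\Local\Temp\y.msi"},
    {"EventID": 7, "ProcessGuid": "g1", "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\update.dll",
     "Signed": "false"},
    {"EventID": 1, "ProcessGuid": "g2", "ProcessId": 5200, "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\CCM\CcmExec.exe",
     "CommandLine": r"msiexec.exe /qn /i C:\Windows\ccmcache\1a\agent.msi"},
    {"EventID": 7, "ProcessGuid": "g2", "ImageLoaded": r"C:\Windows\System32\msi.dll", "Signed": "true"},
]
```

Requiring two of the three traits keeps routine quiet installs pushed by management agents out of the alert queue while still catching the chain even when the DLL happens to be signed.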

Indicators of compromise

Indicator | Description
hxxps[:]//1drv[.]ms/w/s!At-ya4h-odvFe-M3JKvLzB19GQA?e=djPGy | Example URL in email
hxxps[:]//1drv[.]ms/w/s!AuSuRB5deTxugQ-83_HzIqbBWuE1?e=9f2plW | Example URL in email
0cef17ba672793d8e32216240706cf46e3a2894d0e558906a1782405a8f4decf | SHA256 of example Word document downloaded from OneDrive
86a7da7c7ed5b915080ad5eaa0fdb810f7e91aa3e86034cbab13c59d3c581c0e | SHA256 of example Word document downloaded from OneDrive
2bc95ede5c16f9be01d91e0d7b0231d3c75384c37bfd970d57caca1e2bbe730f | SHA256 of the script dropped by the Word macro in the %TEMP% folder
hxxp[:]//213[.]139.205.131/update_ver | URL used by the script in the %TEMP% folder to download the next stage
hxxp[:]//213[.]139.205.131/w_ver.dat | URL used by the second-stage PowerShell to download the Bumblebee DLL
c34e5d36bd3a9a6fca92e900ab015aa50bb20d2cd6c0b6e03d070efe09ee689a | SHA256 of the w_ver.dll file (Bumblebee)
q905hr35[.]life | Active Bumblebee C2 domain on Feb 8
49.13.76[.]144:443 | Active Bumblebee C2 IP on Feb 8

4. How can ManageEngine save you from attacks? 

We can help by empowering you with the right tools to combat Bumblebee and any other malware out there. How? Well, ManageEngine EventLog Analyzer stands out as a powerful ally for organizations, equipped with sophisticated event correlation and threat analytics capabilities.

EventLog Analyzer is a security information and event management (SIEM) solution that excels at detecting, alerting on, and preventing a wide range of cyber threats, including malware like Bumblebee.

When the event correlation tool detects an unusual pattern—such as a series of failed login attempts followed by a successful access from a malicious IP address—it raises a red flag, signaling a potential compromise of user credentials.

It also tracks atypical user behaviors, like the sudden creation of new accounts or login attempts during odd hours, scrutinizing these deviations as possible signs of infiltrating malware.

Its cross-device correlation is akin to weaving a complex tapestry of information, revealing sophisticated, multi-vector attacks that Bumblebee might employ to exfiltrate confidential data or spread through the network undetected.

Picture it as a vigilant detective, meticulously examining logs from a multitude of devices—from firewalls and routers to servers and workstations.

Threat analytics

EventLog Analyzer’s threat analytics module is the superhero of cybersecurity, expertly detecting threats while reducing false positives—a must when tackling malware like Bumblebee.

It also monitors malicious IPs and includes Dark Web scanning, which can identify instances of data breaches involving specific domains that are configured within the product. This configuration is done by setting up and registering the domains of interest in the EventLog Analyzer interface. Once configured, the product continuously monitors these domains for any suspicious activity, alerting security teams if signs of a potential data breach are detected.

When trouble strikes, automated workflows spring into action, blocking malicious IPs quickly.

Check out EventLog Analyzer to learn more.