
Conti has a New Toy as Bumblebee Malware Replaces BazarLoader

April must be the month for new malware tools to be released, or at least announced. We have already heard about new forms of attack/infection from the group behind Emotet, and now we hear that Conti has replaced BazarLoader with new malware tracked as Bumblebee. The newly disclosed malware is also under active development, with multiple new features showing up this month.

Researchers have been expecting to see a new tool from Conti for a while, ever since the group integrated the TrickBot team into its regular operations. Now they are seeing the new toy showing up in phishing campaigns, while the use of BazarLoader (the previous tool) has dropped off the edge of the earth. The tool, again according to current research, is the work of TrickBot developers. What is interesting from a threat landscape perspective is that the new tool was identified by multiple threat research groups and is being used by more than one potential Initial Access Broker (IAB) as a direct replacement for BazarLoader and IcedID.

The new campaigns using Bumblebee are a bit different as well, with distribution methods leveraging ISO files that contain the Bumblebee malware. Researchers have also observed the ISO files hosted inside Microsoft’s OneDrive. While the delivery method might be a bit of a departure, the lures seem to follow established lines. They entice the user with fake invoices (now often a link and not a macro pivot) and other documents that a user might be curious about opening. Researchers are relatively certain that the activity comes from different Initial Access Brokers that work with existing ransomware groups.

Bumblebee itself is a very sophisticated offering that researchers say is still under active development (which makes it even more impressive). It clearly utilizes some of the same hooks and techniques as TrickBot. The developers have also incorporated anti-analysis code and possibly even some of Trusteer’s Rapport security software, in the form of DLLs that match the naming convention (RapportGP.dll). Meanwhile, the new malware uses an evasion technique for that very same software that is similar to the one TrickBot uses.

Active and rapid development efforts are nothing new and have been observed as part of normal activity. The changes and emerging tactics are interesting and do provide a window into how cybercriminal groups operate and how they evolve based on security changes and improvements in their target pool. This type of information is vital for organizations to properly plan to reduce the risk of impact as the TTPs change. The problem is that far too many organizations are not designed to make rapid changes in security tools and configurations. That leaves a window of exposure while budgets are proposed and/or change control groups debate the need vs. the risk. This window is all an attacker needs to gain their foothold and, once in, well, the game is on for them. Meanwhile, blue and purple teams need to be right all the time while often being restricted in what they can do proactively. It is not a fun spot to be in…

Sean Kalinich
