[MART] - Daily Diary #499 - Bumblebee Malware Replaces BazaLoader in CyberAttacks

CTAS-MAT ctas-mat at appgate.com
Thu Apr 28 20:19:10 UTC 2022


Hello,
I hope everyone is doing well!

Below is the entry for today.

04/28/2022 - Diary entry #499

In our Daily Diaries #457, #271, and #131, we covered Conti Ransomware operations. Being one of the most dangerous malware operations currently active, Conti uses several malware components to launch its cyberattacks, including BazaLoader, a lightweight downloader used as an initial infection vector. BazaLoader is offered as Malware-as-a-Service and has been found in campaigns from different threat actors, usually spread via spam.

Recent campaigns, disclosed this month, were found replacing BazaLoader with a new malware piece as the infection vector. Named Bumblebee, the threat targets Windows systems using a highly obfuscated DLL and advanced anti-analysis techniques. Upon execution, the binary unpacks a second-stage payload and sets in-memory hooks that trigger an unusual execution flow to disguise the malicious functions. Bumblebee also reuses code from the al-khaser project to detect virtualized environments and halt execution on analysis machines and sandboxes. The malware additionally iterates over the imported functions in process memory to check for hooks set by security software or analysis tools, restoring the original references so that its functions cannot be monitored through API hooks.

The threat actors behind Bumblebee are associated with several ransomware campaigns, and were also found delivering other threats, such as IcedID (covered in our Daily Diary #493), KPOT Stealer (covered in our Daily Diary #146) and Cobalt Strike Beacon.

Bumblebee is a very advanced threat and a good example of the dangers of malware-as-a-service. Because it is so advanced and not trivial to detect, we expect Bumblebee to be adopted by many more threat actor groups.

Kind Regards,

Felipe Duarte Domingues
Security Researcher
Appgate

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>

