Bumblebee

Malware updated 3 months ago (2024-05-30T12:17:38.030Z)
Bumblebee is a malware loader linked to ITG23, a cybercriminal group whose crypters have been used with malware families such as Emotet, IcedID, Qakbot, Bumblebee, and Gozi. Distributed via phishing campaigns or compromised websites, Bumblebee downloads and executes further payloads. The same self-signed certificate values seen in Bumblebee have also been observed in the HTTPS C2 traffic of other malware families. Over the past year, these crypters have been applied to the same initial access malware previously used in ITG23 attacks.

Between May 27 and 29, 2024, an international law enforcement operation coordinated by Europol, codenamed Operation Endgame, targeted malware droppers including Bumblebee. Infections typically began with a shortcut file such as "DOCUMENT.LNK" or "ATTACHME.LNK", or a DLL such as "neqw.dll", which, when executed, started the Bumblebee downloader. Of nearly 230 Bumblebee campaigns identified since March 2022, only five used macro-laden content: four used XL4 macros and one used VBA macros.

Earlier Bumblebee campaigns used emails with zipped, password-protected VBS attachments which, if executed, used PowerShell to download and run the loader, or emails carrying zipped LNK files that downloaded an executable to start Bumblebee. Some campaigns sent emails containing URLs that led to the download of a DLL which, if executed, started Bumblebee. Researchers have urged organizations to watch for these email campaign hallmarks and assess with high confidence that Bumblebee is used as an initial access facilitator for follow-on payloads such as ransomware.
Description last updated: 2024-05-30T12:16:30.473Z
Aliases: none currently tracked
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Loader
Ransomware
Malware Loader
Exploit
Cobalt Strike
Payload
Phishing
Botnet
Downloader
Proofpoint
Windows
Associated Malware
ID | Type | Votes | Profile Description
IcedID | Unspecified | 7 | IcedID is a malicious software (malware) that has been linked to various cybercrime operations. The malware can infiltrate systems via suspicious downloads, emails, or websites and proceed to steal personal information, disrupt operations, or hold data for ransom. IcedID has been associated with oth
QakBot | Unspecified | 4 | Qakbot is a type of malware that has been linked to various cybercriminal activities, with its presence first observed as early as 2020. It gained notoriety for its role in the operations of the Black Basta ransomware group, which used Qakbot extensively in sophisticated phishing campaigns. The malw
TrickBot | Unspecified | 4 | TrickBot is a notorious malware that has been used extensively by cybercriminals to exploit and damage computer systems. It operates as a crimeware-as-a-service platform, infecting systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can stea
Bazarloader | Unspecified | 3 | BazarLoader is a form of malware that has been utilized extensively by ITG23, a cybercriminal group. This harmful software infiltrates systems via suspicious downloads, emails, or websites, potentially stealing personal information, disrupting operations, or holding data for ransom. ITG23 has used B
Conti | has used | 3 | Conti is a notorious malware and ransomware operation that has caused significant damage to computer systems worldwide. The Conti group, believed to have around 200 employees, operated like a regular business, with internal communications revealing the organization's structure and operations. It was
Hive | Unspecified | 2 | Hive is a malicious software (malware) that has been used by the cybercriminal group, Hunters International, to launch ransomware attacks since October of last year. The group operates as a ransomware-as-a-service (RaaS) provider, spreading Hive rapidly through collaborations with less sophisticated
Smokeloader | Unspecified | 2 | Smokeloader is a malicious software (malware) that has been utilized by threat actors, specifically Phobos actors, to embed ransomware as a hidden payload. This malware, acting as a loader for other malware, infects systems through suspicious downloads, emails, or websites, often without the victim'
Diavol | Unspecified | 2 | Diavol is a type of malware, specifically ransomware, that infiltrates systems to exploit and cause damage. It can infect systems through various channels such as suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Diavol can steal personal information, disrupt ope
Truebot | Unspecified | 2 | Truebot is a highly potent malware used by the threat actor group CL0P, which has been linked to various malicious activities aimed at exploiting and damaging computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once embedded,
Raspberry Robin | Unspecified | 2 | Raspberry Robin is a sophisticated piece of malware that uses a variety of tactics to infiltrate and exploit computer systems. It employs the CPUID instruction to conduct several checks, enabling it to assess the system's characteristics and vulnerabilities. Furthermore, Raspberry Robin has been obs
Meterpreter | Unspecified | 2 | Meterpreter is a type of malware that is part of the Metasploit penetration testing software. It serves as an attack payload and provides an interactive shell, allowing threat actors to control and execute code on a compromised system. Advanced Persistent Threat (APT) actors have created and used a
Pikabot | Unspecified | 2 | PikaBot is a malicious software (malware) known for providing initial access to infected computers, enabling ransomware deployments, remote takeovers, and data theft. It's part of an array of malware families such as IcedID, Qakbot, Gozi, DarkGate, AsyncRAT, JinxLoader, among others, which have been
Anchor | Unspecified | 2 | Anchor is a type of malware, a malicious software designed to exploit and damage computer systems. It often infiltrates systems through suspicious downloads, emails, or websites, and can lead to theft of personal information, disruption of operations, or even ransom attacks on data. Anchor has been
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2023-38831 | Unspecified | 2 | CVE-2023-38831 is a critical vulnerability identified in the WinRAR software, with a CVSS score of 7.8, indicating high severity. This flaw in software design or implementation has been exploited to disseminate the LONEPAGE malware through ZIP files using an exploit known as UAC-0099. The vulnerabil
CVE-2022-31199 | Unspecified | 2 | CVE-2022-31199 is a critical remote code execution (RCE) vulnerability discovered in Netwrix Auditor, a widely-used software for on-premises and cloud-based IT system auditing. This flaw in the software's design or implementation allows cyber threat actors to exploit it and gain unauthorized access
Source Document References
Information about the Bumblebee malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created | Title
Checkpoint | 3 months ago | 3rd June – Threat Intelligence Report - Check Point Research
BankInfoSecurity | 3 months ago | European Police Take Down Botnet Servers, Make Arrests
Securityaffairs | 3 months ago | Operation Endgame, the largest law enforcement operation ever against botnets
DARKReading | 7 months ago | Bumblebee Malware Buzzes Back on the Scene After 4-Month Hiatus
MITRE | 9 months ago | Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike
SecurityIntelligence.com | 10 months ago | ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups
CERT-EU | 10 months ago | The New APT Group DarkCasino and the Global Surge in WinRAR 0-Day Exploits
CERT-EU | a year ago | Qakbot Hackers Delivering Ransomware Despite FBI Takedown
CERT-EU | a year ago | New ASMCrypt malware loader detailed
CERT-EU | a year ago | RagnarLocker Ransomware, LokiLocker Ransomware, and More: Hacker’s Playbook Threat Coverage Round-up: September 27th, 2023
Securityaffairs | a year ago | Security Affairs newsletter Round 438 by Pierluigi Paganini
CERT-EU | a year ago | Bumblebee Malware Abuses WebDAV Protocol to Attack Organizations
CERT-EU | a year ago | Bumblebee Loader Resurfaces in New Campaign
CERT-EU | a year ago | 3 Malware Loaders Detected in 80% of Attacks: Security Firm
CERT-EU | a year ago | More sophisticated Rilide stealer version emerges
CERT-EU | a year ago | New Version of Rilide Data Theft Malware Adapts to Chrome Extension Manifest V3
CERT-EU | a year ago | New Version of Rilide Data Theft Malware Adapts to Chrome Extension Manifest V3
InfoSecurity-magazine | a year ago | New WikiLoader Malware Goes to Extreme Lengths to Hide
CERT-EU | a year ago | Truebot RCE attacks exploit critical Netwrix Auditor bug
CERT-EU | a year ago | Cybersecurity Agencies Sound Alarm on Rising TrueBot Malware Attacks