Cybercriminal actors previously observed delivering BazaLoader and IcedID as part of their malware campaigns are said to have transitioned to a new loader called Bumblebee that’s under active development.
“Based on the timing of its appearance in the threat landscape and use by multiple cybercriminal groups, it is likely Bumblebee is, if not a direct replacement for BazaLoader, then a new, multifunctional tool used by actors that historically favoured other malware,” enterprise security firm Proofpoint said in a report shared with The Hacker News.
Campaigns distributing the new highly sophisticated loader are said to have commenced in March 2022, while sharing overlaps with malicious activity leading to the deployment of Conti and Diavol ransomware, raising the possibility that the loader could act as a precursor for ransomware attacks.
“Threat actors using Bumblebee are associated with malware payloads that have been linked to follow-on ransomware campaigns,” the researchers said.
Besides featuring anti-virtualization checks, Bumblebee is written in C++ and is engineered to act as a downloader for retrieving and executing next-stage payloads, including Cobalt Strike, Sliver, Meterpreter, and shellcode.
images from Hacker News