New Bumblebee Loader Infection Chain Signals Possible Resurgence
Essential information
- Published
- 21/10/2024 10:59
- Modified
- 21/10/2024 11:24
- Tags
- 2024-10-21 bumblebee cobalt strike darkgate icedid in-memory execution infection chain latrodectus lnk loader msi phishing pikabot stealth
- Related entities
- 11 observables, 8 techniques (mitre), 6 malware
Description
A new infection chain for the Bumblebee loader malware has been discovered, potentially indicating its resurgence after Operation Endgame. The sophisticated downloader, first identified in March 2022, is used by cybercriminals to access corporate networks and deliver payloads like Cobalt Strike beacons and ransomware. The infection likely begins with a phishing email containing a ZIP file with an LNK file. When executed, it triggers a series of events to download and execute the Bumblebee payload in memory. The new approach uses MSI files disguised as Nvidia and Midjourney installers, employing a stealthier method to avoid creating new processes and writing the payload to disk. This technique differs from previous campaigns and demonstrates the evolving tactics of the threat actors behind Bumblebee.