A new malware loader, dubbed Bumblebee, has been tracked by Proofpoint. The loader is being used by at least three different threat clusters linked with ransomware operations.

Diving into details

  • Most likely developed by the Conti gang, Bumblebee is designed to replace the BazarLoader backdoor (aka BazaLoader).
  • BazarLoader has not come under the researchers’ radar since February, which coincides with Bumblebee’s emergence.
  • Several cybercriminal groups that typically used BazarLoader in their campaigns have shifted to this new malware loader.
  • Threat actors are using various techniques to deliver this loader. Although file names, lures, and delivery methods usually differ, the campaigns share similarities such as the use of ISO files containing shortcut files and DLLs.
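
The ISO-with-shortcut-and-DLL delivery pattern above leaves a recognizable trace in endpoint telemetry: a user opens the shortcut from Explorer, and a DLL host such as rundll32.exe or regsvr32.exe loads a DLL that sits at the root of a freshly mounted drive letter rather than under the Windows or Program Files trees. The following is an added detection example written for this summary, not code from Proofpoint or from any Bumblebee sample; the event records, drive letters, file names and the score threshold are all constructed assumptions, and the field names only loosely mirror Sysmon process-creation events.

```python
import re
from dataclasses import dataclass, field

# Constructed process-creation events in a simplified Sysmon-like shape.
# They are illustrative only, not telemetry from any real campaign.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe E:\invoice.dll,ExportedEntry"},
    {"id": 2, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"id": 3, "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Program Files\Vendor\component.dll"},
    {"id": 4, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s D:\setup.dll"},
    {"id": 5, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Notepad++\notepad++.exe",
     "cmdline": r'"C:\Program Files\Notepad++\notepad++.exe" E:\readme.txt'},
]

# Signed Windows binaries commonly used to host a DLL.
LOADER_HOSTS = {"rundll32.exe", "regsvr32.exe"}
# First drive-letter path ending in .dll; stops at a comma or quote, allows spaces.
DLL_PATH = re.compile(r'([A-Za-z]:\\[^,"]+?\.dll)', re.IGNORECASE)
# Locations where a legitimately installed DLL is expected to live.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")


@dataclass
class Finding:
    event_id: int
    dll_path: str
    reasons: list = field(default_factory=list)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyse(event):
    """Score one event; return a Finding when at least two indicators line up."""
    if basename(event["image"]) not in LOADER_HOSTS:
        return None
    match = DLL_PATH.search(event["cmdline"])
    if not match:
        return None
    dll = match.group(1)
    low = dll.lower()
    reasons = []
    if not low.startswith(TRUSTED_PREFIXES):
        reasons.append("dll outside Windows/Program Files")
    # Mounted ISO contents appear directly under a new drive letter, so a DLL
    # at a drive root is unusual for legitimately installed software.
    if re.fullmatch(r"[a-z]:\\[^\\]+", low):
        reasons.append("dll at drive root (mounted image or removable media)")
    if basename(event["parent"]) == "explorer.exe":
        reasons.append("spawned from explorer.exe (user opened a file or shortcut)")
    if len(reasons) >= 2:
        return Finding(event["id"], dll, reasons)
    return None


def scan(events):
    """Run analyse() over a batch of events and keep only the findings."""
    return [f for f in (analyse(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding.event_id, finding.dll_path, "; ".join(finding.reasons))
```

On the constructed batch, events 1 and 4 are flagged (a DLL at a drive root, outside the trusted trees, launched from Explorer), while the shell32.dll control-panel call and the vendor DLL registered by a service are left alone. The two-indicator threshold is a tuning choice: requiring the Explorer parent alone would miss scheduled or scripted launches, while the drive-root check alone would also fire on legitimate USB media, so the combination is what keeps the rule usable.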

About Bumblebee

  • The malware is in active development and possesses complex evasion techniques.
  • Bumblebee uses asynchronous procedure call (APC) injection to start the shellcode once it receives commands from the C2.
  • The downloader also includes anti-virtualization checks and implements common downloader functionality in a novel way.
  • It has been observed deploying shellcode, Cobalt Strike, Meterpreter, and Sliver.

Why this matters

  • The emergence of Bumblebee and its use by multiple threat groups indicate a shift in the threat landscape.
  • The researchers assess with moderate confidence that the attackers using the loader may be initial access facilitators for ransomware actors.
  • BazarLoader disappeared at the same time as the Conti files were leaked online. The leaked Bumblebee files showed infrastructure related to BazarLoader.
  • The latest version of the malware, found on April 19, carries major updates: it now supports multiple C2 servers via a comma-delimited list, the sleep interval is randomized, and network communications are wrapped in an encryption layer.
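
Two of those updates matter directly for network detection: a randomized sleep interval defeats rules that look for an exact repeating period, and a comma-delimited C2 list lets the loader spread check-ins across several destinations, so a detector keyed on a single destination sees only part of the pattern. The following is an added example written for this summary, not Proofpoint's or the loader's own code; it groups outbound connections by process rather than by destination and tolerates jitter by testing the coefficient of variation of the gaps between connections. The events, the process names, the TEST-NET addresses (RFC 5737), the 60-second base period and the thresholds are all constructed assumptions.

```python
import statistics
from collections import defaultdict


def build_sample_events():
    """Constructed outbound-connection events as (time_s, process, destination).
    Invented for illustration; destinations come from RFC 5737 TEST-NET ranges."""
    events = []
    # A check-in with a ~60 s base sleep plus a bounded offset, alternating
    # between two destinations as a comma-delimited C2 list would allow.
    offsets = [0, 6, -6, 3, -3, 9, -9, 4, -4, 1]
    c2_list = ["203.0.113.10", "198.51.100.22"]
    t = 0
    for i, off in enumerate(offsets):
        t += 60 + off
        events.append((t, "rundll32.exe", c2_list[i % 2]))
    # Interactive browsing: bursty, irregular gaps to one site.
    t = 5
    for gap in [0, 45, 1, 300, 7, 120, 3, 90, 15, 200]:
        t += gap
        events.append((t, "browser.exe", "192.0.2.40"))
    # A legitimate updater on a fixed schedule, but only three times in the window.
    for t in (100, 700, 1300):
        events.append((t, "updater.exe", "192.0.2.80"))
    return events


def interval_stats(timestamps):
    """Return (gaps, coefficient_of_variation) for a list of timestamps."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return gaps, None
    mean = statistics.mean(gaps)
    cv = statistics.stdev(gaps) / mean if mean else None
    return gaps, cv


def beacon_candidates(events, min_intervals=6, max_cv=0.3):
    """Return {process: (mean_gap_s, cv)} for processes whose outbound
    connections recur at a near-constant period, tolerating jitter up to max_cv.
    Grouping on the process (not the destination) keeps a C2 list together."""
    by_proc = defaultdict(list)
    for t, proc, _dest in events:
        by_proc[proc].append(t)
    flagged = {}
    for proc, ts in by_proc.items():
        gaps, cv = interval_stats(ts)
        # Too few samples give a meaningless CV, so short series are skipped.
        if len(gaps) >= min_intervals and cv is not None and cv <= max_cv:
            flagged[proc] = (statistics.mean(gaps), cv)
    return flagged


if __name__ == "__main__":
    for proc, (mean_gap, cv) in beacon_candidates(build_sample_events()).items():
        print(f"{proc}: mean gap {mean_gap:.1f}s, cv {cv:.2f}")
```

On the constructed data only rundll32.exe is reported, with a mean gap close to 60 s and a CV below 0.2 despite the jitter; the browser's gaps vary too widely, and the updater has too few connections in the window to judge. The max_cv knob is the trade-off: a wider tolerance catches heavier randomization at the cost of more false positives from genuinely periodic software such as updaters and telemetry agents, which is why an allow-list of known schedulers normally sits in front of a rule like this.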

The bottom line

The sophisticated malware downloader Bumblebee is still under active development. By replacing BazarLoader, it has quickly become a multifunctional tool used by multiple threat groups. The introduction of this malware highlights how readily threat actors can shift the threat landscape by adopting new tooling.

Cyware Publisher