Bumblebee is a recently developed malware loader that has quickly become a favorite among cybercriminals. Symantec researchers found that the Bumblebee loader has replaced several older loaders, and it has been connected to various ransomware operations.

Diving into details

  • Bumblebee has been linked to ransomware operations by Conti, Quantum, and MountLocker, which indicates that the loader now sits at the forefront of the ransomware ecosystem. 
  • The researchers also suspect that Bumblebee has been adopted as a replacement for BazarLoader and Trickbot, given the overlaps observed in recent activity involving Bumblebee. 

Why this matters

  • Because Bumblebee replaced several loaders at once, the transition appears to have been planned in advance and carried out by established actors.
  • The loader gives threat actors a backdoor into the compromised system, letting them run commands and take control of it. 
  • The variant of AdFind, a publicly available tool for querying Active Directory, seen in the latest Bumblebee attacks was previously used alongside Cobalt Strike to deploy Avaddon ransomware in May 2021.
  • The same AdFind variant appeared in an attack in May this year alongside the AnyDesk and Splashtop remote access tools; that attack also deployed the LaZagne and Mimikatz credential-theft tools together with NetScan.

Use of legitimate tools

Beyond the Bumblebee connection, these ransomware operations share a heavy reliance on legitimate software. Remote access tools such as Atera, AnyDesk, Splashtop, and ConnectWise appear frequently, Rclone is widely used for data exfiltration, and AvosLocker ransomware has been observed using the PDQ Deploy software deployment tool in its attacks. Because such tools are often sanctioned in the environment, their presence alone is not conclusive; what stands out is the combination and timing of reconnaissance, credential theft, remote access, and exfiltration tooling on the same host.
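The tool chain described in "Why this matters" (AdFind, Cobalt Strike, AnyDesk, Splashtop, LaZagne, Mimikatz, NetScan) and the dual-use software listed above turn into a hunt once you correlate them per host. The following is an added example written for this page, not code from Symantec or Cyware. It assumes a simplified pipe-separated process-creation record (timestamp|host|image|cmdline) standing in for Sysmon Event ID 1 or EDR telemetry, and the command-line tokens it matches ("objectcategory=", "sekurlsa") are typical AdFind and Mimikatz usage chosen here as an assumption, not indicators the article gives. The log lines are constructed for illustration.

```python
"""Hunt for dual-use ransomware tooling in process-creation logs.

Added example, not Symantec's or Cyware's code. Record format assumed:
    timestamp|host|image|cmdline
Sample log lines below are constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Substrings matched against the lowercased image path and command line.
# Tool names are those the article lists. The command-line tokens
# ("objectcategory=" for AdFind, "sekurlsa" for Mimikatz) are an assumption
# about typical usage; they matter because attackers rename the binaries.
SIGNATURES = {
    "adfind": "ad_recon",
    "objectcategory=": "ad_recon",
    "netscan": "network_scan",
    "mimikatz": "credential_theft",
    "sekurlsa": "credential_theft",
    "lazagne": "credential_theft",
    "rclone": "exfiltration",
    "anydesk": "remote_access",
    "splashtop": "remote_access",
    "atera": "remote_access",
    "connectwise": "remote_access",
    "pdqdeploy": "deployment",
}

WINDOW = timedelta(hours=24)  # assumed correlation window

# Constructed sample: AdFind and Mimikatz run under renamed binaries on one
# workstation, followed by Rclone; a server has a sanctioned AnyDesk service.
SAMPLE_LOG = """\
2022-06-01T09:12:00|WS-FIN-07|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs
2022-06-01T09:40:15|WS-FIN-07|C:\\Users\\Public\\af.exe|af.exe -f objectcategory=computer -csv name cn
2022-06-01T10:05:42|WS-FIN-07|C:\\Users\\Public\\x64.exe|x64.exe privilege::debug sekurlsa::logonpasswords exit
2022-06-01T11:30:09|WS-FIN-07|C:\\ProgramData\\rclone.exe|rclone.exe copy D:\\Share remote:backup --transfers 8
2022-06-01T08:00:00|SRV-APP-02|C:\\Program Files\\AnyDesk\\AnyDesk.exe|AnyDesk.exe --service
2022-06-01T08:30:00|WS-HR-03|C:\\Program Files\\Mozilla Firefox\\firefox.exe|firefox.exe
this line is malformed
"""


def classify(image, cmdline):
    """Return the set of tool categories a single process record matches."""
    haystack = (image + " " + cmdline).lower()
    return {cat for needle, cat in SIGNATURES.items() if needle in haystack}


def parse_line(line):
    """Parse 'timestamp|host|image|cmdline'; return None for malformed lines."""
    parts = line.strip().split("|", 3)
    if len(parts) != 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts, parts[1], parts[2], parts[3]


def hunt(lines, window=WINDOW):
    """Group hits per host and rate each host by the number of distinct
    tooling categories seen within `window` of that host's first hit.

    Returns {host: {"priority": str, "categories": [..], "hits": [image, ..]}}.
    Hosts with no matching records are omitted.
    """
    per_host = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed records rather than abort the hunt
        ts, host, image, cmdline = rec
        cats = classify(image, cmdline)
        if cats:
            per_host[host].append((ts, cats, image))

    report = {}
    for host, hits in per_host.items():
        hits.sort(key=lambda h: h[0])
        first_ts = hits[0][0]
        in_window = [h for h in hits if h[0] - first_ts <= window]
        cats = set().union(*(h[1] for h in in_window))
        # Three categories, or credential theft plus exfiltration, is the
        # recon -> credentials -> exfiltration chain the article describes.
        if len(cats) >= 3 or {"credential_theft", "exfiltration"} <= cats:
            priority = "high"
        elif len(cats) == 2:
            priority = "medium"
        else:
            priority = "low"
        report[host] = {"priority": priority, "categories": sorted(cats),
                        "hits": [h[2] for h in in_window]}
    return report


if __name__ == "__main__":
    for host, entry in hunt(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: {entry['priority']} {entry['categories']}")
```

In the constructed sample the renamed AdFind (af.exe) and Mimikatz (x64.exe) binaries are caught only by their command lines, which is the point of matching both fields. The lone AnyDesk service on the server scores low; in practice, sanctioned RMM installs should be allowlisted by path and signer so that only unexpected instances surface. The window here is measured from a host's first hit, a simplification; a production rule would use a sliding window and feed the result into the high-priority triage the article recommends for Bumblebee infections.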

The bottom line

Bumblebee’s connections with so many high-profile ransomware attacks suggest that it is at the heart of the cybercrime landscape. Symantec stated that an organization that finds a Bumblebee infection on its systems should treat it as a high priority, since it could be the precursor to a damaging ransomware attack.
Cyware Publisher