According to cybersecurity researchers, the Bumblebee loader is now a darling of the ransomware ecosystem.
A new malware loader has become an important component of ransomware attacks. The malware, which goes by the name Bumblebee, was recently analyzed by Symantec researchers. According to those researchers, Bumblebee is linked to ransomware operations such as Quantum, Conti, and Mountlocker, a clear indication that Bumblebee currently sits at the heart of the cybercrime community.
An attack involving Quantum has also shed some light on how cybercriminals use this new malware to deliver ransomware. It starts with a phishing email containing an ISO file, which conceals the Bumblebee loader. The loader then attacks the target machine once the victim opens the email.
Bumblebee acts as a backdoor that attackers use to access the victim's PC, allowing them to run commands and take control of other operations. Once they have that access, they can run Cobalt Strike to gain further control and collect as much information as they need from the machine. This information is then useful to cybercrime groups for whatever attack they intend to carry out.
Bumblebee then drops the Quantum ransomware payload, which encrypts important files on the compromised machine.
Researchers Connect Bumblebee to Previous Attacks
According to Kamble, a principal threat analysis engineer at Symantec, Bumblebee might have been launched as a loader replacement for TrickBot and BazarLoader, since there is an overlap between recent Bumblebee activity and earlier attacks that were linked to those loaders.
The link can be traced to the use of AdFind, a public tool for querying Active Directory that has been employed in other attacks in the past. Using an ISO file to attack a system was also the primary infection point for victims of previous attacks dating back to June 2021, when the technique was used by two threat groups, Conti and Ryuk.
Damage to Expect From Bumblebee Malware
Bumblebee functions as a downloader that runs malicious code and assists in loading Cobalt Strike and Meterpreter via DLL injection. Its tiny size makes it likely to become a preferred multi-functional tool for cybercriminals.
Bumblebee is often delivered through fake emails, such as the phishing attempt that impersonated DocuSign to lure victims by posing as an e-signature solutions firm. It may also arrive as malware-laden HTML attachments or as fraudulent links that take the user to a Microsoft OneDrive link hosting an ISO file, which contains the Bumblebee malware in the form of malicious shortcuts and DLL files.
Operators of the Bumblebee downloader are known to compromise a range of systems and then sell access to, and information from, the exploited computers. Like TrickBot, Bumblebee also uses a web-inject module and the same method of evasion.
Phishing is a recurring pattern across ransomware campaigns. In the instance outlined by researchers, the malware was delivered through a phishing message. However, ransomware gangs can also use phishing to steal usernames and passwords, especially for cloud-based services and applications.
This not only gives them access to networks; because they operate from an authentic (if compromised) account, the criminal activity is not detected as quickly, and often it is not noticed until it is too late and the ransomware attack has already begun.
How Organizations Can Protect Themselves from Bumblebee Malware
Although ransomware remains a problem for cybersecurity professionals, there are ways to protect against attacks. These include using multifactor authentication to stop attackers from gaining access to networks, and quickly applying security patches to prevent cybercriminals from exploiting known weaknesses.
It is equally important for businesses to know their networks and watch for unusual activity, since this can be the evidence that something is wrong, allowing security personnel to act before a full ransomware attack unfolds.
Source: HackerCombat