Summary
Bumblebee is a highly sophisticated downloader malware cybercriminals use to gain access to corporate networks and deliver other payloads such as Cobalt Strike beacons and ransomware. The Google Threat Analysis Group first discovered the malware in March 2022 and named it Bumblebee based on a User-Agent string it used.
The Netskope Threat Labs team discovered what seems to be a new infection chain leading to Bumblebee malware infection, and our findings corroborate those shared by other researchers.
In this blog post, we will analyze all the files involved in the chain until the execution of the Bumblebee payload.
Key findings
- This is the first occurrence of a Bumblebee campaign we have seen since Operation Endgame, an operation performed by Europol in May 2024 to disrupt the major malware botnets, such as Bumblebee, IcedID, and Pikabot.
- The infection chain used to deliver the final payload is not new, but this is the first time we have seen it being used by Bumblebee.
- These activities might indicate the resurfacing of Bumblebee in the threat landscape.
Initial infection
The infection likely starts via a phishing email luring the victim to download a ZIP file and extract and execute the file inside it. The ZIP file contains an LNK file named “Report-41952.lnk” that, once executed, starts a chain of events to download and execute the final Bumblebee payload in memory, avoiding the need to write the DLL on disk, as observed in previous campaigns.
LNK and powershell again?
The usage of LNK files is very common in Bumblebee campaigns, either to download the next stage payloads or to directly execute files. In this case, the file is used as a downloader and is responsible for downloading and executing the next stage of the infection chain.
Once opened, the LNK file executes a Powershell command to download an MSI file from a remote server, renames it as “%AppData%\y.msi”, and