A new infection chain for the Bumblebee loader malware has been discovered, potentially indicating its resurgence after Operation Endgame. The sophisticated downloader, first identified in March 2022, is used by cybercriminals to access corporate networks and deliver payloads like Cobalt Strike beacons and ransomware. The infection likely begins with a phishing email containing a ZIP file with an LNK file. When executed, it triggers a series of events to download and execute the Bumblebee payload in memory. The new approach uses MSI files disguised as Nvidia and Midjourney installers, employing a stealthier method to avoid creating new processes and writing the payload to disk. This technique differs from previous campaigns and demonstrates the evolving tactics of the threat actors behind Bumblebee. Author: AlienVault
Related Tags:
in-memory-execution
infection-chain
T1553.002
T1218.010
LATRODECTUS
T1218.007
IcedID – S0483
Bumblebee – S1039
Cobalt Strike – S0154
Associated Indicators:
D1CABE0D6A2F3CEF5DA04E35220E2431EF627470DD2801B4ED22A8ED9A918768
2BCA5ABFAC168454CE4E97A10CCF8FFC068E1428FA655286210006B298DE42FB
C26344BFD07B871DD9F6BD7C71275216E18BE265E91E5D0800348E8AA06543F9
D3F551D1FB2C307EDFCEB65793E527D94D76EBA1CD8AB0A5D1F86DB11C9474C3
106C81F547CFE8332110520C968062004CA58BCFD2DBB0ACCD51616DD694721F
0AB5B3E9790AA8ADA1BBADD5D22908B5BA7B9F078E8F5B4E8FCC27CC0011CCE7
http://193.242.145.138/mid/w1/Midjourney.msi
http://193.176.190.41/down1/nvinstall.msi
193.176.190.41