I believe we talked about Bumblebee before. It seems from Proofpoint that it is back.
While the TTPs may differ, prior campaigns included:
- Emails that contained URLs leading to the download of a DLL which, if executed, started Bumblebee.
- Emails with HTML attachments that leveraged HTML smuggling to drop a RAR file. If executed, it exploited the WinRAR vulnerability CVE-2023-38831 to install Bumblebee.
- Emails with zipped, password-protected VBS attachments which, if executed, used PowerShell to download and execute Bumblebee.
- Emails that contained zipped LNK files to download an executable file. If executed, the .exe started Bumblebee.
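The four delivery chains above share a few observable traits at the mail gateway: a bare DLL or executable, an HTML attachment carrying a large embedded blob that the browser decodes and saves, a RAR archive, and a ZIP wrapping a VBS or LNK (sometimes password-protected). The triage helper below is an added example, not from the Proofpoint article or this blog; the sample attachments it builds are constructed inline, and the thresholds and indicator strings are my own assumptions rather than published signatures.

```python
import io
import re
import zipfile

# Magic bytes and file types that appear in the delivery chains listed above.
RAR_MAGIC = b"Rar!\x1a\x07"
SCRIPT_OR_LOADER = (".vbs", ".lnk", ".dll", ".exe")
# HTML smuggling heuristic (assumed thresholds): a long base64 run plus
# client-side decode/download hooks in the same page.
B64_BLOB = re.compile(rb"[A-Za-z0-9+/]{400,}={0,2}")
SMUGGLE_HOOKS = (b"atob(", b"new Blob(", b"download=", b"msSaveOrOpenBlob")

def flag_attachment(name: str, data: bytes) -> list:
    """Return the reasons an attachment matches the Bumblebee delivery patterns."""
    reasons = []
    lower = name.lower()
    if lower.endswith((".html", ".htm")):
        if B64_BLOB.search(data) and any(h in data for h in SMUGGLE_HOOKS):
            reasons.append("html-smuggling: embedded blob with client-side decode")
    elif data.startswith(RAR_MAGIC) or lower.endswith(".rar"):
        # The RAR chain relied on CVE-2023-38831; patched WinRAR removes that step.
        reasons.append("rar-archive: confirm WinRAR is patched for CVE-2023-38831")
    elif zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:  # general-purpose bit 0 = entry encrypted
                    reasons.append(f"zip-encrypted: {info.filename}")
                if info.filename.lower().endswith(SCRIPT_OR_LOADER):
                    reasons.append(f"zip-contains-script-or-loader: {info.filename}")
    elif lower.endswith(SCRIPT_OR_LOADER):
        reasons.append(f"bare-script-or-loader: {name}")
    return reasons

def build_samples() -> dict:
    """Constructed samples only: a zipped VBS, a smuggling-style HTML page, a benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.vbs", 'WScript.Echo "constructed sample"')
    html = b"<script>var p=atob('" + b"QUJD" * 200 + b"');</script>"
    return {"invoice.zip": buf.getvalue(), "invoice.html": html, "note.txt": b"plain"}

if __name__ == "__main__":
    for fname, blob in build_samples().items():
        print(fname, flag_attachment(fname, blob))
```

Each hit is a reason to quarantine for analyst review rather than a verdict; a real ZIP with an encrypted invoice or a legitimate HTML export can trip these heuristics too.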
This is why I think it is important to train folks: if a sender doesn't tell you what the link is for, or even what the attachment is, be suspicious. I recently saw an email that went all the way back to January that had a RAR file I tried to save and send over to VirusTotal. I think that my Malwarebytes picked it off.
While this is good, it could’ve also been bad as it could’ve stayed there untouched by the program.
Remember those password-protected files that claimed you needed to open them to fix something, or even to look at an invoice? Those are bad too.
Out of the nearly 230 Bumblebee campaigns identified since March 2022, only five used any macro-laden content; four campaigns used XL4 macros, and one used VBA macros.
There is no attribution at this time.
To read the entire article, see Bumblebee Buzzes Back in Black, which goes into much more detail than I can, since it isn't my writing. The list items came from the article itself.
Happy reading!