Bumblebee Malware Loader's Payloads Significantly Vary by Victim System

A new analysis of Bumblebee, a particularly pernicious malware loader that first surfaced this March, shows that its payload for systems that are part of an enterprise network is very different from its payload for standalone systems.

On systems that appear to be part of a domain — for example, systems that might share the same Active Directory server — the malware is programmed to drop sophisticated post-exploitation tools such as Cobalt Strike. On the other hand, when Bumblebee determines it has landed on a machine that is part of a workgroup — or peer-to-peer LAN — the payload generally tends to be banking and information stealers.

Different Malware

"While the victim’s geographical location didn't seem to have any effect on the malware behavior, we observed a very stark difference between the way Bumblebee behaves after infecting machines," Check Point said in a report this week based on a recent analysis of the malware.

"If the victim is connected to WORKGROUP, in most cases it receives the DEX command (Download and Execute), which causes it to drop and run a file from the disk," Check Point said. However, if the system is connected to an AD domain, the malware uses Download and Inject (DIJ) or Download shellcode and Inject (SHI) commands to download advanced payloads such as Cobalt, Strike, Meterpreter, and Silver.

Check Point's analysis adds to the growing volume of research around Bumblebee in the six months or so since researchers first observed the malware in the wild. The malware has garnered attention for several reasons. One of them is its relatively widespread use among multiple threat groups. In an April 2022 analysis, researchers from Proofpoint said they had observed at least three distinct threat groups distributing Bumblebee to deliver different second-stage payloads on infected systems, including ransomware such as Conti and Diavol. Google's threat analysis group identified one of the actors distributing Bumblebee as an initial access broker they are tracking as "Exotic Lily."

Proofpoint and other security researchers have described Bumblebee as being used by threat actors previously associated with BazaLoader, a prolific malware loader that among other things masqueraded as a movie-streaming service, but which disappeared from the scene in February 2022.

A Sophisticated and Constantly Evolving Threat

Another reason for the attention that Bumblebee has attracted is what security researchers have said is its sophistication. They have pointed to its anti-virtualization and anti-sandbox checks, its encrypted network communications, and its ability to check running processes for signs of malware analysis activity. Unlike many other malware tools, the authors of Bumblebee have also used a custom packer to pack or mask the malware when distributing it, Check Point said.

Threat actors have used different tactics to deliver Bumblebee. The most common has been to embed the DLL-like binary inside an ISO or VHD — or disk image — files and deliver it via a phishing or spear-phishing email. The malware is an example of how threat actors have started using container files to deliver malware now that Microsoft has disabled Office Macros — their previous favorite infection vector — from running by default on Windows systems.

Bumblebee's constant evolution has been another point of concern. In its report this week, Check Point noted how the malware has been in "constant evolution" over the past several months. As an example, the security vendor pointed to how its authors briefly switched from using ISO files to VHD format files with a PowerShell script before switching back to ISO. Similarly, until early July, Bumblebee's command and control servers only accepted only one infected victim from that same victim IP address. "This means that if several computers in an organization accessing the internet with the same public IP were infected, the C2 server will only accept the first one infected," Check Point said.

However, the authors of the malware recently turned that feature off, meaning Bumblebee's C2 servers can now communicate with multiple infected systems on the same network. Check Point theorized the malware's authors were initially just testing the malware and have now moved past that stage.

Check Point and other vendors such as Proofpoint have made indicators of compromise available for Bumblebee to help organizations detect and block the threat in their environment.