Attacks deploying the Bumblebee malware loader — linked to Trickbot developers and leveraged to deploy information-stealing and ransomware payloads — have been discovered more than four months after the disruption of the botnet.
The Bumblebee malware loader was identified alongside the IcedID, Trickbot, Pikabot, SystemBC, and SmokeLoader malware loaders as part of the international law enforcement effort Operation Endgame, BleepingComputer reports.
Threat actors behind the latest intrusions delivered phishing emails with a malicious ZIP archive, which when executed, prompts the download of a malicious NVIDIA driver update or Midjourney installer-spoofing .MSI file, according to a Netskope analysis.
Stealthy execution of the file would be followed by the exploitation of the MSI structure's SelfReg table to load a DLL, which would eventually result in Bumblebee malware loader delivery in memory. Further analysis of the reemergent Bumblebee loader showed "NEW_BLACK" string utilization of the configuration decrypting RC4 key, as well as the presence of the new "msi" and "lnk001" campaign IDs, but no details about the payloads injected by Bumblebee were provided.
