Research Saturday 3.2.24
Ep 319 | 3.2.24

The return of a malware menace.


Dave Bittner: [ Music ] Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. [ Music ]

Selena Larson: Yeah, so Bumblebee is a pretty interesting malware. It's a downloader that is used by multiple cybercrime threat actors, and it really used to be a favorite payload from around March 2022 through October 2023, but then it kind of just fell out of our visibility, really disappeared from the threat landscape. So we went from a lot of Bumblebee to basically none of it.

Dave Bittner: That's Selena Larson. She's a senior threat intelligence analyst at Proofpoint. The research we're discussing today is titled "Bumblebee Buzzes Back in Black." [ Music ]

Selena Larson: And on February 8th, we actually identified a new campaign that reappeared delivering the Bumblebee payload. So it's really interesting to kind of see this reappearance from a malware that was pretty popular and then kind of fell out of favor.

Dave Bittner: Well, let's go back and spend some time on the original Bumblebee. I mean, what was that about? What were its capabilities and who was it targeting?

Selena Larson: So Bumblebee is a fairly sophisticated downloader that is used by cybercrime actors to install additional payloads. So it can be used to deliver, for example, Cobalt Strike, which might lead to ransomware or other malicious payloads. And it's part of the malware family that kind of replaced BazaLoader. For those of you who have been following the e-crime landscape for a little bit, in 2022, BazaLoader just kind of went off the landscape and was replaced by Bumblebee. And so Bumblebee was used by a number of what we would consider initial access brokers. So oftentimes, these actors use malware that will then lead to follow-on ransomware activity. And Bumblebee is part of that sort of family of initial access broker malware. You have things like IcedID, Qbot, RIP Qbot, or not. [Laughing] Other types of malware that's often used to install ransomware. So it's pretty interesting to see it kind of pop back up on the threat landscape. And in this particular campaign, it wasn't using the TTPs that we had seen previously.

Dave Bittner: So why do you suppose that it had dropped off the radar for several months?

Selena Larson: That's a good question. We can't say with high confidence why it sort of disappeared. And I do want to point out that that was from our visibility, so email threat data. So it's entirely possible that there was activity that we just weren't seeing or weren't aware of. But as far as we know, it wasn't widely used to the extent that it had been previously. However, this disappearance did align with a number of other types of malware or threat actors kind of dropping off activity a little bit. Typically over the winter time frame, starting in November, kind of going especially through December and January, you see cybercriminals in the cybercrime landscape kind of ease up a little bit. So oftentimes, threat actors will take breaks. Sometimes this aligns with Russian Orthodox holidays, suggesting, you know, potentially where the threat actors might be celebrating holidays, taking vacations, kind of the same way that we do here in the US. And what we saw kind of across the landscape was this sort of decrease or drop off during those months. So Bumblebee fell off a little bit earlier; kind of back in October 2023 was the last appearance in our threat data. But it did kind of coincide with this sort of overall slump of cybercriminal threat activity. And its return, interestingly enough, also coincided with a return to activity from a lot of cybercriminal threat actors. So it kind of came back on the scene at the same time or around the same time as a lot of some of the other popular cybercrime activity that we've been tracking.

Dave Bittner: You know, that is interesting. Well, let's talk about the campaign that you saw gear up here in February. What is the process here that they're doing their thing?

Selena Larson: Yeah. So we saw, it came in via email, and the sender purported to send something that was related to a voicemail. And it says, you know, hey, you have a missed voicemail call from this individual. Click to listen to the voicemail. If the user clicked on that link, it was a OneDrive URL. And then this led to a Word document, which I thought was kind of interesting because the Word document didn't really align with a voicemail theme. Like the Word document looked like it was this, you know, personal electronics company branded document, whereas the lure itself was a voicemail. So that initially I thought was a little bit weird. But then the Word document itself actually used macros to lead to the installation of the Bumblebee malware via various scripts to actually install Bumblebee.

Dave Bittner: Now, you all point out in your research that this is a little unusual, the use of these macros?

Selena Larson: Yeah. So macro-enabled documents, whether attached directly to email or part of the overall attack chain, have really dropped off since Microsoft began disabling macros downloaded from the Internet by default. That was back in 2022. So throughout 2023, the use of macros significantly decreased. But if you look at Bumblebee campaigns specifically, we had seen nearly 230 campaigns, and only five of those used any sort of macro-related content, and four of them used Excel 4.0 macros. This one in particular used VBA macros. So those were using like Excel documents versus Word documents. So if you look at kind of the overall scope of macro use in attack chains, and even kind of narrowing just on the scope of Bumblebee, it was super unusual to see. And if we look at the e-crime landscape overall, and this pivot away from macro-enabled documents to deliver malware, fundamentally, they just don't really work anymore. It is possible to sort of enable them. And, you know, if a user is very convinced that they have to, you know, use these macros, there's ways to kind of do it. But for the most part, disabling macros downloaded from the Internet by default really put a wrench in pretty much the entire e-crime landscape. So we don't really see them all that much anymore. So their appearance in this particular campaign was pretty interesting. [ Music ]

Dave Bittner: We'll be right back. [ Music ] Yeah, it's interesting to me. I mean, when you look at, as you pointed out, you know, the kind of disconnect between the initial lure of a missed voicemail that goes to a Word document that doesn't really have anything to do with a voicemail, and then you combine that with the use of macros, which, as you point out, are a bit outdated, it makes me wonder, you know, is this campaign being run by the interns, [laughter] right? [ Laughter ]

Selena Larson: Well, so that's actually a good question, right? If we're thinking about from the attribution perspective, there were some characteristics of the campaign that appeared to align with a threat actor that we call TA579. But the other parts and characteristics in the attack chain and the use of macros and all that didn't align. So while some of it seems maybe familiar, we did not attribute this campaign to a known threat actor just because so many of the characteristics were so different. Right now, we are in a time of experimentation for cybercriminal threat actors. There's a lot of changes going on in the attack chain, a lot of trying new techniques, a lot of using different file types, using URLs to various file types, using different scripting files, kind of chaining things together. Even, using, you know, the use of various CVEs in attack chains. It's this kind of crazy Wild West of cybercrime. And although we didn't necessarily attribute this campaign to a specific threat actor, I think it kind of speaks to the overall climate where threat actors are trying new things that maybe some of us from the defense perspective might kind of scratch our heads and be like, oh, why is this happening? This is kind of weird. But, you know, they are trying to see what works and what they can get people to, you know, do and ultimately lead to malware installation.

Dave Bittner: But when you say "people are trying things," is that more than usual? Are you saying there's been an uptick in clever ways to see if you can get around things?

Selena Larson: Yeah, I would say so. I think the overall trend of iteration in attack chains and the time between new attack chains has definitely like decreased. Like, the tempo, operational tempo and the changes, the amount of changes have increased. And the time between threat actors doing things and making changes has decreased. So it's interesting from our perspective, right? Like, we saw the changes kind of begin after Microsoft disabled macros by default. And there was a wave of OneNote files, for example. And then there was this wave of LNKs. And then there was this wave of ISO and .rar files that kind of bypassed the Mark of the Web attributes. And then it kind of fractured where the landscape and various actors across the landscape started kind of doing their own thing. So right now it's not so much kind of this whole wave that all of the actors kind of follow and everyone's kind of trying the same thing. What we're seeing now is a little bit everyone's kind of trying things differently. And I think especially some of the major initial access broker players that we track, some of the sort of large e-crime families that do deliver payloads that could potentially lead to ransomware are the ones that are doing the most. They're the ones that appear to have the time, resources, capabilities, the operations level to try new things and switch things up. And what that ends up doing is forces defenders, forces detection engineers, forces those of us who are tracking these actors to make our own changes to defend against it. So it's been really interesting kind of seeing that happen and seeing, you know, the changes go. It's been a prolonged timeline I think that we're seeing a lot of this. It certainly started, you know, early 2023, but what's really occurred now is just constant change and lots of different and new techniques, which we might not have seen previously or weren't necessarily expecting.

Dave Bittner: So I mean, getting back to this specific campaign, ultimately, what does it look like they're after here?

Selena Larson: So we only know that they were attempting to install the Bumblebee Downloader. It's likely that they were trying -- that they would use that to download additional malware, potentially leading to ransomware. But I can't say with high confidence what the ultimate objective of this particular campaign was.

Dave Bittner: Gotcha. Well, what are your recommendations then? I mean, how do folks best go about protecting themselves?

Selena Larson: Yeah, that's a great question. I mean, from a fundamental perspective, right, like social engineering is still the way that people, the bad guys are trying to get people to engage with content or, you know, click on something malicious, download something malicious. And I think being wary of that and mindful of the different social engineering techniques, really popular lures. I mean, this one in particular, a voicemail theme, we've seen that with a number of different actors and clusters kind of using that sort of voicemail theme. I think, you know, to your point earlier, it's kind of interesting that, you know, this document didn't really match what the initial email lure was. And so that's a kind of a key thing that people can think about and look into. But also, you know, understanding sort of like defense in depth, right? And just being mindful of some of the decisions that you're making from a security perspective of like, okay, so let's say if this does happen and someone clicks on it, what then? Like, are there critical tools and controls in place to prevent this type of activity from happening? In this particular case, you know, the macros downloaded from the Internet by default might not be the most effective way from a threat actor perspective. But, you know, let's say if there was an actor that was delivering something via JavaScript, dropping a JavaScript file, ensuring that the end user, if they do click on it, it opens in a text file. So, you know, setting kind of rules within your organization to really ensure defense in depth. So even if something does go wrong, there are catches in place to make sure that it doesn't go farther.

Dave Bittner: Yeah, it's a really good point. I mean, it's, as you say, I mean, even if the whole notion of using macros isn't terribly effective right now, you still have a user who's clicking on links, right, to get you to that point. So you just need to be prepared, I guess.

Selena Larson: Yeah. And I think, you know, as we're kind of talking about the changes in the attack chains overall, there's also the mindful fact of social engineering, right? So the social engineering has to get better because people are having to click on more stuff in order to get to the payload, right? So the attack chains are a little bit longer. Click-to-install macros, this one-click, red button, deliver malware, just doesn't really work anymore. And so the attack chains are getting longer, meaning the social engineering and the initial sort of email or whatever the initial attack chain is has to get a little bit more clever to further entice people to click on that stuff. So I think from a social engineering perspective, definitely training users, making sure that they're mindful and aware of the very common techniques that are being used by these threat actors, including what the attachments are, what [ Music ] the attack chains look like, what types of files are they using, and how can we add, you know, certain restrictions or rules in place within an organization to prevent exploitation if unfortunately, a user might fall for something. [ Music ]

Dave Bittner: Our thanks to Selena Larson from Proofpoint for joining us. The research is titled, "Bumblebee Buzzes Back in Black." I have a link in the show notes. Selena Larson is also the host of the Discarded podcast. You should check that out. It's worth your time. [ Music ] The CyberWire Research Saturday podcast is a production of N2K Networks. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at This episode was produced by Liz Stokes. Our mixer is Elliot Peltzman. Our executive producers are Jennifer Eiben and Brandon Karp. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time. [ Music ]