Buzz Off or Buzz On? Bumblebee Malware Swarm Targets U.S. Orgs with Phishing Sting

Beware of bumbling Bumblebee malware buzzing back, phishing for a frenzy in the US. It’s no honey of a deal—just cybercrime getting back to business!

Hot Take:

Looks like Bumblebee’s back from sabbatical, and it’s brought souvenirs for thousands of organizations: phishing campaigns dressed as voicemails. Who knew malware needed a vacay? Maybe it just wanted to avoid the holiday email rush. But now, it’s primed to make 2024 the year of the cyber headache. Dust off those cybersecurity protocols, folks, it’s going to be a bumpy ride!

Key Points:

  • Bumblebee malware is buzzing again, targeting U.S. organizations with phishing campaigns pretending to be voicemails.
  • The malware, believed to be a pet project of the Conti and Trickbot family, is a notorious loader for nastier payloads like ransomware.
  • Despite Microsoft’s macro-blocking party, Bumblebee is still slipping through with VBA macros, because who doesn’t love a throwback?
  • The return marks a shift in technique, possibly aiming for the cyber equivalent of low-hanging fruit (outdated systems, anyone?).
  • Meanwhile, the cybercrime job market is booming as other malware families try to fill the shoes of the disrupted QBot.

CVE ID: CVE-2023-38831
CVE state: PUBLISHED
CVE assigner short name: mitre
CVE date updated: 10/23/2023
CVE description: RARLAB WinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The issue occurs because a ZIP archive may include a benign file (such as an ordinary .JPG file) and also a folder that has the same name as the benign file, and the contents of the folder (which may include executable content) are processed during an attempt to access only the benign file. This was exploited in the wild in April through October 2023.

Need to know more?

Voicemail Deceit Deluxe

Imagine checking your inbox and finding a voicemail notification from "info@quarlessa[.]com." Nope, it's not your long-lost auntie; it's Bumblebee in disguise, complete with a OneDrive URL and a document that screams "I'm not a macro, I swear." The document is like a Trojan horse's less sophisticated cousin, running a script to eventually download Bumblebee's DLL. And you thought voicemails were annoying before.

Macro Mania Throwback

Despite Microsoft's best efforts to slam the door on macros, Bumblebee is knocking with its VBA macro-laden documents. It's like malware's tribute to the '90s, but instead of frosted tips, we get a script file in the Windows temp folder. Perhaps Bumblebee is feeling nostalgic, or maybe it's just targeting that one office still running Windows 95.
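
Detection logic for the chain described above (an Office document whose macro runs a script file from the Windows temp folder), added here as an example and not taken from the original article or from any vendor report. Field names follow Sysmon process-creation events; the process lists, host names and sample events are constructed assumptions to tune per environment.

```python
import json
import re

# Assumption: Office parents and script interpreters worth flagging; tune per environment.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}
# Matches a per-user or system temp directory anywhere in the command line.
TEMP_PATH = re.compile(r"(\\appdata\\local\\temp\\|\\windows\\temp\\|%temp%)", re.IGNORECASE)

# Constructed sample events (Sysmon Event ID 1 style fields), not real telemetry.
SAMPLE_EVENTS = r'''
{"host":"ws-01","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","Image":"C:\\Windows\\System32\\wscript.exe","CommandLine":"wscript.exe C:\\Users\\alice\\AppData\\Local\\Temp\\sample.vbs"}
{"host":"ws-02","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","CommandLine":"WINWORD.EXE C:\\Users\\bob\\Documents\\notes.docx"}
{"host":"ws-03","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -NoProfile -File C:\\Scripts\\report.ps1"}
{"host":"ws-04","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\wscript.exe","CommandLine":"wscript.exe C:\\Users\\carol\\AppData\\Local\\Temp\\backup.vbs"}
{"host":"ws-05","ParentImage":"C:\\Program
'''

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Return the reasons an event looks like a macro-launched script; empty if none."""
    if basename(ev.get("ParentImage", "")) not in OFFICE_PARENTS:
        return []
    if basename(ev.get("Image", "")) not in SCRIPT_HOSTS:
        return []
    reasons = ["office_spawned_script_host"]
    if TEMP_PATH.search(ev.get("CommandLine", "")):
        reasons.append("script_in_temp")
    return reasons

def find_suspicious(lines):
    hits = []
    for line in lines.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or truncated records rather than abort the hunt
        reasons = score_event(ev)
        if reasons:
            hits.append((ev.get("host"), reasons))
    return hits

if __name__ == "__main__":
    for host, reasons in find_suspicious(SAMPLE_EVENTS):
        print(host, ",".join(reasons))
```

An Office parent alone is the primary signal; the temp-folder match raises confidence and helps separate macro-dropped scripts from sanctioned automation.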

Back to Malware School

Before its little hiatus, Bumblebee was all about innovation, using HTML smuggling and exploiting the hottest new vulnerabilities. Now, it's back to basics, maybe to stay under the radar or perhaps it's just part of its New Year's resolution to simplify. Either way, it's diversifying like a Wall Street portfolio.

The Cybercrime Job Fair

With QBot out of the picture, there's a gap in the malware market. Enter DarkGate, Pikabot, and Bumblebee, ready to hand out their resumes. They're spreading through phishing, malvertising, and even hitting up your Skype and Microsoft Teams. Cybercriminals are nothing if not resourceful. And with Bumblebee now back on the scene, they're probably throwing a welcome-back party (BYOB - Bring Your Own Botnet).

Pikabot's Simplified Comeback

Not to be outdone, Pikabot's also making a comeback with a less complex version. Maybe it's following the Marie Kondo method—keeping only what sparks cyber-joy. But don't let the simplicity fool you; it's still malware, eager to mess up your day and your data.
