Bumblebee malware returns to target hundreds of firms


Hackers have once again started using the Bumblebee malware in their campaigns to target victims across the globe, researchers have confirmed.

In a new report, cybersecurity pros Proofpoint said that after a four-month period of inactivity, they spotted threat actors deploying this malware variant in new campaigns.

The researchers began observing a campaign in which “several thousand emails” were being sent to different organizations in the United States. The emails were part of a phishing campaign whose goal was to get the victims to download and run a Word file hosted in a OneDrive folder.

Macros in Office documents

Although benign on the surface (it impersonated the Humane company that is developing and selling a smart wearable device), the Word file was weaponized through a malicious macro. The macro, after a few steps, downloaded and executed Bumblebee, a malicious loader that’s used to drop additional payloads on the compromised endpoints.

While Proofpoint wasn’t able to confidently attribute the campaign to any particular threat actor, it did say that it somewhat aligns with previous activities from the TA579 group. It also said that two other groups, TA576 and TA866, both recently emerged after “months-long gaps in activity”, hinting that they, too, might be behind this campaign.

Whoever the perpetrator is, one thing is certain: Bumblebee can be used to deploy ransomware.

Proofpoint also noted that the attackers opted for a macro-based attack, which is somewhat unusual given that Microsoft effectively killed off the method two years ago.

Back in 2022, Microsoft started blocking macros in files downloaded from the internet by default, forcing the majority of threat actors to pivot to different techniques. One of the methods that emerged since then is the use of shortcut files instead of Word documents. One of the greatest advantages of shortcut files is that their icon can be changed freely, which the hackers used to trick people into thinking they were opening a .PDF file.
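As an added defender-side illustration, not code from Proofpoint or from this article, the following Python reads the StringData of a Windows shortcut according to the MS-SHLLINK layout and flags a .lnk whose icon claims a PDF reader while its target is a script host. The keyword heuristics, the field names and the two constructed sample shortcuts are assumptions made for the demo.

```python
import struct

# LinkFlags bits (MS-SHLLINK ShellLinkHeader, offset 20) and the fixed StringData order
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
SCRIPT_HOSTS = ("cmd.exe", "powershell", "wscript", "cscript", "mshta", "rundll32")

def parse_lnk_strings(data: bytes) -> dict:
    """Walk a .lnk and return its StringData fields (relative path, arguments, icon, ...)."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 76:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) followed by the item list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize counts its own 4 bytes
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    fields = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, not bytes
        raw = data[pos + 2:pos + 2 + count * width]
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        pos += 2 + count * width
    return fields

def looks_like_pdf_decoy(fields: dict) -> bool:
    """True when the icon claims a PDF/PDF reader but the shortcut launches a script host."""
    icon = fields.get("icon_location", "").lower()
    launch = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    claims_pdf = ".pdf" in icon or "acro" in icon
    return claims_pdf and any(host in launch for host in SCRIPT_HOSTS)

def build_lnk(relative_path: str, arguments: str, icon_location: str) -> bytes:
    """Constructed sample only: minimal Unicode shell link with no IDList or LinkInfo."""
    flags = 0x08 | 0x20 | 0x40 | IS_UNICODE
    header = struct.pack("<I", 76) + LINK_CLSID + struct.pack("<I", flags) + b"\x00" * 52
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments, icon_location))
    return header + body

# Constructed decoy: Acrobat icon, but the target is cmd.exe running a script
DECOY = build_lnk(r"..\..\Windows\System32\cmd.exe", "/c start sample_stage.cmd",
                  r"C:\Program Files\Adobe\Acrobat\Acrobat.exe")
# Constructed benign shortcut: icon and target agree
BENIGN = build_lnk(r"..\Documents\invoice.pdf", "", r"C:\Program Files\Adobe\Acrobat\Acrobat.exe")
```

Real shortcuts usually carry an IDList and LinkInfo before the strings, which the parser skips by their declared sizes; the heuristic is a triage aid, not a verdict.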


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.