Threat actors associated with BazarLoader, TrickBot and IcedID malware are now seen deploying the loader known as Bumblebee to breach networks and conduct post exploitation activities.
The majority of the Bumblebee infections spotted reportedly started by end-users executing LNK files which use a system binary to load the malware.
After infiltrating a system, Bumblebee operators then reportedly conducted intensive reconnaissance activities and redirected the output of executed commands to files for exfiltration.
The attackers compromised Active Directory and leveraged confidential data such as users’ logins and passwords for lateral movement.The time it took between initial access and Active Directory compromise was less than two days.
The Bumblebee malware loader was first discovered by Google TAG in March 2022. It owes the name to its user agent, dubbed ‘Bumblebee,’ which is used as part of the communication with the C2.
The research comes from the Cybereason Global Security Operations Center team.
Indicators of Compromise