CyberWire Daily - The return of a malware menace. [Research Saturday]

Episode Date: March 2, 2024

This week we are joined by Selena Larson from Proofpoint, who is discussing their research, "Bumblebee Buzzes Back in Black." Bumblebee is a sophisticated downloader used by multiple cybercriminal threat actors and was a favored payload from its first appearance in March 2022 through October 2023 before disappearing. After a four month hiatus, Proofpoint researchers found that the downloader returned. Its return aligns with a surge of cybercriminal threat activity after a notable absence of many threat actors and malware. The research can be found here: Bumblebee Buzzes Back in Black

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace.
Starting point is 00:02:17 Thanks for joining us. Yeah, so Bumblebee is a pretty interesting malware. It's a downloader that is used by multiple cybercrime threat actors. And it really used to be a favorite payload from around March 2022 through October 2023. But then it kind of just fell out of our visibility, really disappeared from the threat landscape. So we went from a lot of Bumblebee to basically none of it. That's Selena Larson. She's a senior threat intelligence analyst at Proofpoint.
Starting point is 00:02:52 The research we're discussing today is titled Bumblebee Buzzes Back in Black. And on February 8th, we actually identified a new campaign that reappeared delivering the Bumblebee payload. So it's really interesting to kind of see this reappearance from a malware that was pretty popular and then kind of fell out of favor. Well, let's go back and spend some time on the original Bumblebee. I mean, what was that about? What were its capabilities and who was it targeting? So Bumblebee is a fairly sophisticated downloader that is used by cybercrime actors to install additional payloads. So it can be used to deliver, for example, Cobalt Strike, which might lead to ransomware or other malicious payloads. And it's part of the malware family that kind of replaced
Starting point is 00:03:45 BazaLoader. For those of you who have been following the e-crime landscape for a little bit, in 2022, BazaLoader just kind of went off the landscape and was replaced by Bumblebee. And so Bumblebee was used by a number of what we would consider initial access brokers. So oftentimes these actors use malware that will then lead to follow-on ransomware activity. And Bumblebee is part of that sort of family of initial access broker malware. You have things like IcedID, Qbot, RIP Qbot, or not. Other types of malware that's often used to install ransomware. So it's pretty interesting to see it kind of pop back up on the threat landscape. And in this particular campaign, it wasn't using the TTPs that we had seen previously.
Starting point is 00:04:31 So why do you suppose that it had dropped off the radar for several months? That's a good question. We can't say with high confidence why it sort of disappeared. And I do want to point out that that was from our visibility, so email threat data. So it's entirely possible that there was activity that we just weren't seeing or weren't aware of. But as far as we know, it wasn't widely used to the extent that it had been previously. However, this disappearance did align with a number of other types of malware or threat actors kind of dropping off activity a little bit. Typically over the winter timeframe, starting in November, kind of going especially through December and January, you see cyber criminals in the cyber crime landscape kind of ease up a little bit. So oftentimes threat actors will take breaks. Sometimes this aligns with
Starting point is 00:05:16 Russian Orthodox holidays, suggesting potentially where the threat actors might be celebrating holidays, taking vacations, kind of the same way that we do here in the U.S. And what we saw kind of across the landscape was this sort of decrease or drop off during those months. So Bumblebee fell off a little bit earlier, kind of back in October 2023 was the last appearance in our threat data. But it did kind of coincide with this sort of overall slump of cyber criminal threat activity. And its return, interestingly enough, also coincided with a return to activity
Starting point is 00:05:54 from a lot of cyber criminal threat actors. So it kind of came back on the scene at the same time or around the same time as a lot of some of the other popular cybercrime activity that we've been tracking. That is interesting. Well, let's talk about the campaign that you saw gear up here in February.
Starting point is 00:06:13 What is the process here that they're doing their thing? Yeah, so we saw it came in via email and the sender purported to send something that was related to a voicemail. And it says, hey, you have a missed voicemail call from this individual. Click to listen to the voicemail. If the user clicked on that link, it was a OneDrive URL. And then this led to a Word document, which I thought was kind of interesting because the Word document didn't really align with a voicemail theme. The Word document looked like it was this personal electronics company branded document,
Starting point is 00:06:50 whereas the lore itself was a voicemail. So that initially I thought was a little bit weird. But then the Word document itself actually used macros to lead to the installation of the Bumblebee malware via various scripts to actually install Bumblebee. Now, you all point out in your research that this is a little unusual, the use of these macros. Yeah, so macro-enabled documents,
Starting point is 00:07:16 whether attached directly to email or part of the overall attack chain, have really dropped off since Microsoft began disabling macros downloaded from the internet by default. That was back in 2022. So throughout 2023, the use of macros significantly decreased. But if you look at Bumblebee campaigns specifically, we had seen nearly 230 campaigns, and only five of those used any sort of macro-laden content.
Starting point is 00:07:43 And four of them used Excel 4 macros. This one in particular used VBA macros. So those were using like Excel documents versus Word documents. So if you look at kind of the overall scope of macro use in attack chains and even kind of narrowing just on the scope of Bumblebee, it was super unusual to see. And if we look at the e-crime landscape overall and this pivot away from macro-enabled documents to deliver malware, fundamentally, they just don't really work anymore.
Starting point is 00:08:12 It is possible to sort of enable them. And if a user is very convinced that they have to use these macros, there's ways to kind of do it. But for the most part, disabling macros downloaded from the internet by default really put a wrench in pretty much the entire e-crime landscape. So we don't really see them all that much anymore. So their appearance in this particular campaign was pretty interesting. We'll be right back.
Starting point is 00:08:51 Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
Starting point is 00:09:17 like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. Yeah, it's interesting to me. I mean, when you look at, as you pointed out, you know, the kind of disconnect between the initial lure of a missed voicemail that goes to a Word document that doesn't really have anything to do with a voicemail, and then you combine that with the use of macros, which, as you point out, are a bit outdated,
Starting point is 00:10:16 it makes me wonder, you know, is this campaign being run by the interns, right? Well, so that's actually a good question, right? If we're thinking about from the attribution perspective, there were some characteristics of the campaign that appeared to align with a threat actor that we call TA579. But the other parts and characteristics in the attack chain and the use of macros
Starting point is 00:10:41 and all that didn't align. So while some of it seemed maybe familiar, we did not attribute this campaign to a known threat actor just because so many of the characteristics were so different. Right now, we are in a time of experimentation for cybercriminal threat actors. There's a lot of changes going on in the attack chain, a lot of trying new techniques,
Starting point is 00:11:02 a lot of using different file types, using URLs to various file types, using different scripting files, kind of chaining things together, even using, you know, the use of various CVEs and attack chains. It's this kind of crazy wild west of cybercrime. And although we didn't necessarily attribute this campaign to a specific threat actor, I think it kind of speaks to the overall climate where threat actors are trying new things that maybe some of, from the defense perspective, might make us kind of scratch our heads and be like, oh, why is this happening? This is kind of weird. But, you know, they are trying to see what works and what they can get people to, you know, do and ultimately lead to malware installation. But when you say people are trying things, is that more than usual? I mean, are you saying there's been an uptick in clever ways to see if you can get around things? Yeah, I would say so. I think the overall trend of iteration in attack chains and the time between new attack chains has definitely like decreased. Like the tempo, operational tempo and the changes, the amount of changes have increased and the time between threat actors doing things and making changes has decreased. So it's interesting from our perspective, right? Like we saw the changes kind of begin after Microsoft disabled macros by default.
Starting point is 00:12:26 And there was a wave of OneNote files, for example. And then there was this wave of LNKs. And then there was this wave of ISO and .rar files that kind of bypassed the mark of the web attributes. And then it kind of fractured where the landscape and various actors across the landscape started kind of doing their own thing. So right now it's not so much kind of this whole wave that all of the actors kind of follow and everyone's kind of trying the
Starting point is 00:12:55 same thing. What we're seeing now is a little bit, everyone's kind of trying things differently. And I think especially some of the major initial access broker players that we track, some of the sort of large e-crime families that do deliver payloads that could potentially lead to ransomware, are the ones that are doing the most. They're the ones that appear to have the time, resources, capabilities, the operations level to try new things and switch things up. And what that ends up doing is forces defenders, forces detection engineers, forces those of us who are tracking these actors to make our own changes to defend against it. So it's been really interesting kind of seeing that happen
Starting point is 00:13:34 and seeing the changes go. It's been a prolonged timeline, I think, that we're seeing a lot of this. It certainly started early 2023, but what's really occurred now is just constant change and lots of different and new techniques, which we might not have seen previously or weren't necessarily expecting. So, getting back to this specific campaign, ultimately, what does it look like they're after here? So we only know that they were attempting to install the Bumblebee downloader.
Starting point is 00:14:11 It's likely that they were trying that they would use that to download additional malware, potentially leading to ransomware. But I can't say with high confidence what the ultimate objective of this particular campaign was. Gotcha. Well, what are your recommendations then? I mean, how do folks best go about protecting themselves? Yeah, that's a great question. I mean, from a fundamental perspective, right, like social engineering is still the way that people, the bad guys are trying to get people to engage with
Starting point is 00:14:33 content or, you know, click on something malicious, download something malicious. And I think being wary of that and mindful of the different social engineering techniques, really popular lures. I mean, this one in particular, a voicemail theme, we've seen that with a number of different actors and clusters kind of using that sort of voicemail theme. I think, you know, to your point earlier, it's kind of interesting that, you know, this document didn't really match what the initial email lure was. And so that's a kind of a key thing that people can think about and look into. But also, you know, understanding sort of like defense in depth, right? And just being mindful of some of the decisions
Starting point is 00:15:06 that you're making from a security perspective of like, okay, so let's say if this does happen and someone clicks on it, what then? Like, are there critical tools and controls in place
Starting point is 00:15:16 to prevent this type of activity from happening? In this particular case, you know, the macros downloaded from the internet by default might not be the most effective way from a threat actor perspective. But, you know, let's say if there was an actor that was delivering something via JavaScript, dropping a JavaScript file, ensuring that the end user, if they do click on it, it opens in a text file.
Starting point is 00:15:36 So, you know, setting kind of rules within your organization to really ensure defense in depth. So even if something does go wrong, there are catches in place to make sure that it doesn't go farther. Yeah, it's a really good point. I mean, as you say, I mean, even if the whole notion of using macros isn't terribly effective right now, you still have a user who's clicking on links, right, to get you to that point. So you just need to be prepared, I guess. Yeah, and I think, you know, as we're kind of talking about the changes in the attack chains overall, there's also the mindful fact of social engineering. So the social engineering has to get better because people are having to click on more stuff in order to get to the payload. So the attack chains are a little bit longer. Click-to-install macros, this one-click red button, deliver malware, just doesn't really work anymore. And so the attack
Starting point is 00:16:31 chains are getting longer, meaning the social engineering and the initial sort of email or whatever the initial attack chain is, has to get a little bit more clever to further entice people to click on that stuff. So I think from a social engineering perspective, definitely training users, making sure that they're mindful and aware of the very common techniques that are being used by these threat actors, including what the attachments are, what the attack chains look like, what types of files are they using, and how can we add certain restrictions or rules in place within an organization to prevent exploitation if, unfortunately, a user might fall for something. Our thanks to Selena Larson from Proofpoint for joining us. The research is titled Bumblebee
Starting point is 00:17:21 Buzzes Back in Black. We'll have a link in the show notes. Selena Larson is also the host of the Discarded podcast. You should check that out. It's worth your time. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected
Starting point is 00:17:57 lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. Thank you. Learn more at n2k.com. This episode was produced by Liz Stokes. Our mixer is Elliot Peltzman. Our executive producers are Jennifer Iben and Brandon Karpf. Our executive editor is Peter Kilby, and I'm Dave Bittner. Thanks for listening.
Starting point is 00:18:54 We'll see you back here next time. Thank you. platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
