Bumblebee loader use for network breaches on the rise
More threat actors linked to TrickBot, IcedID, and BazarLoader have been leveraging the Bumblebee malware loader in an effort to facilitate network breaches, reports The Hacker News.
Cybereason researchers observed attackers using Bumblebee to take control of Active Directory after obtaining stolen credentials belonging to a user with elevated privileges.
"The time it took between initial access and Active Directory compromise was less than two days. Attacks involving Bumblebee must be treated as critical, [...] and this loader is known for ransomware delivery," said Cybereason.
Initially discovered by Google's Threat Analysis Group in March, Bumblebee has been distributed through phishing emails with an attachment or link redirecting to a malicious archive, according to a Cybereason report.
"The initial execution relies on the end-user execution which has to extract the archive, mount an ISO image file, and click a Windows shortcut (LNK) file," said researchers.
Once the Bumblebee loader has been launched from the LNK file, it establishes persistence and carries out reconnaissance, privilege escalation, and credential theft, while also deploying the Cobalt Strike adversary simulation framework to facilitate lateral movement across the network.
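As an added defender's example, not code from Cybereason's or SC Media's reporting: a small correlation over constructed key=value endpoint telemetry that flags a process launched from a drive letter that the same host mounted from an ISO image shortly before, which is the footprint left by the archive-to-ISO-to-LNK execution chain described above. The event names, field names, hosts, users and timestamps are assumptions.

```python
import re
from datetime import datetime

# Constructed sample telemetry (not from the report): an ISO mount followed
# within a minute by a process launched from the mounted drive (what a click
# on an LNK inside the ISO produces), a benign launch from the local disk,
# and a mount whose follow-on launch falls hours later. Field names are hypothetical.
SAMPLE_LOGS = [
    "ts=2022-08-10T09:14:02Z host=WS01 event=ISO_MOUNT user=j.doe path=C:\\Users\\j.doe\\Downloads\\Invoice.iso drive=E:",
    "ts=2022-08-10T09:14:45Z host=WS01 event=PROCESS_CREATE user=j.doe parent=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\rundll32.exe cmdline=rundll32.exe E:\\content.dll,Run",
    "ts=2022-08-10T09:20:00Z host=WS01 event=PROCESS_CREATE user=j.doe parent=C:\\Windows\\explorer.exe image=C:\\Program Files\\App\\app.exe cmdline=app.exe",
    "ts=2022-08-10T13:00:00Z host=WS02 event=ISO_MOUNT user=m.lee path=D:\\Software\\ubuntu.iso drive=F:",
    "ts=2022-08-10T16:30:00Z host=WS02 event=PROCESS_CREATE user=m.lee parent=C:\\Windows\\explorer.exe image=F:\\setup.exe cmdline=F:\\setup.exe",
]

FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")  # key=value pairs; the last value may contain spaces
DRIVE_RE = re.compile(r"\b([A-Za-z]):\\")          # drive letters referenced in a path or command line

def parse_event(line):
    """Split one key=value log line into a dict."""
    return dict(FIELD_RE.findall(line))

def find_iso_launches(lines, window_minutes=30):
    """Return (host, user, image, iso_path) for every process whose image or
    command line references a drive letter that the same host mounted from an
    ISO within the last `window_minutes`. Launches outside the window are not
    flagged, so an old mount does not keep generating alerts."""
    mounts = {}  # (host, drive letter) -> (mount time, ISO path)
    hits = []
    for raw in lines:
        ev = parse_event(raw)
        ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        if ev["event"] == "ISO_MOUNT":
            mounts[(ev["host"], ev["drive"][0].upper())] = (ts, ev["path"])
        elif ev["event"] == "PROCESS_CREATE":
            referenced = {m.upper() for m in DRIVE_RE.findall(ev["image"] + " " + ev["cmdline"])}
            for letter in sorted(referenced):
                mount = mounts.get((ev["host"], letter))
                if mount and 0 <= (ts - mount[0]).total_seconds() <= window_minutes * 60:
                    hits.append((ev["host"], ev["user"], ev["image"], mount[1]))
    return hits

if __name__ == "__main__":
    for hit in find_iso_launches(SAMPLE_LOGS):
        print("ALERT: process launched from freshly mounted ISO:", hit)
```

Widening the window trades false positives (legitimate installers run from a mounted ISO) for coverage; a parent of explorer.exe, as in the sample, is consistent with a shortcut click but is not used as a condition here.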