Operators of the Bumblebee malware loader have launched a new campaign that abuses 4shared Web Distributed Authoring and Versioning (WebDAV) services, following a two-month hiatus, according to BleepingComputer.
The campaign is driven by malspam emails posing as invoices, scans, and notifications, most of which carry Windows LNK files, a report from Intel471 revealed. The LNK file triggers a series of commands that begin by mounting a WebDAV folder as a network drive on the targeted machine. Beyond streamlining the attack chain through various file-copy, mounting, and file-extraction techniques, the threat actors have also updated the Bumblebee loader itself: it now uses TCP to communicate with its command-and-control server, and a domain generation algorithm (DGA) to generate its domains in the top-level domain space. Researchers noted that the new DGA implementation further hinders efforts to block and disrupt Bumblebee domains.
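As an added example (not from the Intel471 or BleepingComputer reports), this is the kind of detection logic a defender could run over process-creation telemetry to surface the LNK-to-WebDAV-mount step described above; the event fields, host names and paths are constructed assumptions, not indicators from the campaign.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields); not real telemetry.
SAMPLE_EVENTS = [
    {   # shell launched from Explorer (as a double-clicked LNK would), mapping a WebDAV share
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c net use Y: \\dav.example.invalid@SSL\DavWWWRoot\inv /persistent:no",
    },
    {   # benign: logon script maps an internal SMB share
        "ParentImage": r"C:\Windows\System32\gpscript.exe",
        "Image": r"C:\Windows\System32\net.exe",
        "CommandLine": r"net use H: \\fileserver\home",
    },
    {   # PowerShell from Explorer mapping an HTTP WebDAV path (assumed host name)
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell -w hidden net use * https://dav.example.invalid/docs",
    },
]

# Scripting hosts commonly named in an LNK target field
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")
NET_USE_RE = re.compile(r"\bnet1?(?:\.exe)?\s+use\b", re.IGNORECASE)
# WebDAV remote-path forms: \\host@SSL\..., \\host@443\..., DavWWWRoot, or an http(s) URL
WEBDAV_RE = re.compile(r"\\\\[\w.-]+@(?:SSL|\d{2,5})\b|DavWWWRoot|https?://\S+", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return the list of matched conditions for one process-creation event."""
    reasons = []
    cmd = ev.get("CommandLine", "")
    if basename(ev.get("ParentImage", "")) == "explorer.exe" and basename(ev.get("Image", "")) in SHELLS:
        reasons.append("shell spawned by explorer.exe (consistent with a double-clicked LNK)")
    if NET_USE_RE.search(cmd) and WEBDAV_RE.search(cmd):
        reasons.append("net use mapping a WebDAV path to a network drive")
    return reasons


def detect(events):
    """Flag events that mount WebDAV; the explorer-parent condition adds context for triage."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if any(r.startswith("net use") for r in reasons):
            hits.append({"CommandLine": ev["CommandLine"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Plain SMB mappings without a WebDAV path form are deliberately left alone so that routine logon-script drive mappings do not generate noise.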