Bumblebee: Cyber Extortionists Rely On New Malware To Spread Ransomware

Symantec has analyzed a new form of malware that has become a key component in ransomware attacks. Researchers found links between the malware, called Bumblebee, and the Conti, Mountlocker and Quantum ransomware groups.

“Bumblebee’s connections to a number of high-profile ransomware operations suggest that it is now at the epicenter of the cybercrime ecosystem,” said Vishal Kamble, principal threat analysis engineer on Symantec’s Threat Hunter team.

The way Bumblebee is being used by cyber extortionists was discovered by Symantec researchers when they examined recent attacks using the Quantum ransomware. According to the report, the attacks begin with phishing emails to which an ISO file has been attached. This file hides the loader Bumblebee, which in turn is executed on a victim’s computer if the attachment is opened.

Bumblebee replaces Trickbot

Bumblebee then sets up a backdoor through which an attacker can take complete control and execute commands. They use these capabilities to infiltrate Cobalt Strike, which is actually a legitimate pentest tool. It extends access to the system

Only after that, according to the researchers, Bumblebee is used to install the actual Quantum ransomware and encrypt all files on the victim’s system. Similar techniques would be used for the Conti and Mountlocker campaigns. “Bumblebee may have been introduced as a replacement loader for Trickbot and BazarLoader, as there is some overlap between recent activity with Bumblebee and older attacks associated with those loaders,” Symantec added.

“Any organization that detects a Bumblebee infection on its network should treat this incident as a high priority, as it could be the pathway to multiple dangerous ransomware threats,” Symantec warned. Companies should, among other things, protect user accounts with two-factor authentication and apply available security patches in a timely manner to prevent potential ransomware attacks.