The notorious ‘Bumblebee’ malware, known for its ransomware payload distribution, has resurfaced after a two-month hiatus, employing new tactics to exploit 4shared WebDAV services. Researchers from Intel471 have revealed this latest campaign, which began on September 7, 2023, utilizes 4shared WebDAV services for malware distribution and post-infection activities.
Furthermore, this abuse of the legitimate 4shared platform allows Bumblebee operators to evade blocklists and maintain reliable infrastructure. Simultaneously, the WebDAV protocol provides them with multiple avenues to bypass behavioral detection systems and facilitates streamlined distribution.
In this resurgence, the Bumblebee campaign relies on malspam emails posing as scans, invoices, and notifications to trick recipients into downloading malicious attachments. These attachments primarily consist of Windows shortcut LNK files, but the inclusion of ZIP archives containing LNK files indicates that Bumblebee operators are experimenting with different delivery methods.
Upon opening the LNK file, a series of commands are initiated on the victim’s machine, including the mounting of a WebDAV folder using hardcoded credentials for a 4shared storage account.
Intel471’s observations suggest that threat actors behind Bumblebee are experimenting with various methods to optimize their attack chain, from mounting file copies to extracting and executing files from the mounted drive.
Additionally, an updated version of the Bumblebee malware loader has been identified in this campaign. It has shifted from using the WebSocket protocol to TCP for command and control server (C2) communications and employs a domain generation algorithm (DGA) to generate 100 domains on the “.life” top-level domain upon execution. These changes make it more challenging to trace and disrupt Bumblebee’s infrastructure, raising concerns about its continued threat.