Bumblebee Malware Resumes Attacks After Hiatus Using New Phishing Tactic
- The Bumblebee malware has resumed attacks after a 4-month break, using phishing emails pretending to be voicemail notifications to distribute the payload.
- The phishing emails contain malicious Word docs with VBA macros that fetch and execute the Bumblebee malware. Using macros is unusual given Microsoft's macro blocking.
- Bumblebee is a malware loader used to distribute additional payloads like Cobalt Strike, often rented out to cybercriminals.
- The campaign shows similarities to threat actor TA579, though the exact attacker is unclear. Other actors like TA576 have also increased activity recently.
- With QBot disrupted, other malware families like DarkGate and Pikabot are attempting to fill the gap in malware distribution, leveraging various infection tactics.