Bumblebee malware returns to target hundreds of firms

The researchers began observing a campaign in which “several thousand emails” were being sent to different organizations in the United States. The emails were part of a phishing campaign whose goal was to get the victims to download and run a Word file hosted in a OneDrive folder.

Macros in Office documents

Although benign on the surface (it impersonated the Humane company that is developing and selling a smart wearable device), the Word file was weaponized through a malicious macro. The macro, after a few steps, downloaded and executed Bumblebee, a malicious loader that’s used to drop additional payloads on the compromised endpoints.

While Proofpoint wasn’t able to confidently attribute the campaign to any particular threat actor, it did say that it somewhat aligns with previous activities from the TA579 group. It also said that two other groups, TA576 and TA866, both recently emerged after “months-long gaps in activity”, hinting that they, too, might be behind this campaign.

Whoever the perpetrator is, one thing is certain - Bumblebee can be used to deploy ransomware.

Proofpoint also notices that the attackers opted for a macro-themed attack, which is somewhat unusual given that Microsoft effectively killed off the method two years ago. 

Back in 2022, Microsoft started blocking macros in files downloaded from the internet by default, forcing the majority of threat actors to pivot to different techniques. One of the methods that emerged since then is the use of shortcut files instead of Word documents. One of their greatest advantages is the ability to change the icon’s appearance, which the hackers used to trick people into thinking they were running a .PDF file.

More from TechRadar Pro

• Microsoft Office is finally making this vital security change across Excel, Word and more
• Here's a list of the best firewalls around today
• These are the best endpoint security tools right now