More threat actors linked to TrickBot, IcedID, and BazarLoader have been leveraging the Bumblebee malware loader in an effort to facilitate network breaches, reports The Hacker News.
Cybereason researchers observed attackers take control of Active Directory after Bumblebee harvested the credentials of a user with elevated privileges.
"The time it took between initial access and Active Directory compromise was less than two days. Attacks involving Bumblebee must be treated as critical, [...] and this loader is known for ransomware delivery," said Cybereason.
Initially discovered by Google's Threat Analysis Group in March, Bumblebee has been distributed through phishing emails with an attachment or link redirecting to a malicious archive, according to a Cybereason report.
"The initial execution relies on the end-user execution which has to extract the archive, mount an ISO image file, and click a Windows shortcut (LNK) file," said researchers.
Once the LNK file launches the Bumblebee loader, the malware establishes persistence, performs reconnaissance, escalates privileges, and steals credentials, and it also deploys the Cobalt Strike adversary simulation framework to enable lateral movement across the network.
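The infection chain described above (archive, mounted ISO, double-clicked LNK) leaves a recognizable trace in process-creation telemetry: explorer.exe spawns a child that either runs directly from the newly mounted volume or is a living-off-the-land binary handed a path on that volume. The hunt below is an added example, not code from Cybereason or SC Media; it assumes Sysmon-style field names (Image, ParentImage, CommandLine, CurrentDirectory), treats C: as the system drive, uses a tuning list of LOLBins that the article does not specify, and runs over constructed sample events rather than real logs.

```python
"""Hunt for the mounted-ISO + LNK launch pattern in Sysmon-style process events.

Added example (not from the article). Heuristic: a shortcut double-click is
launched by explorer.exe; a mounted ISO appears as a new drive letter, so the
child either lives on a non-system volume or is a LOLBin whose command line or
working directory references one.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# Assumption: tuning list of binaries commonly used as LNK targets.
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "powershell.exe", "cmd.exe", "msiexec.exe"}
SYSTEM_DRIVE = "C:"  # assumption: adjust for non-standard installs
# Match a drive letter followed by a backslash that is not part of a larger path token.
DRIVE_RE = re.compile(r"(?<![\w\\])([A-Za-z]:)\\")


@dataclass
class Finding:
    pid: int
    image: str
    reason: str


def _non_system_drives(*fields: str) -> set[str]:
    """Return the set of drive letters other than the system drive seen in fields."""
    drives: set[str] = set()
    for field in fields:
        for drive in DRIVE_RE.findall(field or ""):
            if drive.upper() != SYSTEM_DRIVE:
                drives.add(drive.upper())
    return drives


def analyze(events: Iterable[dict]) -> list[Finding]:
    """Flag explorer.exe children that touch a non-system volume."""
    findings: list[Finding] = []
    for ev in events:
        parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        if parent != "explorer.exe":
            continue  # only interested in user-initiated (shortcut) launches
        image = ev.get("Image", "")
        image_name = image.rsplit("\\", 1)[-1].lower()
        drives = _non_system_drives(image, ev.get("CommandLine", ""),
                                    ev.get("CurrentDirectory", ""))
        if not drives:
            continue
        if image_name in LOLBINS:
            reason = (f"LOLBin {image_name} launched by explorer.exe with a "
                      f"non-system-volume path {sorted(drives)}")
        elif _non_system_drives(image):
            reason = f"executable runs directly from non-system volume {sorted(drives)}"
        else:
            continue  # e.g. notepad opening a text file on a USB stick
        findings.append(Finding(ev["ProcessId"], image, reason))
    return findings


# Constructed sample events (not real telemetry). E: stands for a mounted ISO.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe E:\docs\payload.dll,EntryPoint",
     "CurrentDirectory": r"E:\\"},
    {"ProcessId": 4188, "Image": r"E:\Invoice\viewer.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"E:\Invoice\viewer.exe"', "CurrentDirectory": r"E:\\"},
    {"ProcessId": 5000,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'WINWORD.EXE "C:\Users\alice\Documents\report.docx"',
     "CurrentDirectory": r"C:\Users\alice\Documents"},
    {"ProcessId": 5200, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"cmd.exe /c dir E:\\", "CurrentDirectory": r"C:\Windows"},
    {"ProcessId": 5300, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'notepad.exe "E:\readme.txt"', "CurrentDirectory": r"E:\\"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"PID {f.pid}: {f.image} -> {f.reason}")
```

Expect noise from USB sticks and secondary data partitions; in production, narrow the drive set by correlating with volume-mount events from the Windows VHDMP operational log so that only letters assigned to freshly mounted ISO images count, and treat any hit that is followed by Cobalt Strike-style beaconing from the same host as the critical-severity incident Cybereason describes.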