Cyble researchers discovered that the Bumblebee malware loader has been updated with a novel PowerSploit framework-based infection chain aimed at making its reflective injection of DLL payloads into memory harder to detect, according to BleepingComputer.
Victims of the new Bumblebee attack were sent emails carrying a password-protected Virtual Hard Disk (VHD) file instead of an ISO image, with an LNK shortcut file inside it to start payload execution, the report found. The findings also showed that, instead of launching Bumblebee directly, the LNK executes the "imagedata.ps1" file, which opens a PowerShell window. The PS1 script has been obfuscated with Base64 in an effort to bypass detection. Similar obfuscation has been observed in the second stage, which uses the PowerSploit module to load the 64-bit "LdrAddx64.dll" malware, according to researchers.
"PowerSploit is an open-source post-exploitation framework in which the malware uses a method, Invoke-ReflectivePEInjection, for reflectively loading the DLL into the PowerShell Process. This method validates the embedded file and performs multiple checks to ensure that the file is loaded properly on the executing system," researchers added.
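The chain described above (LNK launching a hidden PowerShell window, a Base64-obfuscated script, then PowerSploit's Invoke-ReflectivePEInjection) leaves recognisable traces in process-creation telemetry. The following triage script is an added example for defenders, not code from Cyble, BleepingComputer or the PowerSploit project. It decodes PowerShell `-EncodedCommand` arguments (Base64 of UTF-16LE text, as PowerShell expects) and flags the indicators named in the report. The event field names (`parent`, `image`, `cmdline`) and the sample events are constructed assumptions; adapt the field mapping to your own EDR or Sysmon export.

```python
"""Triage PowerShell process-creation events for the Bumblebee-style chain:
LNK -> hidden .ps1 -> Base64-obfuscated stage -> PowerSploit reflective PE injection.
Added defender example; sample events and field names are constructed/assumed."""
import base64
import re

# PowerShell accepts unambiguous prefixes of -EncodedCommand (-e, -ec, -enc);
# the value is Base64 of the script text encoded as UTF-16LE.
_ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
_HIDDEN_RE = re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.IGNORECASE)
_PS1_RE = re.compile(r"-(?:f|file)\s+\S+\.ps1", re.IGNORECASE)

# Substrings a defender would expect in the decoded reflective-loading stage.
INDICATORS = {
    "invoke-reflectivepeinjection": "PowerSploit reflective PE injection cmdlet",
    "frombase64string": "Base64-decoding an embedded payload",
}


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand text, or None if absent or undecodable."""
    match = _ENC_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def analyze_event(event: dict) -> list:
    """Return the reasons this event resembles the described chain (empty list = nothing found)."""
    reasons = []
    if event["image"].lower() != "powershell.exe":
        return reasons
    cmd = event["cmdline"]
    # Stage 1: LNK running a .ps1 with the window hidden from the user.
    if _HIDDEN_RE.search(cmd) and _PS1_RE.search(cmd):
        reasons.append("hidden-window execution of a .ps1 script")
    # Stage 2: Base64-obfuscated command; decode it and look for the loader indicators.
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded command present")
        lowered = decoded.lower()
        for needle, why in INDICATORS.items():
            if needle in lowered:
                reasons.append(why)
    return reasons


def triage(events: list) -> list:
    """Return (index, reasons) for every event that produced at least one reason."""
    return [(i, r) for i, e in enumerate(events) if (r := analyze_event(e))]


def _encode_for_powershell(script: str) -> str:
    """Build a constructed -EncodedCommand value the way PowerShell expects it (UTF-16LE, Base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events (not real telemetry). The second stage text only names the
# two cmdlets mentioned in the report; it is a detection test fixture, not a working script.
_STAGE2 = "$d = [Convert]::FromBase64String($blob); Invoke-ReflectivePEInjection"
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -File D:\\imagedata.ps1"},
    {"parent": "powershell.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoP -EncodedCommand " + _encode_for_powershell(_STAGE2)},
    {"parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for index, reasons in triage(SAMPLE_EVENTS):
        print(f"event {index}: {SAMPLE_EVENTS[index]['cmdline'][:60]}")
        for reason in reasons:
            print(f"  - {reason}")
```

Decoding the encoded argument before matching is the important part: the cmdlet name never appears in the raw command line, so a plain string match on the process record would miss the second stage entirely. The hidden-window rule on its own is noisy in environments that run scheduled PowerShell jobs, so treat it as a correlation signal alongside the decoded-content hits rather than an alert by itself.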
Cuba ransomware affiliate Void Rabisu, also known as Tropical Scorpius, ran a new RomCom malware campaign from December 2022 to April 2023 that used numerous fraudulent websites masquerading as legitimate software, including ChatGPT, Gimp, AstraChat, and Go To Meeting, and was mostly targeted at Eastern Europe, according to BleepingComputer.
Numerous web browsers and cryptocurrency wallets on Windows systems are being targeted by the new Bandit Stealer information-stealing malware, which could also evade Windows Defender and be used to facilitate data breaches, account takeovers, identity theft, and credential stuffing attacks, reports The Record, a news site run by cybersecurity firm Recorded Future.