Several threat groups have been leveraging the new Bumblebee malware downloader, suspected to be developed by the Conti ransomware operation, as a replacement for the BazarLoader backdoor, according to BleepingComputer.
Bumblebee, which shares deployment tactics with BazarLoader and IcedID, is being distributed as ISO attachments in various email campaigns, one of which used a DocuSign document lure, a report from Proofpoint revealed. The same malicious email also carried an HTML attachment spoofing an unpaid-invoice notice; the HTML file contained a URL that went through a redirect service dependent on the Prometheus TDS.
"Proofpoint researchers attributed this campaign with high confidence to the cybercriminal group TA579. Proofpoint has tracked TA579 since August 2021. This actor frequently delivered BazaLoader and IcedID in past campaigns," said researchers.
Meanwhile, another campaign spreading Bumblebee via website contact forms last month has been attributed to TA578. The report also detailed that Bumblebee utilizes TrickBot malware code and is being actively developed, with each update featuring more capabilities.
Operations of California's Solano Partner Libraries and St. Helena, or SPLASH, continue to be interrupted weeks after the county's library network was targeted by a ransomware attack earlier this month, StateScoop reports.
Threat actors could obtain several rootkit-like capabilities by exploiting vulnerabilities in Windows' DOS-to-NT path conversion process, including concealing files and processes and tampering with prefetch file analysis, reports The Hacker News.
The open-source DevOps platform GitLab is also affected by the same security issue in GitHub comments, according to BleepingComputer. Threat actors have exploited that issue through URLs tied to Microsoft repositories to distribute malware that appeared to originate from credible organizations' official source code repositories.