More threat actors linked to TrickBot, IcedID, and BazarLoader have been leveraging the Bumblebee malware loader in an effort to facilitate network breaches, reports The Hacker News.
Cybereason researchers observed attackers leveraging Bumblebee take control of Active Directory after obtaining stolen credentials from a user with elevated privileges.
"The time it took between initial access and Active Directory compromise was less than two days. Attacks involving Bumblebee must be treated as critical, [...] and this loader is known for ransomware delivery," said Cybereason.
Initially discovered by Google's Threat Analysis Group in March, Bumblebee has been distributed through phishing emails with an attachment or link redirecting to a malicious archive, according to a Cybereason report.
"The initial execution relies on the end-user execution which has to extract the archive, mount an ISO image file, and click a Windows shortcut (LNK) file," said researchers.
Once the Bumblebee loader is launched from the LNK file, it establishes persistence and carries out reconnaissance, privilege escalation, and credential theft, while also deploying the Cobalt Strike adversary simulation framework to facilitate lateral movement across the network.
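As an added example, not code from the article or from Cybereason, the following Python detection flags the ISO-mount-followed-by-LNK-launch pattern described above when run over constructed, Sysmon-style events; the event shape, the interpreter list and the 10-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): one ISO mount followed by a
# process that Explorer spawns when the user double-clicks an LNK whose
# target points at a DLL on the mounted drive, plus an unrelated benign event.
EVENTS = [
    {"ts": "2022-12-01T09:00:05", "user": "CORP\\alice", "kind": "iso_mount", "drive": "E:"},
    {"ts": "2022-12-01T09:00:40", "user": "CORP\\alice", "kind": "proc",
     "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": "rundll32.exe E:\\invoice.dll,Start"},
    {"ts": "2022-12-01T09:30:00", "user": "CORP\\bob", "kind": "proc",
     "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\bob\\notes.txt"},
]

WINDOW = timedelta(minutes=10)  # assumed correlation window after the mount
# Interpreters an LNK target commonly invokes; this list is an assumption.
LOLBINS = {"rundll32.exe", "cmd.exe", "powershell.exe", "odbcconf.exe", "regsvr32.exe"}


def find_iso_lnk_chains(events, window=WINDOW):
    """Return alerts where a user mounts an ISO and, within `window`, Explorer
    spawns an interpreter whose command line references the mounted drive."""
    events = sorted(events, key=lambda e: e["ts"])
    mounts = {}  # user -> list of (mount time, drive letter)
    alerts = []
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if ev["kind"] == "iso_mount":
            mounts.setdefault(ev["user"], []).append((ts, ev["drive"].upper()))
            continue
        if ev["kind"] != "proc" or not ev["parent"].lower().endswith("\\explorer.exe"):
            continue
        image_name = ev["image"].rsplit("\\", 1)[-1].lower()
        if image_name not in LOLBINS:
            continue
        for mount_ts, drive in mounts.get(ev["user"], []):
            in_window = mount_ts <= ts <= mount_ts + window
            on_drive = re.search(re.escape(drive) + r"\\", ev["cmdline"], re.I)
            if in_window and on_drive:
                alerts.append({"user": ev["user"], "ts": ev["ts"],
                               "drive": drive, "cmdline": ev["cmdline"]})
    return alerts


if __name__ == "__main__":
    for alert in find_iso_lnk_chains(EVENTS):
        print("ALERT: ISO mount followed by LNK-style launch:", alert)
```

The same logic maps directly onto real Sysmon Event ID 1 data once the mount events are sourced from the host's virtual-disk logging; treat a hit as high-priority given the sub-two-day path to Active Directory compromise reported above.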
Novel DuckLogs malware-as-a-service detailed
More than 6,000 victims have been compromised by the new DuckLogs malware-as-a-service operation, whose platform is being leveraged by over 2,000 cybercriminals, according to BleepingComputer.
BleepingComputer reports that Redis servers that remain unpatched against CVE-2022-0543 are being compromised with the novel Go-based Redigo malware, which was not yet detected by any VirusTotal antivirus engine at the time of the report.