After a two-month hiatus, the Bumblebee malicious loader has resumed activity. According to researchers at Intel 471, the campaign now abuses WebDAV services on the 4shared file-hosting platform, which a 2016 government report had already named as a host for copyright-infringing material. By using 4shared, Bumblebee operators not only benefit from the platform's reliable infrastructure but also make detection and blocking harder.
Integration with the WebDAV protocol, which extends standard HTTP, gives the attackers several ways to sidestep behavioral analysis systems. It also eases distribution of the malware and lets the operators change the attack type after the initial infection.
In this campaign, Bumblebee operators rely heavily on fraudulent emails as their primary lure. The messages are disguised as scans, account notifications, and similar enticing content. Most of them carry LNK files, although ZIP archives containing the same files are sometimes used, which suggests the attackers are experimenting with delivery methods to find the most effective way to deliver the malicious code.
Opening the LNK file triggers a chain of commands on the victim's computer. The chain begins by mounting the WebDAV share as a network drive, using preconfigured account credentials to access the cloud storage on 4shared. The subsequent steps download, extract, and execute the malicious components.
The updated Bumblebee loader now communicates over plain TCP, indicating that its creators have abandoned the previous WebSocket transport. In addition, Bumblebee now uses a domain generation algorithm (DGA) that produces roughly 100 domains in the .life TLD, derived from a static 64-bit seed. These changes make it harder to block and take down the malware's infrastructure.
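A static seed is a weakness for the attacker as much as a strength: once the seed and algorithm are recovered, defenders can precompute the whole domain set and match it against DNS logs. The example below is added here and is not Bumblebee's actual DGA, which the article does not describe; the mixing function, the seed constant and the sample dnsmasq-style log lines are all constructed for illustration, but the shape matches the description above (64-bit static seed, about 100 domains, all under .life).

```python
import hashlib
import re
import struct

# Hypothetical constants: the real Bumblebee seed and mixing function are not given here.
EXAMPLE_SEED = 0x0123456789ABCDEF
TLD = ".life"
DOMAIN_COUNT = 100


def generate_domains(seed: int, count: int = DOMAIN_COUNT) -> list:
    """Deterministically derive `count` domains from a 64-bit static seed."""
    domains = []
    for i in range(count):
        # Mix the seed and a counter through SHA-256 so each index yields a
        # fixed domain for a given seed (constructed mixing function).
        digest = hashlib.sha256(struct.pack("<QI", seed & 0xFFFFFFFFFFFFFFFF, i)).digest()
        length = 12 + digest[0] % 8  # label length between 12 and 19 characters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(label + TLD)
    return domains


def match_dns_log(lines, blocklist):
    """Return (line_number, queried_name) for every query that hits the precomputed set."""
    names = set(blocklist)
    pattern = re.compile(r"query\[A\]\s+(\S+)")
    hits = []
    for n, line in enumerate(lines, 1):
        m = pattern.search(line)
        if m and m.group(1).lower().rstrip(".") in names:
            hits.append((n, m.group(1)))
    return hits


# Constructed dnsmasq-style log lines; line 2 queries one of the generated domains.
SAMPLE_DNS_LOG = [
    "Jun 10 09:12:01 dnsmasq[812]: query[A] www.example.com from 10.0.0.5",
    f"Jun 10 09:12:03 dnsmasq[812]: query[A] {generate_domains(EXAMPLE_SEED)[7]} from 10.0.0.5",
    "Jun 10 09:12:04 dnsmasq[812]: query[A] update.microsoft.com from 10.0.0.5",
]


def find_dga_hits(log=SAMPLE_DNS_LOG, seed=EXAMPLE_SEED):
    """Precompute the domain set for `seed` and scan the log for queries to it."""
    return match_dns_log(log, generate_domains(seed))


if __name__ == "__main__":
    for line_no, name in find_dga_hits():
        print(f"DGA hit on log line {line_no}: {name}")
```

Because the output is fully determined by the seed, the same precomputed list can be pushed to a DNS sinkhole or resolver blocklist ahead of the domains being registered.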
Bumblebee has previously been linked to the distribution of ransomware such as Conti and Akira. Its return, with improved distribution and evasion techniques, poses a significant threat. With the addition of a domain generation algorithm and the use of TCP for communication with its command-and-control servers, the Bumblebee loader becomes even more unpredictable and resistant to countermeasures.