Bumblebee, a freshly uncovered malware loader, is most probably the Conti syndicate’s latest creation, designed to replace the BazarLoader backdoor that the group has relied on to deliver ransomware payloads.
According to researchers, Bumblebee’s appearance in phishing campaigns in March coincided with a decline in the use of BazarLoader for distributing file-encrypting malware.
According to BleepingComputer, Google’s Threat Analysis Group reported in March that a threat actor tracked as ‘Exotic Lily’, which provided initial access for Conti and Diavol ransomware operations, had begun dropping Bumblebee instead of the usual BazarLoader malware to deploy Cobalt Strike.
How Bumblebee Works
The deployment mechanisms for Bumblebee are the same as those used for BazarLoader and IcedID, both of which have been observed delivering Conti ransomware in the past, according to Eli Salem, lead threat hunter and malware reverse engineer at Cybereason.
In a recently released report, Proofpoint says it has observed several email campaigns distributing Bumblebee inside ISO attachments that contain shortcut and DLL files.
A DocuSign document lure was used in one campaign, which led to a
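The ISO-attachment delivery pattern described above (a shortcut file next to a DLL inside a disk image) is something a mail gateway or sandbox can check for before the image ever reaches a user. The example below is added here for illustration and is not code from the article, from Proofpoint or from Cybereason: it is a minimal ISO 9660 directory walker that lists the files in an image and flags the co-occurrence of a Windows shortcut (.lnk) and a DLL. It assumes a plain ISO 9660 volume (no Joliet or Rock Ridge extensions) and builds its own constructed test image in memory, so it runs offline; the file names in that image are made up and are not indicators from any real campaign.

```python
"""List the members of an ISO 9660 image and flag the LNK-plus-DLL pattern.

Added example (not the article's or any vendor's code). Parses only the
primary volume descriptor and plain ISO 9660 directory records; Joliet and
Rock Ridge name extensions are ignored, which a production scanner would add.
"""
import struct

SECTOR = 2048  # ISO 9660 logical sector size


def _record(buf, off):
    """Parse one directory record at buf[off]; return (fields, record length)."""
    length = buf[off]
    if length == 0:
        return None, 0
    # Both-endian fields: little-endian copy first, big-endian copy after it.
    extent = struct.unpack_from("<I", buf, off + 2)[0]
    size = struct.unpack_from("<I", buf, off + 10)[0]
    flags = buf[off + 25]
    name_len = buf[off + 32]
    name = buf[off + 33:off + 33 + name_len]
    return {"extent": extent, "size": size, "is_dir": bool(flags & 2), "name": name}, length


def _walk(image, extent, size, prefix=""):
    """Yield file paths under the directory stored at the given extent."""
    data = image[extent * SECTOR: extent * SECTOR + size]
    off = 0
    while off < len(data):
        rec, length = _record(data, off)
        if rec is None:
            # A zero length byte means padding: records never cross a sector.
            off = (off // SECTOR + 1) * SECTOR
            continue
        off += length
        if rec["name"] in (b"\x00", b"\x01"):  # "." and ".." entries
            continue
        name = rec["name"].decode("ascii").split(";")[0].lower()  # drop ";1" version
        path = prefix + "/" + name
        if rec["is_dir"]:
            yield from _walk(image, rec["extent"], rec["size"], path)
        else:
            yield path


def list_iso_files(image):
    """Return all file paths in the image; raise if it is not ISO 9660."""
    pvd = image[16 * SECTOR:17 * SECTOR]  # primary volume descriptor lives at sector 16
    if pvd[0] != 1 or pvd[1:6] != b"CD001":
        raise ValueError("not an ISO 9660 image")
    root, _ = _record(pvd, 156)  # root directory record sits at PVD offset 156
    return list(_walk(image, root["extent"], root["size"]))


def assess_iso_attachment(image):
    """Flag an image that carries both a shortcut and a DLL, as in the campaigns above."""
    names = list_iso_files(image)
    exts = {n.rsplit(".", 1)[-1] for n in names if "." in n}
    return {"files": names, "lnk_and_dll": "lnk" in exts and "dll" in exts}


# --- constructed test image builder (for the example only) -------------------

def _dir_record(name, extent, size, is_dir):
    body = bytearray(33)
    struct.pack_into("<I", body, 2, extent)
    struct.pack_into(">I", body, 6, extent)
    struct.pack_into("<I", body, 10, size)
    struct.pack_into(">I", body, 14, size)
    body[25] = 2 if is_dir else 0
    struct.pack_into("<H", body, 28, 1)   # volume sequence number, both-endian
    struct.pack_into(">H", body, 30, 1)
    body[32] = len(name)
    rec = bytes(body) + name
    if len(rec) % 2:
        rec += b"\x00"                    # records are padded to even length
    return bytes([len(rec)]) + rec[1:]


def build_test_iso(members):
    """Build a tiny ISO 9660 image from (name, content) pairs; sectors 0-15 are
    the system area, 16 the PVD, 17 the terminator, 18 the root directory."""
    file_sector, records, data = 19, [], bytearray()
    for name, content in members:
        records.append(_dir_record(name.encode("ascii"), file_sector, len(content), False))
        padded = content + b"\x00" * (-len(content) % SECTOR)
        data += padded
        file_sector += len(padded) // SECTOR
    root = b"".join([_dir_record(b"\x00", 18, SECTOR, True),
                     _dir_record(b"\x01", 18, SECTOR, True)] + records)
    root += b"\x00" * (SECTOR - len(root))
    pvd = bytearray(SECTOR)
    pvd[0], pvd[1:6], pvd[6] = 1, b"CD001", 1
    pvd[156:190] = _dir_record(b"\x00", 18, SECTOR, True)
    term = bytearray(SECTOR)
    term[0], term[1:6], term[6] = 255, b"CD001", 1
    return bytes(16 * SECTOR) + bytes(pvd) + bytes(term) + root + bytes(data)


if __name__ == "__main__":
    # Constructed sample: made-up names, not indicators from a real campaign.
    sample = build_test_iso([("DOCUMENT.LNK;1", b"lnk"), ("HELPER.DLL;1", b"MZ")])
    print(assess_iso_attachment(sample))
```

The same `assess_iso_attachment` call works on the bytes of a real attachment read from disk; in a gateway you would extend the extension set and add Joliet parsing, since level-1 ISO names are limited to uppercase 8.3 form and real images often carry a Joliet tree with the long names users actually see.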