Threat actors are using the Bumblebee loader to compromise Active Directory services as part of post-exploitation activities.
The Cybereason Global Security Operations Center (GSOC) Team analyzed a cyberattack that involved the Bumblebee Loader and detailed how the attackers were able to compromise the entire network.
Most Bumblebee infections started with users executing LNK files, which launch a legitimate system binary to load the malware rather than running the payload directly. The malware is distributed through phishing messages that carry either a malicious attachment or a link to a malicious archive containing Bumblebee.
After initial execution, Bumblebee was used to perform post-exploitation activities, including privilege escalation, reconnaissance, and credential theft.
Threat actors conduct intensive reconnaissance activities and redirect the output of executed commands to files for exfiltration.
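The two behaviours described above (a user-launched LNK that hands off to a system binary to load the malware, and reconnaissance commands whose output is redirected into files for later exfiltration) both leave clear traces in process-creation telemetry. The following detection logic is an added example written for this article, not code from Cybereason or from the Bumblebee report; the record layout, the list of loader binaries (rundll32.exe, odbcconf.exe, regsvr32.exe) and the reconnaissance command list are assumptions, and the events it runs over are constructed, not real telemetry.

```python
"""Flag Bumblebee-style behaviour in process-creation telemetry:
(1) explorer.exe (a user double-click) spawning a system binary that loads a
    DLL or response file from outside C:\\Windows, and
(2) reconnaissance commands whose output is redirected to a file."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Assumed field layout of one record (e.g. flattened from Sysmon Event ID 1):
# timestamp|parent image|image|command line
@dataclass
class ProcEvent:
    ts: str
    parent: str
    image: str
    cmdline: str

# System binaries commonly abused to load a DLL or response file. The article
# only says "a system binary", so this set is an assumption.
LOADER_BINARIES = {"rundll32.exe", "odbcconf.exe", "regsvr32.exe"}
# Reconnaissance commands typically run from a fresh beachhead (assumed list).
RECON_RE = re.compile(
    r"\bnet\s+(?:group|user|view|localgroup)\b|\bnltest\b|\bwhoami\b|\bipconfig\b"
    r"|\bsysteminfo\b|\badfind\b|\bdsquery\b|\btasklist\b|\bquery\s+user\b|\bnslookup\b",
    re.IGNORECASE,
)
# A payload path handed to the loader: drive-letter path ending in .dll or .rsp
PAYLOAD_RE = re.compile(r'[A-Za-z]:\\[^,"\s]+?\.(?:dll|rsp)\b', re.IGNORECASE)
# cmd.exe-style stdout redirection: "> file" or ">> file"
REDIRECT_RE = re.compile(r"\s>{1,2}\s*\S")

# Constructed sample events (not real telemetry). Only the first, third and
# fourth records should be flagged.
SAMPLE_EVENTS = r"""
2022-08-01T10:00:01|C:\Windows\explorer.exe|C:\Windows\System32\rundll32.exe|rundll32.exe D:\documents.dll,GetVersion
2022-08-01T10:00:02|C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|"WINWORD.EXE" /n C:\Users\alice\report.docx
2022-08-01T10:05:10|C:\Windows\System32\rundll32.exe|C:\Windows\System32\cmd.exe|cmd.exe /c net group "domain admins" /domain > C:\ProgramData\out.txt
2022-08-01T10:05:12|C:\Windows\System32\rundll32.exe|C:\Windows\System32\cmd.exe|cmd.exe /c nltest /dclist: >> C:\ProgramData\out.txt
2022-08-01T10:06:00|C:\Windows\System32\cmd.exe|C:\Windows\System32\ipconfig.exe|ipconfig /all
2022-08-01T10:07:00|C:\Windows\explorer.exe|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL
"""


def parse_events(text: str) -> List[ProcEvent]:
    """Split pipe-delimited records into ProcEvent objects, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, parent, image, cmdline = line.split("|", 3)
        events.append(ProcEvent(ts, parent, image, cmdline))
    return events


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_lnk_loader(ev: ProcEvent) -> bool:
    """User-launched (explorer.exe parent) loader binary whose DLL/response
    file lives outside the Windows directory, e.g. on a mounted ISO."""
    if basename(ev.parent) != "explorer.exe" or basename(ev.image) not in LOADER_BINARIES:
        return False
    return any(not p.lower().startswith("c:\\windows\\")
               for p in PAYLOAD_RE.findall(ev.cmdline))


def is_recon_to_file(ev: ProcEvent) -> bool:
    """Reconnaissance command with stdout redirected into a file."""
    return bool(RECON_RE.search(ev.cmdline)) and bool(REDIRECT_RE.search(ev.cmdline))


def triage(text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, rule, command line) for every matching event."""
    findings = []
    for ev in parse_events(text):
        if is_lnk_loader(ev):
            findings.append((ev.ts, "lnk_loader", ev.cmdline))
        if is_recon_to_file(ev):
            findings.append((ev.ts, "recon_to_file", ev.cmdline))
    return findings


if __name__ == "__main__":
    for ts, rule, cmd in triage(SAMPLE_EVENTS):
        print(f"{ts} [{rule}] {cmd}")
```

The last sample record (rundll32.exe loading shell32.dll from System32) is a benign Control Panel launch and is deliberately left unflagged: the path check, not the binary name alone, is what separates the LNK loader pattern from everyday use of the same system binary. In production the path allow-list and the reconnaissance command list would be tuned per environment.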
Bumblebee has been active since March 2022, when it was first spotted by Google's Threat Analysis Group (TAG). Experts noticed that cybercriminal groups that had previously used the BazaLoader and IcedID loaders in their malware campaigns switched to Bumblebee.