Bumblebee malware loader emerges • The Register

A sophisticated malware loader dubbed Bumblebee is being used by at least three cybercriminal groups that have links to ransomware gangs, according to cybersecurity researchers.

Gangs using Bumblebee have in the past used the BazarLoader and IcedID loaders – linked to high-profile ransomware groups Conti and Diavol. The emergence of Bumblebee coincides with the swift disappearance of BazarLoader in recent weeks, according to researchers with security firm Proofpoint.

The researchers note that BazarLoader’s disappearance occurred about the same time a Ukrainian researcher with access to Conti’s operations – and apparently angry with Kremlin-linked Conti’s public support for Russia’s invasion of Ukraine – started leaking information from the organization, including its ties with BazarLoader.

In February, Conti reportedly took over the operation of the TrickBot botnet gang that developed BazarLoader. Researchers with both Proofpoint and Cybereason found code similarities between Bumblebee and TrickBot’s malware.

Bumblebee, like BazarLoader, is likely used to gain initial access to vulnerable systems and networks. The bad actors then sell that access to other cybercriminals, who deliver their malicious payloads into the compromised environments.

Google’s Threat Analysis Group (TAG) wrote in March about a threat group called Exotic Lily. The ad giant’s infosec researchers said Exotic Lily has links to Conti and Diavol, and used Bumblebee to launch large-scale phishing campaigns to gain initial access.

This week Proofpoint and Cybereason observed that, while there are strong overlaps with TrickBot’s code, Bumblebee has unique features and stronger anti-detection tools.

“From a threat research perspective, what makes this malware interesting is the fact that it was associated with the Conti ransomware group as one of the group’s…