Bumblebee Malware Loader’s Payloads Significantly Vary by Victim System

A new analysis of Bumblebee, a particularly pernicious malware loader that first surfaced this March, shows that its payload for systems that are part of an enterprise network is very different from its payload for standalone systems.

On systems that appear to be part of a domain — for example, systems that might share the same Active Directory server — the malware is programmed to drop sophisticated post-exploitation tools such as Cobalt Strike. On the other hand, when Bumblebee determines it has landed on a machine that is part of a workgroup — or peer-to-peer LAN — the payload generally tends to be banking and information stealers.

Different Malware

“While the victim’s geographical location didn’t seem to have any effect on the malware behavior, we observed a very stark difference between the way Bumblebee behaves after infecting machines,” Check Point said in a report this week based on a recent analysis of the malware.

“If the victim is connected to WORKGROUP, in most cases it receives the DEX command (Download and Execute), which causes it to drop and run a file from the disk,” Check Point said. However, if the system is connected to an AD domain, the malware uses Download and Inject (DIJ) or Download shellcode and Inject (SHI) commands to download advanced payloads such as Cobalt, Strike, Meterpreter, and Silver.

Check Point’s analysis adds to the growing volume of research around Bumblebee in the six months or so since researchers first observed the malware in the wild. The malware has garnered attention for several reasons. One of them is its relatively widespread use among multiple threat groups. In an April 2022 analysis, researchers from Proofpoint said they had observed at least three distinct threat groups distributing Bumblebee to deliver different second-stage payloads on infected systems, including ransomware such as Conti and Diavol. Google’s threat analysis group identified one of the actors distributing Bumblebee as an initial access broker they are tracking as “Exotic Lily.”

Proofpoint and other security researchers have described Bumblebee as being used by threat actors previously associated with BazaLoader, a prolific malware loader that among other…