A large-scale phishing campaign has been identified that has already targeted thousands of organizations in the United States and could expand to other regions. The campaign distributes Bumblebee, a malware loader first identified in 2022 and thought to be a replacement for the widely used BazarLoader. Bumblebee is used to gain initial access to networks and has featured in many successful cyberattacks: the loader is rented to cybercriminals, or the access it provides to compromised networks is sold on to groups such as ransomware gangs. It has been linked to several high-profile threat actors and ransomware operations, including the now-defunct Conti group.

Bumblebee had not been observed for around four months, but it has now returned in a large campaign. The phishing emails use a variety of lures and social engineering techniques to trick recipients into downloading and executing the malware. The latest campaign, for instance, included thousands of emails with the subject "Voicemail February", claiming the recipient had missed a voice call and instructing them to download the recording; opening the download starts the infection chain. Other emails in the campaign spoof trusted companies, such as the electronics firm Humane, and deliver Word documents containing malicious macros. Rather than attaching the document, the email carries a OneDrive link from which the document is downloaded, an attempt to evade email security solutions because OneDrive is a legitimate and trusted service. Previous campaigns used DocuSign-branded emails that trick users into downloading a zipped ISO file from OneDrive. The group is also known to hijack existing email threads so that its messages appear to be replies to earlier conversations with known contacts.
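The lures described above (a voicemail-themed subject, a OneDrive link in place of an attachment, a macro document or zipped ISO, a message dressed up as a reply to an existing thread) can be turned into gateway-side triage heuristics. The following is an added example written for this page, not TitanHQ or SpamTitan code; the host list, file extensions, lure words, score weighting and the three sample messages are assumptions constructed for illustration. A hit on the OneDrive host alone is deliberately not treated as malicious, since the service is legitimate; it is the combination of signals that merits a closer look.

```python
"""Triage heuristics for Bumblebee-style phishing lures.

Added example for this article, not code from the page or any vendor.
Indicator lists, weights and sample messages are assumptions.
"""
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Assumed indicator lists: tune these to your own environment.
FILE_HOST_SUFFIXES = ("1drv.ms", "onedrive.live.com")          # legitimate service, only a signal in combination
RISKY_EXTENSIONS = (".docm", ".xlsm", ".iso", ".img", ".zip")  # macro documents and container formats
LURE_WORDS = ("voicemail", "voice message", "missed call", "docusign")

URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)


def _bodies(msg: Message) -> str:
    """Concatenate decoded text parts so links in plain and HTML bodies are both inspected."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def _attachment_names(msg: Message) -> list:
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def _host_matches(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in FILE_HOST_SUFFIXES)


def triage(raw: str) -> dict:
    """Return the indicators found in one RFC 822 message and a simple score (one point per indicator)."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").lower()
    urls = URL_RE.findall(_bodies(msg))
    names = [u.rstrip(".,);") for u in urls] + _attachment_names(msg)
    found = []

    if any(w in subject for w in LURE_WORDS):
        found.append("lure_subject")
    # The link-instead-of-attachment trick: payload hosted on a trusted file-sharing service.
    if any(_host_matches(u) for u in urls):
        found.append("cloud_file_link")
    if any(n.lower().endswith(RISKY_EXTENSIONS) for n in names):
        found.append("risky_payload_name")
    # Thread-hijack heuristic (assumption): looks like a reply but carries no threading headers.
    if subject.startswith(("re:", "fw:", "fwd:")) and not (msg.get("In-Reply-To") or msg.get("References")):
        found.append("fake_reply")

    return {"indicators": found, "score": len(found)}


# Constructed sample messages for illustration; not real campaign emails.
SUSPICIOUS = """\
From: no-reply@example.invalid
To: staff@corp.example
Subject: Voicemail February
Content-Type: text/plain

You missed a call. Download the recording here:
https://1drv.ms/u/s!AbCdEf/Voicemail_February.zip
"""

HIJACK = """\
From: vendor@example.invalid
To: staff@corp.example
Subject: RE: Order confirmation 4471
Content-Type: text/plain

As discussed, the signed document is here:
https://onedrive.live.com/download?cid=0123&resid=0123%21456
"""

BENIGN = """\
From: colleague@corp.example
To: staff@corp.example
Subject: Re: Q3 budget
In-Reply-To: <123@corp.example>
Content-Type: text/plain

Updated figures are in the shared drive, see https://docs.python.org/3/ for the library docs.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("hijack", HIJACK), ("benign", BENIGN)):
        print(label, triage(raw))
```

The heuristics only reflect the behaviours the campaign is reported to use; a real gateway rule would add the link-following and sandbox detonation steps that the lure is designed to evade, and would log each indicator separately so analysts can tune the thresholds.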

Multiple threat actors are believed to use the rented malware, including initial access brokers who work with ransomware gangs. Bumblebee infections are often followed by additional payloads, including Cobalt Strike, Meterpreter, Sliver and shellcode, and frequently precede ransomware attacks. To combat Bumblebee infections, businesses should implement robust defenses against phishing. An advanced email security solution with AI and machine learning capabilities is needed to detect novel phishing attempts. SpamTitan Plus uses machine learning to identify emails that deviate from those a business typically receives; links are rewritten and followed and the destination URL is assessed, which matters for a campaign that hides its payload behind a OneDrive link rather than in an attachment. All emails are scanned for malware, and suspicious attachments are sent to a Bitdefender-powered sandbox for behavioral analysis.

Security awareness training should be provided to the workforce to improve resilience to phishing by teaching security best practices and how to recognize phishing attempts. SafeTitan is a comprehensive security awareness training platform and phishing simulator whose content is updated regularly as phishing tactics change, including those used in Bumblebee campaigns. It is also recommended to enforce multi-factor authentication on accounts, perform daily backups and store copies offline, deploy next-generation antivirus on endpoints, block macros in Office documents downloaded from the internet given the macro-based lure, and apply least-privilege access controls and network segmentation to limit lateral movement.