Some interesting and disturbing changes are afoot in the hacking world. It appears that the TrickBot gang is now working for the Conti Syndicate. TrickBot is a well-known group of botnet developers responsible for the creation of the BazarLoader. BazarLoader has been used by Conti in the past as their delivery system of choice when it comes to delivering ransomware as part of one of their sophisticated phishing campaigns.
Now though, the Conti Syndicate has a new tool at their disposal. A newly developed malware loader dubbed Bumblebee. Eli Salem is a seasoned malware reverse engineer at Cyberreason. Salem says that the techniques used by Bumblebee are similar to those used by BazarLoader. This suggests that they were developed by the same team, which points the way back to TrickBot.
So TrickBot’s developers made a new toy for the Conti Syndicate. Since Bumblebee became available, security researchers at Proofpoint and other organizations have been seeing evidence that other groups are switching away from BazarLoader and IcedID (also highly similar) in preference for Bumblebee.
Although similar in its overall structure to BazarLoader, Bumblebee appears to be a more advanced version.
It can support a wide range of commands, including but not limited to:
- Shi: shellcode injection
- Dij: DLL injection in the memory of other processes
- Dex: Download executable
- dl: uninstall loader
- And Ins: enable persistence via a scheduled task for a Visual Basic Script that loads Bumblebee
Worse is that there is clear evidence that Bumblebee is being actively developed and gains new features and capabilities with every update.
As of the update observed on April 19th, for example, the malicious code now supports multiple command-and-control servers. The development team has recently added an encryption layer that makes it more difficult to track communications to and from the command-and-control server.
What this means in terms of the bigger picture is anyone’s guess. It seems clear that there’s a growing level of cooperation and coordination in the hacking world lately, and that should scare just about everyone.
