
Bumblebee malware adds post-exploitation tool for stealthy infections
2022-09-08 20:51

A new version of the Bumblebee malware loader has been spotted in the wild, featuring a new infection chain that uses the PowerSploit framework for stealthy reflective injection of a DLL payload into memory.

As Bumblebee is an evolved loader with advanced anti-analysis and anti-detection features, it was assumed that it would replace other loaders, such as BazarLoader, in initial compromise attacks followed by ransomware deployment.

The second stage features the same obfuscation as the first and contains the PowerSploit module to load the 64-bit malware into the memory of the PowerShell process using reflective injection.

"PowerSploit is an open-source post-exploitation framework in which the malware uses a method, Invoke-ReflectivePEInjection, for reflectively loading the DLL into the PowerShell Process," explains Cyble in the report.

With the new loading flow, Bumblebee loads from memory and never touches the host's disk, thus minimizing the chances of being detected and stopped by anti-virus tools.
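One way a defender can hunt for the loading flow described above is to scan PowerShell script block logs (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) for the PowerSploit function name together with the in-memory decode/load primitives that usually surround it. This is an added detection example, not code from the article or from Cyble; the indicator weights, the threshold and the sample records are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Indicators of PowerSploit-style reflective PE injection in a script block.
# Weights are an assumption: the function name alone is enough to alert,
# generic in-memory load primitives only alert in combination.
INDICATORS = {
    r"Invoke-ReflectivePEInjection": 5,
    r"-PEBytes\b": 3,
    r"\[System\.Reflection\.Assembly\]::Load\(": 3,
    r"FromBase64String\(": 2,
    r"VirtualAlloc\b": 2,
}
THRESHOLD = 5


@dataclass
class Finding:
    record_id: int
    score: int
    matched: list


def score_script_block(text: str) -> tuple:
    """Return (score, matched_patterns) for one 4104 ScriptBlockText."""
    score, matched = 0, []
    for pattern, weight in INDICATORS.items():
        if re.search(pattern, text, re.IGNORECASE):
            score += weight
            matched.append(pattern)
    return score, matched


def scan_4104_records(records):
    """records: iterable of (record_id, script_block_text) pairs taken from
    Event ID 4104. Returns the Findings whose score reaches THRESHOLD."""
    findings = []
    for rid, text in records:
        score, matched = score_script_block(text)
        if score >= THRESHOLD:
            findings.append(Finding(rid, score, matched))
    return findings


# Constructed sample script blocks, not real captured logs.
SAMPLE_RECORDS = [
    (1, "Get-ChildItem C:\\Users | Select-Object Name"),
    (2, "$b=[Convert]::FromBase64String($s); Invoke-ReflectivePEInjection -PEBytes $b"),
    (3, "$bytes=[Convert]::FromBase64String($blob); [System.Reflection.Assembly]::Load($bytes)"),
]

if __name__ == "__main__":
    for f in scan_4104_records(SAMPLE_RECORDS):
        print(f"record {f.record_id}: score {f.score}, matched {f.matched}")
```

Script block logging must be enabled for 4104 events to exist at all; because it records each block as the engine executes it, the inner, de-obfuscated stage that calls Invoke-ReflectivePEInjection is logged even when the outer stage is obfuscated.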

By increasing its stealthiness, Bumblebee becomes a more potent initial access threat and increases its chances of enticing ransomware and malware operators looking for ways to deploy their payloads.


News URL

https://www.bleepingcomputer.com/news/security/bumblebee-malware-adds-post-exploitation-tool-for-stealthy-infections/