Date: 06/10/2025
Severity: Medium
Summary
Our team observed the reappearance of Bumblebee malware in the cybercriminal landscape on February 8, 2024, following a four-month absence. Bumblebee is a sophisticated downloader favored by various cybercriminal actors since its initial emergence in March 2022, and it remained active until October 2023. In the February 2024 campaign, we detected thousands of phishing emails targeting U.S.-based organizations. These messages, sent from "info@quarlesaa[.]com" with the subject line "Voicemail February", contained OneDrive URLs that linked to malicious Word documents with names such as "ReleaseEvans#96.docm" (the digits vary between samples). The documents were crafted to impersonate the consumer electronics company Humane.
Indicators of Compromise (IOC) List
Type | Indicator
URL/Domain | https://1drv.ms/w/s!At-ya4h-odvFe-M3JKvLzB19GQA?e=djPGy
URL/Domain | https://1drv.ms/w/s!AuSuRB5deTxugQ-83_HzIqbBWuE1?e=9f2plW
URL/Domain | http://213.139.205.131/update_ver
URL/Domain | http://213.139.205.131/w_ver.dat
URL/Domain | q905hr35.life
IP Address | 49.13.76.144
Hash (SHA-256) | 0cef17ba672793d8e32216240706cf46e3a2894d0e558906a1782405a8f4decf
Hash (SHA-256) | 86a7da7c7ed5b915080ad5eaa0fdb810f7e91aa3e86034cbab13c59d3c581c0e
Hash (SHA-256) | 2bc95ede5c16f9be01d91e0d7b0231d3c75384c37bfd970d57caca1e2bbe730f
Hash (SHA-256) | c34e5d36bd3a9a6fca92e900ab015aa50bb20d2cd6c0b6e03d070efe09ee689a
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (URL and domain indicators):
domainname like "q905hr35.life" or siteurl like "q905hr35.life" or url like "q905hr35.life" or domainname like "https://1drv.ms/w/s!At-ya4h-odvFe-M3JKvLzB19GQA?e=djPGy" or siteurl like "https://1drv.ms/w/s!At-ya4h-odvFe-M3JKvLzB19GQA?e=djPGy" or url like "https://1drv.ms/w/s!At-ya4h-odvFe-M3JKvLzB19GQA?e=djPGy" or domainname like "http://213.139.205.131/update_ver" or siteurl like "http://213.139.205.131/update_ver" or url like "http://213.139.205.131/update_ver" or domainname like "https://1drv.ms/w/s!AuSuRB5deTxugQ-83_HzIqbBWuE1?e=9f2plW" or siteurl like "https://1drv.ms/w/s!AuSuRB5deTxugQ-83_HzIqbBWuE1?e=9f2plW" or url like "https://1drv.ms/w/s!AuSuRB5deTxugQ-83_HzIqbBWuE1?e=9f2plW" or domainname like "http://213.139.205.131/w_ver.dat" or siteurl like "http://213.139.205.131/w_ver.dat" or url like "http://213.139.205.131/w_ver.dat"

Detection Query 2 (IP address indicator):
dstipaddress IN ("49.13.76.144") or srcipaddress IN ("49.13.76.144")

Detection Query 3 (SHA-256 file hashes):
sha256hash IN ("c34e5d36bd3a9a6fca92e900ab015aa50bb20d2cd6c0b6e03d070efe09ee689a","0cef17ba672793d8e32216240706cf46e3a2894d0e558906a1782405a8f4decf","86a7da7c7ed5b915080ad5eaa0fdb810f7e91aa3e86034cbab13c59d3c581c0e","2bc95ede5c16f9be01d91e0d7b0231d3c75384c37bfd970d57caca1e2bbe730f")
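For teams that do not run Gurucul TDIR, the same three queries, together with the lure details from the summary (sender, subject and attachment name pattern), can be applied to exported proxy, firewall, mail and EDR records with a small matcher. The script below is an added example written for this page; it is not Gurucul's code and not part of the advisory. The indicator values are copied from the IOC list above (213.139.205.131 is included as an IP because it is the host of two listed URLs; the sender is the re-fanged form of the address in the summary). The log records, their field names (url, src_ip, dst_ip, sha256, sender, subject, filename) and the private and TEST-NET addresses in them are constructed for the example.

```python
"""Match constructed log records against the Bumblebee IOCs listed in this advisory."""
import re
from urllib.parse import urlparse

# --- Indicators copied from the advisory's IOC list ---
IOC_URLS = {
    "https://1drv.ms/w/s!At-ya4h-odvFe-M3JKvLzB19GQA?e=djPGy",
    "https://1drv.ms/w/s!AuSuRB5deTxugQ-83_HzIqbBWuE1?e=9f2plW",
    "http://213.139.205.131/update_ver",
    "http://213.139.205.131/w_ver.dat",
}
IOC_DOMAINS = {"q905hr35.life"}
# 49.13.76.144 is the listed IP; 213.139.205.131 is the host of two listed URLs.
IOC_IPS = {"49.13.76.144", "213.139.205.131"}
IOC_SHA256 = {
    "0cef17ba672793d8e32216240706cf46e3a2894d0e558906a1782405a8f4decf",
    "86a7da7c7ed5b915080ad5eaa0fdb810f7e91aa3e86034cbab13c59d3c581c0e",
    "2bc95ede5c16f9be01d91e0d7b0231d3c75384c37bfd970d57caca1e2bbe730f",
    "c34e5d36bd3a9a6fca92e900ab015aa50bb20d2cd6c0b6e03d070efe09ee689a",
}
# Lure details from the summary: re-fanged sender, subject line, attachment name pattern.
LURE_SENDER = "info@quarlesaa.com"
LURE_SUBJECT = "voicemail february"
LURE_ATTACHMENT = re.compile(r"^ReleaseEvans#\d+\.docm$", re.IGNORECASE)


def host_of(url: str) -> str:
    """Return the lowercase host part of a URL, or '' if it cannot be parsed."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def match_record(rec: dict) -> list:
    """Return the sorted list of indicator types one log record matches ([] if clean)."""
    hits = set()
    url = rec.get("url", "")
    if url:
        if url in IOC_URLS:                      # exact URL match (Query 1, url field)
            hits.add("url")
        host = host_of(url)
        if host in IOC_DOMAINS:                  # domain match (Query 1, domainname field)
            hits.add("domain")
        if host in IOC_IPS:                      # URL whose host is a listed IP
            hits.add("ip")
    for key in ("src_ip", "dst_ip"):             # Query 2: either direction
        if rec.get(key) in IOC_IPS:
            hits.add("ip")
    if rec.get("sha256", "").lower() in IOC_SHA256:   # Query 3, case-insensitive
        hits.add("sha256")
    if (rec.get("sender", "").lower() == LURE_SENDER
            and rec.get("subject", "").strip().lower() == LURE_SUBJECT):
        hits.add("lure-email")
    if LURE_ATTACHMENT.match(rec.get("filename", "")):
        hits.add("lure-attachment")
    return sorted(hits)


def scan(records: list) -> dict:
    """Map record id -> matched indicator types for every record with at least one hit."""
    result = {}
    for rec in records:
        hits = match_record(rec)
        if hits:
            result[rec["id"]] = hits
    return result


# Constructed sample records (private and TEST-NET addresses; not real telemetry).
SAMPLE_LOGS = [
    {"id": 1, "src_ip": "10.0.0.21", "dst_ip": "203.0.113.10", "url": "https://example.com/index.html"},
    {"id": 2, "src_ip": "10.0.0.21", "dst_ip": "49.13.76.144", "url": ""},
    {"id": 3, "src_ip": "10.0.0.33", "dst_ip": "213.139.205.131", "url": "http://213.139.205.131/w_ver.dat"},
    {"id": 4, "sender": "info@quarlesaa.com", "subject": "Voicemail February", "filename": "ReleaseEvans#42.docm"},
    {"id": 5, "sha256": "0CEF17BA672793D8E32216240706CF46E3A2894D0E558906A1782405A8F4DECF"},
    {"id": 6, "url": "https://q905hr35.life/"},
]

if __name__ == "__main__":
    for rec_id, hits in scan(SAMPLE_LOGS).items():
        print(f"record {rec_id}: {', '.join(hits)}")
```

Two choices differ from the TDIR queries on purpose: hashes are lowercased before comparison, because EDR exports are inconsistent about case, and URLs are matched on their parsed host as well as the full string, so a hit on q905hr35.life or on the 213.139.205.131 host does not depend on the exact path being logged.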
References:
https://www.csk.gov.in/alerts/Bumblebee_malware.html
https://www.proofpoint.com/us/blog/threat-insight/bumblebee-buzzes-back-black