Bumblebee Malware

    Date: 06/10/2025

    Severity: Medium

    Summary

    Our team observed the reappearance of Bumblebee malware in the cybercriminal landscape on February 8, 2024, following a four-month absence. Bumblebee is a sophisticated downloader used by multiple cybercriminal actors since it first appeared in March 2022; it was last seen in October 2023. In the February 2024 campaign, we detected thousands of phishing emails targeting U.S.-based organizations. The messages were sent from "info@quarlesaa[.]com" with the subject line "Voicemail February" and contained OneDrive URLs linking to malicious Word documents named in the form "ReleaseEvans#96.docm" (with varying digits). The documents were crafted to impersonate the consumer electronics company Humane.

    Indicators of Compromise (IOC) List

    URL/Domain

    https://1drv.ms/w/s!At-ya4h-odvFe-M3JKvLzB19GQA?e=djPGy

    https://1drv.ms/w/s!AuSuRB5deTxugQ-83_HzIqbBWuE1?e=9f2plW

    http://213.139.205.131/update_ver

    http://213.139.205.131/w_ver.dat

    q905hr35.life

    IP Address

    49.13.76.144

    Hash

    0cef17ba672793d8e32216240706cf46e3a2894d0e558906a1782405a8f4decf

    86a7da7c7ed5b915080ad5eaa0fdb810f7e91aa3e86034cbab13c59d3c581c0e

    2bc95ede5c16f9be01d91e0d7b0231d3c75384c37bfd970d57caca1e2bbe730f

    c34e5d36bd3a9a6fca92e900ab015aa50bb20d2cd6c0b6e03d070efe09ee689a

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "q905hr35.life" or siteurl like "q905hr35.life" or url like "q905hr35.life" or domainname like "https://1drv.ms/w/s!At-ya4h-odvFe-M3JKvLzB19GQA?e=djPGy" or siteurl like "https://1drv.ms/w/s!At-ya4h-odvFe-M3JKvLzB19GQA?e=djPGy" or url like "https://1drv.ms/w/s!At-ya4h-odvFe-M3JKvLzB19GQA?e=djPGy" or domainname like "http://213.139.205.131/update_ver" or siteurl like "http://213.139.205.131/update_ver" or url like "http://213.139.205.131/update_ver" or domainname like "https://1drv.ms/w/s!AuSuRB5deTxugQ-83_HzIqbBWuE1?e=9f2plW" or siteurl like "https://1drv.ms/w/s!AuSuRB5deTxugQ-83_HzIqbBWuE1?e=9f2plW" or url like "https://1drv.ms/w/s!AuSuRB5deTxugQ-83_HzIqbBWuE1?e=9f2plW" or domainname like "http://213.139.205.131/w_ver.dat" or siteurl like "http://213.139.205.131/w_ver.dat" or url like "http://213.139.205.131/w_ver.dat"

    Detection Query 2:

    dstipaddress IN ("49.13.76.144") or srcipaddress IN ("49.13.76.144")

    Detection Query 3:

    sha256hash IN ("c34e5d36bd3a9a6fca92e900ab015aa50bb20d2cd6c0b6e03d070efe09ee689a","0cef17ba672793d8e32216240706cf46e3a2894d0e558906a1782405a8f4decf","86a7da7c7ed5b915080ad5eaa0fdb810f7e91aa3e86034cbab13c59d3c581c0e","2bc95ede5c16f9be01d91e0d7b0231d3c75384c37bfd970d57caca1e2bbe730f")
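    The three queries above match the IOCs in three different log fields (URL/domain, source/destination IP, SHA-256). The script below is an added example, not part of the original advisory and not Gurucul TDIR code, that applies the same three checks to a handful of constructed proxy, DNS, netflow and EDR records so the matching rules can be tested offline. Field names (url, query_name, src_ip, dst_ip, sha256) are assumptions and will differ per SIEM; 213.139.205.131 is added to the IP set because it is the host of the two http:// URLs listed above.

```python
"""Apply the Bumblebee IOCs from the advisory to sample log records.

Added example, not the advisory's or Gurucul's own code. Log records and
field names are constructed for illustration.
"""
from urllib.parse import urlsplit

# IOCs copied from the advisory. 213.139.205.131 is derived from the URLs.
IOC_URLS = {
    "https://1drv.ms/w/s!At-ya4h-odvFe-M3JKvLzB19GQA?e=djPGy",
    "https://1drv.ms/w/s!AuSuRB5deTxugQ-83_HzIqbBWuE1?e=9f2plW",
    "http://213.139.205.131/update_ver",
    "http://213.139.205.131/w_ver.dat",
}
IOC_DOMAINS = {"q905hr35.life"}
IOC_IPS = {"49.13.76.144", "213.139.205.131"}
IOC_SHA256 = {
    "0cef17ba672793d8e32216240706cf46e3a2894d0e558906a1782405a8f4decf",
    "86a7da7c7ed5b915080ad5eaa0fdb810f7e91aa3e86034cbab13c59d3c581c0e",
    "2bc95ede5c16f9be01d91e0d7b0231d3c75384c37bfd970d57caca1e2bbe730f",
    "c34e5d36bd3a9a6fca92e900ab015aa50bb20d2cd6c0b6e03d070efe09ee689a",
}


def url_key(url):
    """Normalise a URL to (host, path). The host is case-insensitive; the
    path is kept verbatim because OneDrive share tokens are case-sensitive.
    The query string (the ?e=... tracking parameter) is dropped so the share
    link still matches when it is visited without it (assumption)."""
    parts = urlsplit(url.strip())
    return (parts.hostname or "").lower(), parts.path


IOC_URL_KEYS = {url_key(u) for u in IOC_URLS}


def domain_hit(name):
    """True if name is an IOC domain or a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in IOC_DOMAINS)


def check_record(rec):
    """Return the list of IOC matches for one record (empty list = clean)."""
    hits = []
    url = rec.get("url")
    if url:
        host, _ = url_key(url)
        if url_key(url) in IOC_URL_KEYS:
            hits.append("url:" + url)
        # Host-only match for the IOC domain and raw IPs. 1drv.ms itself is
        # Microsoft's OneDrive short-link domain, so it is deliberately NOT
        # matched on host alone; only the full share path is.
        elif domain_hit(host) or host in IOC_IPS:
            hits.append("url-host:" + host)
    # Query 1 equivalent for DNS / domain fields.
    for field in ("domain", "query_name"):
        if rec.get(field) and domain_hit(rec[field]):
            hits.append(field + ":" + rec[field])
    # Query 2 equivalent: either direction of the flow.
    for field in ("src_ip", "dst_ip"):
        if rec.get(field) in IOC_IPS:
            hits.append(field + ":" + rec[field])
    # Query 3 equivalent: case-insensitive hash compare.
    digest = (rec.get("sha256") or "").lower()
    if digest in IOC_SHA256:
        hits.append("sha256:" + digest[:12])
    return hits


def hunt(records):
    """Return [(index, hits)] for every record that matched at least one IOC."""
    out = []
    for i, rec in enumerate(records):
        hits = check_record(rec)
        if hits:
            out.append((i, hits))
    return out


# Constructed sample records (not real telemetry).
SAMPLE_LOGS = [
    {"source": "proxy", "src_ip": "10.0.4.17",
     "url": "https://1drv.ms/w/s!At-ya4h-odvFe-M3JKvLzB19GQA"},   # share link, no ?e=
    {"source": "proxy", "src_ip": "10.0.4.17",
     "url": "http://213.139.205.131/w_ver.dat"},
    {"source": "proxy", "src_ip": "10.0.4.22",
     "url": "https://1drv.ms/w/s!UnrelatedShareTokenForTesting"},  # benign OneDrive use
    {"source": "dns", "src_ip": "10.0.4.17", "query_name": "cdn.q905hr35.life"},
    {"source": "netflow", "src_ip": "10.0.4.17", "dst_ip": "49.13.76.144"},
    {"source": "edr", "host": "WS-0417",
     "sha256": "C34E5D36BD3A9A6FCA92E900AB015AA50BB20D2CD6C0B6E03D070EFE09EE689A"},
    {"source": "edr", "host": "WS-0422", "sha256": "0" * 64},
]

if __name__ == "__main__":
    for idx, hits in hunt(SAMPLE_LOGS):
        print(idx, SAMPLE_LOGS[idx]["source"], hits)
```

    Two points the queries above do not make explicit: the OneDrive links only become useful IOCs when matched on the full share path, since host-only matching on 1drv.ms would flag every legitimate OneDrive link in the environment; and because hosting IPs are reassigned, matches on 49.13.76.144 and 213.139.205.131 should be scoped to the campaign window (February 2024 onward) and corroborated with the URL, domain or hash hits before escalation.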

    Reference:

    https://www.csk.gov.in/alerts/Bumblebee_malware.html

    https://www.proofpoint.com/us/blog/threat-insight/bumblebee-buzzes-back-black


    Tags

    Malware, Bumblebee, Phishing, CSK - India, United States
