The loader known as Bumblebee has returned from its “summer vacation,” showing up again after two months of inactivity.
However, the new campaign using this malicious agent behaves differently than in the past. This time the malware relies on distribution techniques that abuse WebDAV and 4shared services. In the past, Bumblebee became very well known among cybersecurity experts because it was used by ransomware groups such as Conti and Akira.
WebDAV (Web Distributed Authoring and Versioning) is an extension of the HTTP protocol that allows clients to perform remote operations such as creating, accessing, updating, and deleting web server content.
Intel471 researchers report that Bumblebee’s latest campaign, which began on September 7, 2023, abuses 4shared WebDAV services to deploy its loader and carry out all activities related to the infection. Abusing the 4shared platform, a legitimate file hosting service provider, helps the operators behind the malware evade blocklists and operate in total freedom.
Bumblebee returns from vacation with a new and fearsome infection technique
At the same time, the WebDAV protocol offers several ways to bypass detection systems based on behavioral anomaly analysis, with the added benefit of simplified deployment.
The current Bumblebee campaign is based on spam emails that pose as invoices and various financial notifications, complete with malicious attachments.
Most of the latter are LNK files, but there are also some ZIP archives containing LNK files. According to experts, this variety of attachments shows that the cybercriminals are experimenting with different solutions to refine the campaign.
Opening the LNK file launches a series of commands on the victim’s computer, starting with one that mounts a WebDAV folder as a network drive using hardcoded credentials for a 4shared storage account.
Intel471 reports that it has noticed the threat actors experimenting with different methods of stealing information and files from compromised computers, using the WebDAV folder to accumulate data.
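For defenders, the drive-mount step described above leaves a recognizable trace in process-creation logs. The following is an added detection sketch, not code from Intel471 or from the original article. It assumes the mount is performed with the Windows `net use` command (the article does not name the command), and the sample command lines, hosts and accounts are constructed.

```python
import re

# Assumption: substrings of hosts to escalate; the article names only 4shared.
WATCHED_HOST_PARTS = ("4shared",)

NET_USE = re.compile(r'\bnet1?(?:\.exe)?"?\s+use\b', re.I)
# Mount target: UNC (\\host[@SSL][@port]\share) or an http(s) URL.
TARGET = re.compile(r'\\\\(?P<unc>[^\\\s"]+)\\\S*|https?://(?P<url>[^/\s"]+)\S*', re.I)


def analyze(cmdline):
    """Return findings for one process command line (e.g. from process-creation logs)."""
    m = NET_USE.search(cmdline)
    if not m:
        return []
    # Only look at the net use invocation, not commands chained after it.
    rest = re.split(r"[&|]", cmdline[m.end():], maxsplit=1)[0]
    t = TARGET.search(rest)
    if not t:
        return []
    if t.group("unc"):
        host = t.group("unc").split("@")[0].lower()
        is_webdav = "@" in t.group("unc") or "davwwwroot" in t.group(0).lower()
    else:
        host = t.group("url").rsplit("@", 1)[-1].split(":")[0].lower()
        is_webdav = True
    if not is_webdav:
        return []  # plain SMB mount, out of scope for this check
    findings = ["webdav_mount:" + host]
    if any(part in host for part in WATCHED_HOST_PARTS):
        findings.append("file_hosting_service")
    # net use takes the password as a positional token after the target;
    # "*" means "prompt", anything else is a credential stored in the command.
    tail = rest[t.end():].split()
    password = [tok for tok in tail if not tok.startswith("/") and tok != "*"]
    if password and any(tok.lower().startswith("/user:") for tok in tail):
        findings.append("inline_credentials")
    return findings


# Constructed sample command lines (hosts, accounts and passwords are made up).
SAMPLES = [
    r"cmd.exe /c net use Z: \\dav.4shared.example@SSL\dav S3cret /user:acct@mail.example & dir Z:",
    r"net use * https://sharepoint.corp.example/sites/docs * /user:CORP\alice",
    r"net use H: \\fileserver01\home /persistent:yes",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(analyze(line), "<-", line)
```

A WebDAV mount on its own is common in enterprise environments, so the combination of a public file-hosting host and a password embedded in the command line is the signal worth alerting on.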