February 13, 2024

Summary

Today, Proofpoint announced that on February 8th, 2024 it began seeing attacks using Bumblebee malware, which had been absent from the threat landscape for several months. In the most recent campaign, US companies were targeted with an email with the subject “Voicemail February” from info@quarlessa[.]com. The emails contain OneDrive URLs that lead to a Word file with a name such as “ReleaseEvans#96.docm” (the names vary), while spoofing the consumer electronics company Humane.

Severity

5ironCyber considers this a serious threat. 

Actions Taken

  • For Managed Email Gateway clients, we have added info@quarlessa[.]com to your organizational block list.
  • For Managed EDR clients, available hashes have been added to the threat intelligence in your EDR platform.
  • For Managed Firewall clients, associated URLs and IPs have been added to the 5iTiD rules to ensure they will be blocked.
  • This is an emerging threat. 5ironCyber is actively monitoring the situation and adding data to our threat feeds as it becomes available.

Recommendation

5ironCyber recommends blocking the sender of the current campaign in your email gateway and adding the IOCs to any EDR and firewall platforms that are not managed by us.
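For mail that was delivered before the block was in place, a retrospective search of gateway logs for the indicators in the Summary is a useful companion check. The following is an added example, not 5ironCyber or Proofpoint code. It assumes a hypothetical log schema (`id`, `from`, `subject`, `urls`), the listed OneDrive hostnames, and that a subject match plus a OneDrive link is worth reviewing even when the sender differs.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Indicators from the advisory; the sender stays defanged as published.
SENDER_IOC = "info@quarlessa[.]com"
SUBJECT_IOC = "Voicemail February"
# Assumption: hostnames commonly used for OneDrive share links.
ONEDRIVE_HOSTS = {"1drv.ms", "onedrive.live.com"}

def refang(value: str) -> str:
    """Convert a defanged indicator (hxxp, [.]) into its matchable form."""
    return re.sub(r"^hxxp", "http", value.replace("[.]", "."), flags=re.I)

def classify(record: dict) -> list:
    """Return which campaign indicators a mail-log record matches."""
    hits = []
    # parseaddr drops display names, so '"Voicemail" <addr>' still matches.
    addr = parseaddr(record.get("from", ""))[1].lower()
    if addr == refang(SENDER_IOC).lower():
        hits.append("sender")
    if SUBJECT_IOC.lower() in record.get("subject", "").lower():
        hits.append("subject")
    hosts = {(urlsplit(refang(u)).hostname or "").lower()
             for u in record.get("urls", [])}
    if hosts & ONEDRIVE_HOSTS:
        hits.append("onedrive_url")
    return hits

def hunt(records: list) -> dict:
    """Flag records with the known sender, or the subject plus a OneDrive link."""
    flagged = {}
    for rec in records:
        hits = classify(rec)
        if "sender" in hits or {"subject", "onedrive_url"} <= set(hits):
            flagged[rec["id"]] = hits
    return flagged

# Constructed sample records (hypothetical log schema: id, from, subject, urls).
SAMPLE = [
    {"id": 1, "from": f'"Voicemail" <{refang(SENDER_IOC).upper()}>',
     "subject": "Voicemail February", "urls": ["https://1drv.ms/w/CONSTRUCTED1"]},
    {"id": 2, "from": "sender@example.com", "subject": "voicemail february",
     "urls": ["hxxps://1drv[.]ms/w/CONSTRUCTED2"]},
    {"id": 3, "from": "colleague@example.com", "subject": "Q1 report",
     "urls": ["https://onedrive.live.com/view?id=CONSTRUCTED3"]},
    {"id": 4, "from": "news@example.org", "subject": "Voicemail February", "urls": []},
]

if __name__ == "__main__":
    for rec_id, hits in hunt(SAMPLE).items():
        print(rec_id, hits)
```

Records 3 and 4 match only one weak indicator each and are left unflagged, which keeps ordinary OneDrive sharing out of the review queue.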

Sources