Tracking Bumblebee’s Development

Back to the list of Speakers and Sessions
Watch the stream

In March 2022, a new buzz called Bumblebee appeared in the eCrime scene. This loader is built to execute tasks from its command-and-control (C2), and deliver payloads such as CobaltStrike. But its development doesn’t stop there. In the span of less than a year, Bumblebee has been through several incremental updates, to such an extent, that this malware may be one of the most actively maintained malware families out there.

This presentation aims to get a sense of the operator’s development process behind Bumbleebee – how it changes and adapts in response to current endpoint defense efforts– and how its techniques compare to other botnet families.

This presentation will touch on the following areas of the malware: 1. A brief overview of Bumblebee's execution on a system - the importance of its loader, how it executes, communicates with the C2 and the role of the hook module. 2. A chronological view of the development cycle of the malware showing features introduced in response to public reporting, testing new code implementations and refactoring. 3. Comparing Bumblebee’s choice of techniques to that of other known botnet families - the overlaps seen and assessing each techniques’ pros and cons.