Buzzing in the Background: BumbleBee, a New Modular Backdoor Evolved From BookWorm


In March 2021, Trend Micro researchers investigated a backdoor with a unique modular architecture and called it BumbleBee due to a string embedded in the malware. Its type of modular framework has made Trend Micro static analysis more challenging because it required us to first rebuild its structure or use dynamic analysis to understand its functionality and behavior.

Trend Micro analysis found that BumbleBee only had little malicious code in its payload, and what it does on the surface is track keys and clipboard content. However, further investigation revealed a controller application that expands the malware’s capabilities.

This type of backdoor is similar to another of its kind called BookWorm, in which it can be inferred that BumbleBee is a refactored version of BookWorm. At the time of writing, BumbleBee has only been deployed in Taiwan; together with its use of Simplified Chinese as the language for its user interface, this malware can be suspected to be deployed by malicious Chinese actors.

Read more…
Source: Trend Micro