Bumblebee Malware Loader’s Payloads Significantly Vary by Victim System

A new analysis of Bumblebee, a particularly pernicious malware loader that first surfaced this March, shows that its payload for systems that are part of an enterprise network is very different from its payload for standalone systems.

On systems that appear to be part of a domain — for example, systems that might share the same Active Directory server — the malware is programmed to drop sophisticated post-exploitation tools such as Cobalt Strike. On the other hand, when Bumblebee determines it has landed on a machine that is part of a workgroup — or peer-to-peer LAN — the payload generally consists of banking and information stealers.

Different Malware

“While the victim’s geographical location didn’t seem to have any effect on the malware behavior, we observed a very stark difference between the way Bumblebee behaves after infecting machines,” Check Point said in a report this week based on a recent analysis of the malware.

“If the victim is connected to WORKGROUP, in most…