The malware loader known as Bumblebee is being increasingly co-opted by threat actors

guest · Aug 18, 2022

Hackers Using Bumblebee Loader to Compromise Active Directory Services
August 18, 2022

The malware loader known as Bumblebee is being increasingly co-opted by threat actors associated with BazarLoader, TrickBot, and IcedID in their campaigns to breach target networks for post-exploitation activities.

"Bumblebee operators conduct intensive reconnaissance activities and redirect the output of executed commands to files for exfiltration," Cybereason researchers Meroujan Antonyan and Alon Laufer said in a technical write-up.
Bumblebee first came to light in March 2022 when Google's Threat Analysis Group (TAG) unmasked the activities of an initial access broker dubbed Exotic Lily with ties to the TrickBot and the larger Conti collectives.
Click to expand...

Typically delivered via initial access acquired through spear-phishing campaigns, the modus operandi has since been tweaked by eschewing macro-laced documents in favor of ISO and LNK files, primarily in response to Microsoft's decision to block macros by default.

"Distribution of the malware is done by phishing emails with an attachment or a link to a malicious archive containing Bumblebee," the researchers said. "The initial execution relies on the end-user execution which has to extract the archive, mount an ISO image file, and click a Windows shortcut (LNK) file."
Click to expand...

Also employed during the attack is the Cobalt Strike adversary simulation framework upon gaining elevated privileges on infected endpoints, enabling the threat actor to laterally move across the network. Persistence is achieved by deploying AnyDesk remote desktop software.
Click to expand...

Cybereason: THREAT ANALYSIS REPORT: Bumblebee Loader – The High Road to Enterprise Domain Control

KEY FINDINGS

User-Driven Execution: The majority of the infections with Bumblebee we have observed started by end-users executing LNK files which use a system binary to load the malware. Distribution of the malware is done by phishing emails with an attachment or a link to the malicious archive containing Bumblebee.

Intensive Reconnaissance and Data Exfiltration: Bumblebee operators conduct intensive reconnaissance activities and redirect the output of executed commands to files for exfiltration.

Active Directory Compromise: The attackers compromised Active Directory and leveraged confidential data such as users’ logins and passwords for lateral movement. The time it took between initial access and Active Directory compromise was less than two days.

Under Active Development: Cybereason GSOC has observed threat actors transitioning from BazarLoader, Trickbot, and IcedID to Bumblebee, which seems to be in active development and generally the loader of choice for many threat actors.

Click to expand...

Critical Severity: Attacks involving Bumblebee must be treated as critical. Based on GSOC findings, the next step for the threat actors is ransomware deployment, and this loader is known for ransomware delivery.

Cybereason Managed Detection and Response (MDR): The Cybereason GSOC team has a zero-tolerance policy towards attacks involving Bumblebee and any other loader, and categorizes such attacks as critical, high-severity incidents. The Cybereason GSOC MDR Team issues a comprehensive report to customers when such an incident occurs. The report provides an in-depth overview of the incident, which helps to understand the scope of the compromise and the impact on the customer’s environment. These reports also provide attribution information whenever possible, as well as recommendations for threat mitigation and isolation.

Click to expand...

guest · Sep 8, 2022

Bumblebee malware adds post-exploitation tool for stealthy infections
By Bill Toulas @billtoulas - September 8, 2022

A new version of the Bumblebee malware loader has been spotted in the wild, featuring a new infection chain that uses the PowerSploit framework for stealthy reflective injection of a DLL payload into memory.

Bumblebee was discovered in April, involved in phishing campaigns believed to be orchestrated by the same actors behind BazarLoader and TrickBot, i.e., the Conti syndicate.
Bumblebee's distribution rate reached notable levels in the ensuing months, yet the new loader never became dominant in the field.
Click to expand...

According to a report by Cyble, based on a finding by threat researcher Max Malyutin, the authors of Bumblebee are preparing a comeback from the summer hiatus of spam operations, using a new execution flow.
Execution from memory
Previously, Bumblebee reached victims via emails carrying password-protected zipped ISO files that contained an LNK (for executing the payload) and a DLL file (the payload).

Instead of executing Bumblebee (DLL) directly, the LNK now executes "imagedata.ps1," which launches a PowerShell window and hides it from the user by abusing the 'ShowWindow' command.
Click to expand...

The second stage features the same obfuscation as the first and contains the PowerSploit module to load the 64-bit malware (LdrAddx64.dll) into the memory of the PowerShell process using reflective injection.

"PowerSploit is an open-source post-exploitation framework in which the malware uses a method, Invoke-ReflectivePEInjection, for reflectively loading the DLL into the PowerShell Process," explains Cyble in the report.
With the new loading flow, Bumblebee loads from memory and never touches the host's disk, thus minimizing the chances of being detected and stopped by anti-virus tools.
Click to expand...

By increasing its stealthiness, Bumblebee becomes a more potent initial access threat and increases its chances of enticing ransomware and malware operators looking for ways to deploy their payloads.
Click to expand...

Cyble: Bumblebee Returns With New Infection Technique

Bumblebee, a recently developed malware loader, has quickly become a key component in a wide range of cyberattacks, besides replacing the existing BazarLoader. In an attempt to stay a step ahead of cybersecurity entities, Threat Actors (TAs) are constantly adapting new techniques and continuously monitoring to stay updated on the defense mechanisms employed by enterprises. Similarly, TAs behind the sophisticated Bumblebee loader keep updating its capabilities in order to strengthen its evasive maneuvers and anti-analysis tricks.

CRIL has been closely monitoring the Bumblebee malware group and other similar TA groups for a better understanding of their motivations and keeping our readers well-informed on the latest cybercrime news and cybersecurity challenges.
Click to expand...

EASTER · Sep 8, 2022

Slippery sneaky computer system harasser's- We'll see about that

Previously, Bumblebee reached victims via emails carrying password-protected zipped ISO files that contained an LNK (for executing the payload) and a DLL file (the payload).

Instead of executing Bumblebee (DLL) directly, the LNK now executes "imagedata.ps1," which launches a PowerShell window and hides it from the user by abusing the 'ShowWindow' command.
Click to expand...

wat0114 · Sep 8, 2022

Quoted from the posted link:

The initial infection starts with a spam email that has a password-protected attachment that contains a .VHD (Virtual Hard Disk) extension file.
Click to expand...

This is where the end user potential target victim needs a little bit of self education: why open this kind of attachment in the first place??

Some nice security utilities to aid in blocking this attachment in case of a click-happy target:

OSArmor: Block execution of .ps1 (PowerShell) scripts

Hard_Configurator: Block Sponsors->PowerShell.exe & LNK designated file types except in whitelisted locations.

Note that antivirus is not necessarily required to prevent this exploit from executing in the first place.

Log in or Sign up

The malware loader known as Bumblebee is being increasingly co-opted by threat actors

guest Guest

guest Guest

EASTER Registered Member

wat0114 Registered Member

Log in or Sign up

The malware loader known as Bumblebee is being increasingly co-opted by threat actors

guest Guest

guest Guest

EASTER Registered Member

wat0114 Registered Member

Useful Searches