Inside BumbleBee: A Malware Loader On The Rise
Research and Analysis • Aug 26, 2022
Origin : March 2022
Aliases :
Trojan.Win32.Generic
Program: Win32/Wacapew.C!m!
LNK:Agent-BD [Trj]
Win64/Kryptik.CZJ
Gen:Variant.Lazy.164691
Targeted Sectors : Government, Non-Government and Intergovernmental organizations, Corporate Businesses
Targeted Regions : Ukraine, China, USA, Hong Kong, The Netherlands
Motive : Data Theft
Infection Vectors : Phishing Email, Spear-phishing, Social Engineering, Software Cracks
BumbleBee is a relatively new malware loader that has quickly become a key component in the execution of a wide range of cyberattacks. It was first seen in phishing campaigns in March 2022 and is the most recent development of the Conti syndicate. The threat actors distributing the BumbleBee loader infiltrate systems and sell that access on to ransomware operators for a sizeable payment.
The malware’s rise comes with a drop in usage of Bazarloader earlier this year, which began after Conti assumed TrickBot’s operations. In fact, researchers have observed code overlaps between BumbleBee and TrickBot and other ransomware threats.
However, the malware’s emergence is no accident, and the transition seems to have been meticulously planned. Cybercriminals are likely to use BumbleBee to inject information stealers, cryptocurrency miners, and others.
BumbleBee is distributed via spear-phishing email campaigns. Malicious links are concealed in emails that appear critical, urgent, or official from reputed businesses or organizations.
The loader’s compact nature makes it the preferred multifunctional tool for cybercriminals and threat actors. Built in C++, BumbleBee works as a downloader that runs malicious code and delivers follow-on payloads such as Meterpreter and Cobalt Strike in compromised systems, using techniques such as shellcode injection and DLL injection.
BumbleBee supports multiple commands like “Ins” for bot persistence, “Dij” for DLL injection, and “Dex” for downloading executables.
The infection starts with a spam email; BumbleBee is delivered via malicious files that bundle a malicious DLL together with a shortcut (LNK) file that loads it.
It gains a foothold on infected endpoints by creating local Windows Management Instrumentation (WMI) calls which trigger two processes:
a) wabmig.exe (Microsoft contacts import tool) with injected Meterpreter agent code
b) wab.exe (Microsoft address book application) with an injected Cobalt Strike beacon.
It deploys post-exploitation tools with elevated privileges on infected machines via a User Account Control (UAC) bypass technique (fodhelper.exe).
The loader group uses a Cobalt Strike agent for lateral movement and persists on the organization network via AnyDesk, the remote management software. Moreover, the malware operators can compromise Active Directory and exploit confidential data, such as users’ logins and passwords, for lateral movement.
BumbleBee can detect virtualization environment processes to avoid running on virtual machines. After doing anti-virtualization checks, it retrieves and executes next-stage payloads in the form of Cobalt Strike, Sliver, Meterpreter, and shellcode.
The BumbleBee loader pilfers user credentials using two methods. The first extracts local usernames and passwords from the memory of the Local Security Authority Subsystem Service (LSASS) process. The second dumps registry hives with reg.exe:
(a) HKLM Security Account Manager (SAM): where Windows stores information about user accounts.
(b) HKLM Security: stores user logins and their Local Security Authority (LSA) secrets.
(c) HKLM System: contains keys that could be used to decrypt/encrypt the LSA secret and SAM database.
BumbleBee conducts intensive reconnaissance activities with the intent of stealing system-wide information and redirecting the output to files for exfiltration. It scans for domain names, users, hosts, and domain controllers through a broad range of tools, such as nltest, ping, tasklist, netview, and Adfind.
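The post-infection behaviours described above (WMI-spawned wab.exe/wabmig.exe hosting injected code, the fodhelper.exe UAC bypass, reg.exe hive dumping, and AD reconnaissance tooling) can be turned into host-level detections. The following Python is an added example, not code from the original article or from any vendor; it runs over constructed process-creation events, and the field names (host, parent, image, cmdline) and the WmiPrvSE.exe parent process are assumptions to be mapped onto your own telemetry.

```python
import re
from collections import defaultdict

# Hypothetical detection rules over process-creation telemetry (e.g. Sysmon
# Event ID 1). Field names host/parent/image/cmdline are assumed.
HIVES = re.compile(r"\bsave\b.*\bhklm\\(sam|security|system)\b", re.I)
RECON = {"nltest.exe", "adfind.exe", "net.exe", "tasklist.exe"}

def base(path):
    """Lower-cased file name of a full image path."""
    return path.rsplit("\\", 1)[-1].lower()

RULES = [
    # wab.exe / wabmig.exe launched by the WMI provider host (assumed parent)
    ("wmi_spawned_injection_host", lambda e: base(e["parent"]) == "wmiprvse.exe"
     and base(e["image"]) in {"wab.exe", "wabmig.exe"}),
    # fodhelper.exe auto-elevates; a shell child is the UAC-bypass signal
    ("fodhelper_uac_bypass", lambda e: base(e["parent"]) == "fodhelper.exe"
     and base(e["image"]) in {"cmd.exe", "powershell.exe", "rundll32.exe"}),
    # reg.exe exporting the SAM / SECURITY / SYSTEM hives
    ("registry_hive_dump", lambda e: base(e["image"]) == "reg.exe"
     and HIVES.search(e["cmdline"]) is not None),
    # domain reconnaissance tooling named in the article
    ("ad_recon_tool", lambda e: base(e["image"]) in RECON),
]

def match_events(events):
    """Return (rule_name, host) for every event that triggers a rule."""
    return [(name, e["host"]) for e in events for name, pred in RULES if pred(e)]

def hosts_with_chain(events, min_rules=2):
    """Hosts where at least min_rules distinct rules fired: lone recon is
    admin noise, recon plus hive dumping on one machine is not."""
    per_host = defaultdict(set)
    for name, host in match_events(events):
        per_host[host].add(name)
    return sorted(h for h, names in per_host.items() if len(names) >= min_rules)

# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"host": "WS01", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Program Files\Windows Mail\wab.exe", "cmdline": "wab.exe"},
    {"host": "WS01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save HKLM\SAM C:\Users\Public\sam.hive"},
    {"host": "WS01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\nltest.exe", "cmdline": "nltest /dclist:"},
    {"host": "WS02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\nltest.exe", "cmdline": "nltest /dsgetdc:"},
]
```

On the sample, WS01 trips three distinct rules and is reported by hosts_with_chain, while WS02 (a lone nltest run) only appears in the per-event hits.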
BumbleBee has links to several high-profile ransomware operations. Researchers at Symantec documented the malware loader and how it was used across multiple campaigns to deploy other loaders.
In one instance, BumbleBee operators used the AdFind tool to deploy the Quantum ransomware payload. The tool was also used in conjunction with Cobalt Strike to deliver the Avaddon ransomware payload. In mid-May 2022 a new version of AdFind was also detected; the tool has been used in various ransomware operations for a year. These tools were also used by the Conti and Mountlocker ransomware gangs in their campaigns.
With the rate at which BumbleBee is growing and spreading, it is strongly advised to take the right measures. Since spear-phishing appears to be the most common method of infecting systems, users must avoid opening attachments from unreliable sources or from suspicious emails and messages. Implement strong user access control, robust endpoint security, and logging for devices, systems, and applications.
Furthermore, security teams are advised to use real-time threat intelligence to keep up with changing TTPs of BumbleBee. Along with a comprehensive threat response platform, organizations can mitigate the impact of cyberattacks from threats like BumbleBee and proactively undertake actions to remove any scope for a future attack.
BumbleBee's links to several high-profile ransomware operations suggest that it has evolved into a central hub of cybercrime activity for criminals looking to steal and exploit data. Enterprises should take precautions against this malware and educate their employees on the most recent malware threats. Any organization that discovers a BumbleBee infection on its network should treat it as a top priority, because it can lead to the spread of other dangerous ransomware threats.
File Names
documents-0405-13.iso
Takzil.dll
Documents.lnk
setting.dll
StolenImages_Evidence.iso