Post thumbnail

By: Max Malyutin – Orion Threat Research Team Leader 

Orion, Cynet’s Threat Research and Intelligence team, spotted a new malware campaign in the wild: BumbleBee.

Wondering what’s going on? Let us fill you in.

We noticed a new trend in Initial Access Brokers’ (IAB) tactics to gain access to their victims’ machines. Initial Access Brokers refers to a cybercrime group that specializes in gaining initial access to organizations for the sole purpose of offering it to other threat actor groups. The trend started earlier this year and our team recently spotted their new BumbleBee campaign.

Usually, we observe malicious spam (MalSpam) campaigns that deliver malicious documents (MalDoc) to lure the victims to interact with the MalDoc and execute the malicious macro code by clicking “Enable Content.” That in turn downloads and executes the malicious payload, for example, the notorious Emotet campaigns.

We expected these groups to change the initial access methods. We believe there is a direct relation to the changes Microsoft applied recently to the default policy in their Office products: “Macros from the internet will be blocked by default in Office” and “Excel 4.0 (XLM) macros are disabled by default.” These changes impact IABs because they have been abusing Office documents with malicious macros for years.

It appears that they’ve come up with a plan B.

In this post, we will cover what this campaign is, and how the IAB distributes the BumbleBee malware and its TTPs. We will also explain each TTP according to the MITRE ATT&CK model, and its purpose.

A new campaign in the wild: BumbleBee

From our initial analysis, BumbleBee is a custom new loader that is used by different IAB groups. This malware was observed injecting Cobalt Strike shellcodes in memory and using several tactics, techniques, and procedures (TTPs) in order to compromise the victim’s environment.

As part of the campaign, the threat actors abuse spoofed companies’ identities (like fake employee email addresses, fake websites, etc.) and use legitimate public storage services to deliver the malicious ISO image file. The ISO image file is responsible for luring the victim to execute the BumbleBee malware.

We’ve seen Living Off the Land Binaries (LOLBins) execution with rundll32, which allows threat actors to avoid defenses. BumbleBee also creates a scheduled task on the compromised host for persistence and executes a Visual Basic script via the scheduled task. The IAB relies on the user (victim) execution to execute the BumbleBee payload by luring the victim to mount an ISO image file and click on a Windows shortcut (LNK) file.

The malware name, BumbleBee, was chosen because of its unique user agent, “bumblebee,” that was used as part of the communication with the command and control server (C2).

Threat Analysis Group (TAG) shared observations on the financially motivated threat actor, EXOTIC LILY, that use the BumbleBee malware. In addition, TAG mentioned an interesting point of collaboration between EXOTIC LILY and the WIZARD SPIDER threat group.

Orion’s observations

This type of attack is new, and the cybersecurity community is still gathering data to glean more insights on the nature of this attack and its targets.

Orion found a high number of targeted companies based in the US with the following distribution method that delivers the BumbleBee malware: Spear phishing email > URL Link (TransferXL, TransferNow, WeTransfer) > Zipped ISO > ISO (contains the LNK file and the BumbleBee payload).

You can see the execution flow in the image below.

Diagram Description automatically generated

The infection flow

We’ve handled several incident response (IR) cases where threat actors distributed BumbleBee malware. After the initial infection, the threat actors inject Cobalt Strike shellcode in memory and execute discovery commands to collect info about the victim’s network. We believe that threat actors performed this data collection in order to execute the next stage of the infection.

The next stage is probably related to ransomware operations. We’re still investigating IR cases in order to find conclusive evidence that the next stage delivers ransomware.

On April 12, 2022, the BumbleBee IAB group was spotted using IMG file format in addition to ISO file format.

You can see an example in the image below.

Graphical user interface, application Description automatically generated

The IMG file, which contains LNK and DLL

Orion’s technical analysis

Initial Access

The BumbleBee payload was delivered via a spear phishing email that was sent from a spoofed email address. The email contains a URL link to the legitimate public storage service, TransferXL.

Graphical user interface, application Description automatically generatedSpear phishing email with a link to TransferXL

Below you’ll see the legitimate public storage site, which leads the victim to the link to the malicious file.

A picture containing text Description automatically generated

TransferXL legitimate public storage services

Once they click download, the victim receives a ZIP folder that contains the malicious ISO image files.

Diagram, application Description automatically generated

Spoofed company email address

Execution

Below is an example of what the ZIP file from the TransferXL link looks like.

Graphical user interface, text, application Description automatically generated

ZIP file download from TransferXL

The ZIP file contains an ISO image file with the following name “documents-04-106.iso.” Note that the following ISO image file name pattern was used for all the files that we have analyzed:

  • documents-[0-9]{1,4}-[0-9]{1,4}\.iso

Graphical user interface, text, application Description automatically generated

ISO image file

From this step, threat actors rely on the victim (user) interaction with the ISO image file. The threat actors use a masquerading technique by setting the LNK file icon to be a folder icon in order to lure the victim to click on the LNK file:

Graphical user interface Description automatically generated with low confidence

ISO image file contains LNK and DLL

In addition, the DLL payload attribute is set as “Hidden” in order to hide the DLL payload from the user when interacting with the ISO image file:

Graphical user interface, text, application, email Description automatically generated

Hidden attribute for the DLL

The masqueraded LNK file properties show that the execution target is as follows:

  • C:\Windows\System32\rundll32.exe settings.dll,IternalJob

Graphical user interface, text, application, email Description automatically generated

LNK executes the DLL via rundll32 command

After the initial execution, the BumbleBee DLL is copied to the %programdata%/{RandomDir} directory. In addition to the DLL, a VBS script is also dropped to the same directory:

  • [a-z]:\\programdata\\[a-z0-9]{16}\\[a-z0-9]{16}\.[vbs|dll]

Graphical user interface, text, application Description automatically generated

TTPs indicators during the execution

We have other artifacts from different IR cases, where we have observed the following activity. The screenshot below shows an event that detected a creation of a payload in the %ProgramData%\{Random} directory the DLL payload is a copy of the initial BumbleBee loader that executed by Rundll32 from the ISO image file:

Copy of the BumbleBee DLL to %Programdata% directory

In other IR cases, we observed an execution flow that’s bit different. For example, a LNK that points to the following execution targets:

  • cmd.exe /c start rundll32 neqw.dll,IternalJob
  • rundll32.exe advpack.dll,RegisterOCX sysctl.exe

Persistence

We detected a scheduled task execution during the BumbleBee infection:

Grandparent process:

svchost.exe -k netsvcs -p -s Schedule

Parent process:

wscript.exe [a-z]:\\programdata\\[a-z0-9]{16}\\[a-z0-9]{16}\.vbs

Child process:

rundll32.exe [a-z]:\\programdata\\[a-z0-9]{16}\\[a-z0-9]{16}\.dll,{Export}

Graphical user interface, text, application Description automatically generated

Strings from the BumbleBee loader show the VBS script and the execution method

We also observed WMI execution. The VBS file that was executed via a scheduled task, was also executed through WMI:

Grandparent process:

svchost.exe -k DcomLaunch

Parent process:

wmiprvse.exe -Embedding

Child process:

wscript.exe [a-z]:\\programdata\\[a-z0-9]{16}\\[a-z0-9]{16}\.vbs

Text Description automatically generated

Strings from the Bumblebee loader show the WMI Win32_Process execution

Defense Evasion

In our labs, we observed that BumbleBee uses several anti-VM methods to avoid detection.

One of the anti-VM checks is related to the VirtualBox product:

Graphical user interface, text, application Description automatically generated

Check for lpWindowName if matches VirtualBox

Other anti-VM artifacts were found after unpacking, as can be seen in the following strings:

Table Description automatically generated

List of strings that are related to VMware and VirtualBox

BumbleBee also detects if it is running within a VM by checking for known services that are related to different VM products:

Table Description automatically generated

List of services that are related to VM products

BumbleBee checks whether certain user names reside in the victim’s machine by comparing against a hardcoded list of user names. This allows BumbleBee to detect sandboxes and labs that are used for malware analysis:

Table Description automatically generated

List of hardcoded usernames which are related to sandboxes and labs

In addition, it uses WMI queries to collect system details and information:

  • SELECT * FROM Win32_BaseBoard
  • SELECT * FROM Win32_Bus
  • SELECT * FROM Win32_ComputerSystem
  • SELECT * FROM Win32_Fan
  • SELECT * FROM Win32_NTEventlogFile
  • SELECT * FROM Win32_OperatingSystem
  • SELECT * FROM Win32_PnPDevice
  • SELECT * FROM Win32_PnPEntity

Discovery

We found that the threat actors used the AdFind tool to enumerate and map the victim’s network. The ADFind tool was found in the %ProgramData% directory.

In the instance we observed, the following commands were used:

  • adfind.exe -gcb -sc trustdmp
  • adfind.exe -f “(objectcategory=group)”
  • adfind.exe -f “(objectcategory=organizationalUnit)”
  • adfind.exe -f “objectcategory=computer”
  • adfind.exe -f “(objectcategory=person)”

Command and Control

After the initial execution, the BumbleBee process (Rundll32) communicated with the Command-and-Control server (C2). We’ve seen several C2 servers from different IR cases:

  • IP: 23.82.19[.]208:443
  • IP: 192.236.198[.]63:433
  • IP: 45.147.229[.]177:433

Calendar Description automatically generated

Example of the unique User-Agent: BumbleBee in the payload’s memory

Graphical user interface, application, website Description automatically generated

Additional reference to the BumbleBee malware name

All the collected system and network information is sent to the C2 server, which sends back a response containing the next step/command to execute based on that info.

BumbleBee binary analysis

In this section, we will cover some interesting indicators and artifacts that highlighted the BumbleBee actions and heuristics. These artifacts also help us to identify the BumbleBee malware.

We analyzed several payloads and all of them had the same artifacts.

After unpacking the BumbleBee loader and by searching in the metadata of the unpacked payload, we identified BumbleBee’s internal name, “LdrAddx64.dll,” and two export functions – “IternalJob” and “SetPath.”

Graphical user interface, text Description automatically generated

BumbleBee internal name, export functions, and TimeDateStamp

In the image below, we found the BumbleBee internal name and export function inside the process Rundll32.exe that executed the BumbleBee DLL loader:

Table, calendar Description automatically generatedBumblebee’s internal name and the export functions names in the memory

By inspecting the unpacked BumbleBee sections, we discovered that the .data section contains two executables:

Graphical user interface, application Description automatically generated

PEStudio shows the unpacked Bumblebee section and highlighted the .data section

We extracted the two hidden payloads from the .data section by using Hex-Editor tool:

A picture containing table Description automatically generated

Hex-Editor shows 3 MZ headers: the first one is the Bumblebee, and the other two are additional payloads

The first payload from the .data section is a 32-bit DLL payload:

Graphical user interface, text, application Description automatically generated

PEStudio showing the payload’s metadata

We found a few interesting functions in the payload strings indicating that this payload has process injection capabilities. For example, “CreateProcess,” “NtWriteVirtualMemory,” “CreateRemoteThread,”and “WinExec.”

Graphical user interface, application, table Description automatically generated

PEStudio showing the payload’s strings that could be related to process injection

The second payload that we extracted from the .data section is a 64-bit DLL payload:

A picture containing graphical user interface Description automatically generated

PEStudio showing the payload’s metadata

We analyzed the payload binary and noticed that this payload is responsible for communicating with BumbleBee’s C2 server:

Graphical user interface, application, table Description automatically generated

In the strings we can see the C2 server’s IP address and port

Both DLL payloads have the same internal name “RapportGP.dll.” An interesting point regarding the payloads internal name is that there is a legitimate DLL named “RapportGP.dll” that is part of a “Trusteer Ltd” product from a computer security division of IBM.

A screenshot of a computer Description automatically generated with medium confidence

Payloads internal name and TimeDateStamp

Final notes

BumbleBee threat actors are not the first to change the initial access method from malicious office documents to malicious ISO image files. The ISO image file abuse was also seen a few years ago, but in recent months, we have observed an increase in “ISO campaigns.”

Different threat actors abuse ISO image files to deliver their payloads. For example, BazarISO deploys Bazarloader, and IcedID started to use ISO image files instead of MalDocs like in the two examples below.

Graphical user interface, text, application, email Description automatically generated

Documents-17.iso (Bazarloader)

Graphical user interface, text, application Description automatically generated

Invoice_pdf_1.iso (IcedID)

In most of the cases, we’ve seen that during different IR cases, the campaigns escalated to full-blown ransomware attacks. We believe that IAB groups work and collaborate with ransomware affiliates like CONTI, LockBit, AvosLocker, and more. For example, we observed an IcedID infection that leads to CONTI ransomware attack (Shelob Moonlight)..

The Orion team is constantly monitoring BumbleBee and the IAB group’s activities closely and analyzing them to better understand their motivation. As we learn more, we will publish our findings and artifacts to share additional insights for BumbleBee infection to ransomware post-attack chain.

We’re expecting to see more malware campaigns that will use the ISO delivery method in the near future. So, stay vigilant.

As a final note, we’d like to share these indicators of compromise with you.

 

Indicators of compromise:

 

BumbleBee payload

88F5AE9691E6BCDD4065A420EAFAF3E3AA32C69605BF564A42FFD8ECD25C9920

4a49e2f06ba48d3a88fdeb83fb8021f3d165535e8ea5319b16a7ebe4da9c0751

08cd6983f183ef65eabd073c01f137a913282504e2502ac34a1be3e599ac386b

186145f84ed6a473ec6bc4afa66bff156057888938793b12afd17659041ddbba

4063fab9176db3960fa6014173b6c7ba52f19424887f5a6205ff73aa447ada61

53b3ebaa3c485772f8e6abaa0f366ef192137496a7064e015ced4e6fc204b3c8

d74a3f9b35d657516eb53d4e70582f93d22077d3e0936758cc4ef76d5171075d

8f47c3962a7c418bae71fec42bbca9524b72f8f0fd2dd81d1175138f7d20b2f7

c97b8bffcbe424cbc2a6e1135068d071c6f4e8f020fccd2db3dbee3aa80102ac

BumbleBee C2 server

IP: 23.82.19[.]208 Port 443

IP: 192.236.198[.]63 Port 433

IP: 45.147.229[.]177 Port 433

Cobalt Strike C2 server

hojimizeg[.]com - 45.147.228[.]197

notixow[.]com - 23.19.58[.]154

rewujisaf[.]com - 142.234.157[.]176

We hope this was helpful. And remember to check our blog page and follow us on social media to see when we publish updates.

Have questions? Let us know.