Multiple waves of attacks are underway that feature a sophisticated new malware loader dubbed Bumblebee. Stealthier by nature than its predecessors, it fetches shellcode and second-stage tools such as Cobalt Strike, Sliver and Meterpreter, possibly as a run-up to ransomware attacks.
Bumblebee is in active development and wields elaborate evasion techniques, including complex anti-virtualization checks. Unlike most other malware, which uses process hollowing or DLL injection, this loader uses asynchronous procedure call (APC) injection to start the shellcode from the commands received from the command-and-control (C2) server.
Bumblebee appears to be a replacement for BazaLoader (the Bazar loader), which is tied to the Diavol and Conti ransomware operations. BazaLoader came into the limelight alongside its initial-access peers Emotet, Trickbot and IcedID.
Initial-access brokers infiltrate targets and sell specialized access to backdoored corporate networks on the Dark Web, and they often partner with ransomware operators. They excel at finding unpatched machines, password-cracking and brute-forcing, social engineering and phishing, and other common avenues for infection.
Proofpoint observed Bumblebee being distributed via email campaigns by at least three tracked threat actors. Several commonalities were observed across campaigns, such as the use of ISO files containing shortcut files and DLLs, and a common DLL entry point used by multiple actors within the same week.
In one case, a DocuSign-branded email campaign was designed to trick targets into downloading a malicious, zipped ISO file purporting to be an unpaid invoice, hosted on OneDrive. The emails contained either a hyperlink asking recipients to “REVIEW THE DOCUMENT” in the body of the message, or they used HTML attachments.
The embedded URL in the HTML attachment used a redirect service referred to as Cookie Reloaded, which uses Prometheus TDS to filter downloads based on the time zone and cookies of the potential victim. The redirector in turn directed the user to a zipped ISO file, also hosted on OneDrive. The ISO file contained a shortcut file named “ATTACHME.LNK,” which, when clicked, executed “Attachments.dat” with the correct parameters to run the Bumblebee downloader.
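The delivery chain above (mounted ISO, a shortcut the user clicks, a DLL with a non-DLL extension launched with the right parameters) leaves a recognisable trace in process-creation telemetry. The following is an added detection example, not code from the original article or from Proofpoint: it scans constructed Sysmon-style event lines and flags rundll32.exe loads that are consistent with that chain. It assumes the shortcut hands the `.dat` file to rundll32.exe (the article does not name the host process), that the system drive is `C:` and that a mounted ISO appears under another drive letter; the field names and the sample events are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample events (not real telemetry). One event per line, key=value pairs,
# values containing spaces are quoted. Field names mimic Sysmon Event ID 1 but are assumed.
SAMPLE_EVENTS = [
    'EventID=1 Image="C:\\Windows\\System32\\rundll32.exe" ParentImage="C:\\Windows\\explorer.exe" '
    'CommandLine="rundll32.exe E:\\Attachments.dat,Entry"',
    'EventID=1 Image="C:\\Windows\\System32\\rundll32.exe" ParentImage="C:\\Windows\\System32\\svchost.exe" '
    'CommandLine="rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"',
    'EventID=1 Image="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" '
    'ParentImage="C:\\Windows\\explorer.exe" CommandLine="WINWORD.EXE C:\\Users\\a\\Documents\\report.docx"',
    'EventID=1 Image="C:\\Windows\\System32\\rundll32.exe" ParentImage="C:\\Windows\\explorer.exe" '
    'CommandLine="rundll32.exe D:\\invoice\\loader.dat,Run"',
]

NORMAL_MODULE_EXTS = {"dll", "cpl", "ocx", "ax"}  # extensions rundll32 normally loads
SYSTEM_DRIVE = "C:"  # assumption for the sample environment

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Parse a key=value event line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def module_from_cmdline(cmdline: str) -> Optional[str]:
    """Return the module path rundll32 was asked to load.

    Assumes the common syntax '<host> <module>[,<export>] [args]'; a quoted module
    path is honoured, otherwise the path ends at the first comma or whitespace.
    """
    parts = cmdline.split(None, 1)
    if len(parts) < 2:
        return None
    rest = parts[1]
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else None
    return rest.split(",", 1)[0].split()[0]


@dataclass
class Finding:
    line_no: int
    reasons: List[str]


def score_event(ev: Dict[str, str]) -> List[str]:
    """Reasons an event looks like the ISO -> LNK -> DLL chain; empty list if benign."""
    reasons: List[str] = []
    if basename(ev.get("Image", "")) != "rundll32.exe":
        return reasons
    module = module_from_cmdline(ev.get("CommandLine", ""))
    if not module:
        return reasons
    name = basename(module)
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    if ext not in NORMAL_MODULE_EXTS:
        reasons.append(f"rundll32 loading a module with an unusual extension '.{ext}'")
    if not module.upper().startswith(SYSTEM_DRIVE):
        reasons.append("module lives on a non-system drive (consistent with a mounted ISO)")
    # A parent of explorer.exe fits a user double-clicking a shortcut; only worth
    # reporting when something else about the load is already suspicious.
    if reasons and basename(ev.get("ParentImage", "")) == "explorer.exe":
        reasons.append("launched from explorer.exe (consistent with a clicked shortcut)")
    return reasons


def scan(lines: List[str]) -> List[Finding]:
    """Run score_event over process-creation events and collect the suspicious ones."""
    findings: List[Finding] = []
    for i, line in enumerate(lines, 1):
        ev = parse_event(line)
        if ev.get("EventID") != "1":
            continue
        reasons = score_event(ev)
        if reasons:
            findings.append(Finding(i, reasons))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"event {f.line_no}: " + "; ".join(f.reasons))
```

On the constructed sample, events 1 and 4 are flagged with three reasons each, while the legitimate shell32.dll load from svchost.exe and the Word launch are not. The extension and drive-letter checks are deliberately separate so that a `.dat` module on the system drive, or a real `.dll` on a mounted image, still produces a lower-confidence hit rather than being missed entirely.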
The use of Bumblebee by multiple threat actors, the timing of its introduction in the landscape, and the behaviors described can be considered a notable shift in the cybercriminal threat landscape.
Bumblebee is new and under active development. To protect themselves, organizations should shore up basic security hygiene, such as timely patching and strong password and multifactor-authentication use, and work with employees to instill awareness of email-borne threats and common social-engineering trickery.
Once installed, the loader gathers system information and generates a “client ID.” It then connects to the C2 (the address(es) are stored in plaintext) and checks in at randomized intervals of seconds to retrieve commands.
Bumblebee supports the following commands:
- Shi: shellcode injection
- Dij: DLL injection
- Dex: download executable
- Sdl: uninstall loader
- Ins: enable persistence on the bot
Notably, it contains powerful anti-analysis and evasion tactics, including sandbox and virtual-machine awareness, the addition of an encryption layer to the network communications, and a check on current running processes against a hardcoded list of common tools used by malware analysts.
Indicators of Compromise