September 30, 2023

Threat actors associated with BazarLoader, TrickBot and IcedID malware are now seen deploying the loader known as Bumblebee to breach networks and conduct post exploitation activities.

The majority of the Bumblebee infections spotted reportedly started by end-users executing LNK files which use a system binary to load the malware.

After infiltrating a system, Bumblebee operators then reportedly conducted intensive reconnaissance activities and redirected the output of executed commands to files for exfiltration.

Advertisements

The attackers compromised Active Directory and leveraged confidential data such as users’ logins and passwords for lateral movement.The time it took between initial access and Active Directory compromise was less than two days.

The Bumblebee malware loader was first discovered by Google TAG in March 2022. It owes the name to its user agent, dubbed ‘Bumblebee,’ which is used as part of the communication with the C2.

The research comes from the Cybereason Global Security Operations Center team.

Indicators of Compromise

  • 4acc9ddf7f23109216ca22801ac75c8fabb97019
  • 185.62.56[.]129
Tags:

Leave a Reply

You may have missed

Johnson Controls Ransomware Attack

September 30, 2023

Progress issues Patches for Critical WS_FTP Flaws

September 29, 2023

NIST Releases SP 800-82r3 guide for OT

September 29, 2023

Cisco Semi-annual Security Advisory Summary

September 29, 2023

BlackTech Havoc’s Organizations with Cisco Router Bug

September 29, 2023

Google fixes fifth Zeroday bug in Chrome

September 28, 2023
%d bloggers like this: