June 7, 2023

Threat actors associated with BazarLoader, TrickBot and IcedID malware are now seen deploying the loader known as Bumblebee to breach networks and conduct post exploitation activities.

The majority of the Bumblebee infections spotted reportedly started by end-users executing LNK files which use a system binary to load the malware.

After infiltrating a system, Bumblebee operators then reportedly conducted intensive reconnaissance activities and redirected the output of executed commands to files for exfiltration.

Advertisements

The attackers compromised Active Directory and leveraged confidential data such as users’ logins and passwords for lateral movement.The time it took between initial access and Active Directory compromise was less than two days.

The Bumblebee malware loader was first discovered by Google TAG in March 2022. It owes the name to its user agent, dubbed ‘Bumblebee,’ which is used as part of the communication with the C2.

The research comes from the Cybereason Global Security Operations Center team.

Indicators of Compromise

  • 4acc9ddf7f23109216ca22801ac75c8fabb97019
  • 185.62.56[.]129
Tags:

Leave a Reply

You may have missed

Microsoft to comply with LinkedIn GDPR Violation

Microsoft to comply with LinkedIn GDPR Violation

June 7, 2023
Google Fixes Third Chrome Zeroday

Google Fixes Third Chrome Zeroday

June 6, 2023
Moveit Attributed to Lace Tempest

Moveit Attributed to Lace Tempest

June 6, 2023
Byte Code Bites PYPI

Byte Code Bites PYPI

June 5, 2023
Enzo Biochem Suffers a Data Breach

Enzo Biochem Suffers a Data Breach

June 5, 2023
BlackSuit Ransomware Dissection

BlackSuit Ransomware Dissection

June 4, 2023
%d bloggers like this: