September 29, 2023

Researchers have provided details of a new strain of JavaScript-based dropper that delivers two forms of malware onto victims’ systems. Dubbed as PindOS after a user-agent string of the same name in the code, the dropper contains comments in Russian and delivers Bumblebee and IcedID malware.

Bumblebee is a malware loader associated with the Conti ransomware group discovered in March 2022 and acts as a primary vector for multiple types of other malware, including ransomware. IcedID is modular banking malware designed to steal financial information that has been around since 2017.

Researchers discovered the sophistication of the threat actor. The PindOS dropper exhibits a change in how Bumblebee is used, shifting from using PowerShell to JavaScript. The change indicates an attempt by the threat actors to adapt and refine their attack methods to maximize efficiency and evade detection.


With its deployment through PindOS, IcedID has deviated from its primary function as banking malware, potentially following in the steps of Emotet.

The PindOS JavaScript coding uses a simplistic structure that downloads and executes a payload .DLL from a specified URL. If the first attempt fails, PindOS tries again with a second URL. The researchers note that the dropper’s design and features make it a resilient and efficient tool for infiltrating systems and delivering its payload.

To avoid detection, the payloads generated by PindOS are “pseudo-randomly” created, a common evasion technique. But the evolving IOCs constantly updated to detect their action.

The researchers conclude by noting that although it’s uncertain whether the PindOS dropper will be permanently adopted by the groups behind Bumblebee and IcedID, if successful the method will become a more permanent tool in their arsenal and potentially gain popularity among other threat actors.

This research was documented by researchers from Deep Instinct


Indicators of Compromise

Bumblebee infection URLs

  • hxxps://[.]php
  • hxxp://[.]php
  • hxxp://[.]php
  • hxxps://[.]php

Bumblebee .JS dropper SHA256

  • bcd9b7d4ca83e96704e00e378728db06291e8e2b50d68db22efd1f8974d1ca91
  • 07d2cb0dc0cd353fb210b065733743078e79c4a27c42872cd516a6b1fb1f00d1
  • 00ec8f3900336c7aeb31fef4d111ee6e33f12ad451bc5119d3e50ad80b2212b0
  • 15da5b0a65dd8135273124da0c6e52e017e3b54642f87571e82d2314aae97eec
  • 180a935383b39501c7bdf2745b3a334841f01a7df9d063fecca587b5cc3f5e7a

Bumblebee DLL payload SHA256

  • 24dd5c33b8a5136bdf29d0c07cf56ef0e33a285bb12696a8ff65e4065cb18359
  • 76c9780256e195901e1c09cb8a37fb5967f9f5b36564e380e7cf2558652f875b
  • 28c87170f2525fdecc4092fb347acd9b8350ed65e0fd584ce9fc001fd237d523
  • ac261ac26221505798c65c61a207f3951cc7dce2e1014409d8a765d85bfd91d4

IcedID infection URLs

  • hxxps://[.]php
  • hxxps://[.]php
  • hxxps://[.]php
  • hxxps://[.]php
  • hxxps://[.]php
  • hxxps://[.]php
  • hxxps://[.]php

IcedID .JS dropper SHA256

  • 92506fe773db7472e7782dbb5403548323e65a9eb2e4c15f9ac65ee6c4bd908b
  • c84c84387f0b9e7bc575a008f36919448b4e6645e1f5d054e20b59be726ee814
  • 7355656f894ae26215f979b953c8fa237dc39af857a6b27754a93adb1823f3b6
  • 8f40ff286419eb4b0c4d15710dc552afb2c2a227a180f4b4f520d09b05724151

IcedID DLL payload SHA256

  • 9101975f7aca998da796fc15a63b36ab8aa0fe0aed0b186aaed06a3383d5f226
  • 4f0c9c6fc1287ef16f4683db90dd677054a1f834594494d61d765fa3f2e1352c
  • cb307d7fa6eaac6a975ad64ff966ff6b0b0fdd59109246c2f6f5e8d50a33e93c
  • 361b0157ef63d362fdd4399288f5f6a0e1536633dfb49c808a3590718c4d8f10
  • e71c9ac9ddd55b485e636840da150db5cd2791d0681123457bd40623acd8311c
  • 8ae3be9f09f5fc64ec898a4d6467b2f6e50eaaa26fc460a4f1a9b9566e97a9a7

Leave a Reply

%d bloggers like this: