Bumblebee is a malware loader associated with the Conti ransomware group. Discovered in March 2022, it acts as a primary vector for multiple types of other malware, including ransomware. IcedID is modular banking malware designed to steal financial information and has been around since 2017.
With its deployment through PindOS, IcedID has deviated from its primary function as banking malware, potentially following in the steps of Emotet.
To avoid detection, the payloads generated by PindOS are “pseudo-randomly” created, a common evasion technique. The evolving IOCs are, however, constantly updated to detect their activity.
The researchers conclude by noting that, although it is uncertain whether the PindOS dropper will be permanently adopted by the groups behind Bumblebee and IcedID, if successful the method will become a more permanent tool in their arsenal and may gain popularity among other threat actors.
This research was documented by researchers from Deep Instinct.
Indicators of Compromise
Bumblebee infection URLs
Bumblebee .JS dropper SHA256
Bumblebee DLL payload SHA256
IcedID infection URLs
IcedID .JS dropper SHA256
IcedID DLL payload SHA256