Origin: March 2022
LNK: Agent- BD[Trj]
Targeted Sectors: Government, Non-Government and Intergovernmental organizations, Corporate Businesses
Targeted Regions: Ukraine, China, USA, Hong Kong, the Netherlands
Motive: Data Theft
Infection Vectors: Phishing Email, Spear-phishing, Social Engineering, Software Cracks
BumbleBee malware is a relatively new malware loader that has quickly become a key component in the execution of a wide range of cyberattacks.
It was first seen in phishing campaigns in March 2022 and is the most recent development of the Conti syndicate. The threat actors distributing the BumbleBee malware downloader can infiltrate systems and sell access to the stolen data for a sizeable ransom payment.
The malware’s rise comes with a drop in usage of BazarLoader earlier this year, which began after Conti assumed TrickBot’s operations. In fact, researchers have observed code overlaps between BumbleBee and TrickBot and other ransomware threats.
However, the malware’s emergence is no accident, and the transition seems to have been meticulously planned. Cybercriminals are likely to use BumbleBee to inject information stealers, cryptocurrency miners, and other payloads.
Tactics, Techniques, and Procedures (TTPs)
BumbleBee is distributed via spear-phishing email campaigns. Malicious links are concealed in emails that appear critical, urgent, or official from reputed businesses or organizations.
The loader’s compact nature makes it a preferred multifunctional tool for cybercriminals and threat actors. Built in C++, BumbleBee works as a downloader that runs malicious code on compromised systems and delivers follow-on payloads such as Meterpreter and Cobalt Strike, using techniques including shellcode injection and DLL injection, ahead of ransomware deployment.
BumbleBee supports multiple commands like “Ins” for bot persistence, “Dij” for DLL injection, and “Dex” for downloading executables.
Initial Infection and Privilege Escalation
The infection starts with spam emails: BumbleBee is delivered via malicious files that contain a malicious DLL together with a shortcut file that loads the malware.
It gains a foothold on infected endpoints by creating local Windows Management Instrumentation (WMI) calls which trigger two processes:
a) wabmig.exe (Microsoft contacts import tool) with injected Meterpreter agent code
b) wab.exe (Microsoft address book application) with an injected Cobalt Strike beacon.
It deploys post-exploitation tools with elevated privileges on infected machines via a User Account Control (UAC) bypass technique (fodhelper.exe).
The loader group uses a Cobalt Strike agent for lateral movement and persists on the organization network via AnyDesk, the remote management software. Moreover, the malware operators can compromise Active Directory and exploit confidential data, such as users’ logins and passwords, for lateral movement.
BumbleBee can detect virtualization environment processes to avoid running on virtual machines. After doing anti-virtualization checks, it retrieves and executes next-stage payloads in the form of Cobalt Strike, Sliver, Meterpreter, and shellcode.
BumbleBee loader pilfers user credentials using two methods. The first extracts local usernames and passwords stored in the memory space of the Local Security Authority Subsystem Service (LSASS) process. The second extracts registry hives with reg.exe:
(a) HKLM Security Account Manager (SAM): where Windows stores information about user accounts.
(b) HKLM Security: stores user logins and their Local Security Authority (LSA) secrets.
(c) HKLM System: contains keys that could be used to decrypt/encrypt the LSA secret and SAM database.
BumbleBee conducts intensive reconnaissance activities with the intent of stealing system-wide information and redirecting the output to files for exfiltration. It scans for domain names, users, hosts, and domain controllers through a broad range of tools, such as nltest, ping, tasklist, net view, and AdFind.
BumbleBee Delivering Ransomware
BumbleBee has links to several high-profile ransomware operations. Researchers at Symantec published findings on the malware loader and how it was used across multiple campaigns to deploy other loaders.
In one of the instances, BumbleBee operators used the AdFind tool to deploy the Quantum ransomware payload. The tool was also used in conjunction with Cobalt Strike to deliver the Avaddon ransomware payload. A new version of AdFind, detected in mid-May 2022, has also been used in various ransomware operations for a year. These tools were also used by the Conti and MountLocker ransomware gangs in their campaigns.
Prevention and Mitigation
With the rate at which BumbleBee is growing and spreading, it is strongly advised to take the right measures. Since spear-phishing appears to be the most common method of infecting systems, users must avoid opening attachments from unreliable sources or from suspicious emails or messages. Implement strong user access control, robust endpoint security, and logging for devices, systems, and applications.
Furthermore, security teams are advised to use real-time threat intelligence to keep up with the changing TTPs of BumbleBee. Along with a comprehensive threat response platform, organizations can mitigate the impact of cyberattacks from threats like BumbleBee and proactively undertake actions to remove any scope for a future attack.
BumbleBee's links to several high-profile ransomware operations suggest that it has evolved into a center point of cybercrime activity with cybercriminals looking to steal and exploit data. Enterprises should take precautions against this malware and educate their employees on the most recent malware threats. Any organization that discovers a BumbleBee infection on its network should treat it as a top priority because it can lead to the spread of other dangerous ransomware threats.
Indicators of Compromise (IOCs)