Threat Synopsis – Bumblebee Loader
The Bumblebee loader malware was first identified by the Google Threat Analysis Group in March of 2022 and has been discovered to be linked to a number of ransomware groups during their attacks – examples from the Symantec Threat Hunter team links it to Conti, Quantum and Mountlocker (and potentially as a replacement for Trickbot or BazarLoader). The loader has been seen utilized by a handful of threat groups (such as TA578, TA579) , but Exotic Lily is directly named in the DFIR report detailing the malware – who have ties to the cybercrime group FIN12 (or Wizard Spider/DEV-0193). Due to the utilization of the Bumblebee loader with various threat actors in order to replace older loader variants, intent and targeting can/will vary depending on the threat actor.
As mentioned previously, Bumblebee loader, whose goals are to download and launch additional payloads without being detected on the victim’s machine. In particular, this variant reaches out to a C2 server after a malicious .dll is launched, where it has been observed to drop and execute a Cobalt Strike payload. Other actions observed include dropping of the ADFind tool for domain enumeration, injection of Metasploit, and even dropping of ransomware such as Quantum. The loader is quickly becoming prominent amongst established threat actors and ransomware operations (replacing older loader tools), and the potentiality of it evolving is expected since it is in active development. Thus, it is important to assess, understand and prepare for this malware loader as it evolves and continues to spread.
Threat Details – Bumblebee Loader
In March 2022, the Bumblebee loader malware was discovered by the Google Threat Analysis Group – recognized by this moniker due to the variant’s use of a user-agent named “Bumblebee Loader”. The loader has been observed replacing older loader tools such as BazaLoader, IcedID, and Trickbot and becoming more commonly utilized by initial access brokers since the beginning months of 2022. The variant has been observed downloading malicious payloads, such as Cobalt Strike via .DLL execution conducted by .ISO and .LNK files. Additionally, the loader contains anti-virtualization checks and several advanced evasion techniques despite its relative “newness”
At the outset, an .ISO image (contained in a ZIP archive) is delivered to the victim’s machine via malicious link or attachment from a spear-phishing email. This ISO image contains a .LNK file (Windows Shortcut) and a .DLL file (which has been observed to be hidden). When the .LNK file is executed, it runs the .DLL file (utilizing rundll32.exe) contained within the directory – which is the Bumblebee malware loader itself. After the loader is executed, communication to the Bumblebee command & control center begins and subsequently drops a Cobalt Strike beacon onto the host machine. The loader has been observed to use specific commands such as “Ins” for bot persistence, “Dij” for injection of DLLs and “Dex” for the downloading aspect – examples of their usage would be “Ins” being utilized to create a scheduled task for persistence or the “Dex” command to drop and execute Cobalt Strike.
After initial access, the DFIR report mentions that the Cobalt Strike beacon has been observed to inject into other processes on the host such as explorer.exe and rundll32.exe to abuse for discovery. The report also mentions the host machine being accessed via RDP and used for lateral movement to escalate privileges, and the dropping of the “VulnRecon” tool to locate escalation paths. Other techniques observed included the usage of the Procdump tool, “Seatbelt” red team tool, dropping of the AdFind tool for domain enumeration, injection of Metasploit, and eventually new Cobalt Strike PowerShell beacons to further its reach/grasp of the victim’s environment (reaching the Domain Controller).
Further detail and IOCs associated can be found in Symantec’s Enterprise Blog post on Bumblebee, found here: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime. As well as the aforementioned DFIR report found here: https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin