Bumblebee malware is a relatively new type of malware downloader that has been linked to several cybercriminal groups. Previous waves of Bumblebee were delivered through ISO files that contain a malicious DLL and shortcut files (ISO, DLL and LNK files containing Bumblebee loader malware). Now they have moved to the Excel XLSM document to spread their malicious payload files.
Target Platform: Windows
Bumblebee infects its victims by initial infection vectors such as phishing and spam emails. These kind of emails contains Microsoft Office documents (Excel) or sometimes arrive in the form of password-protected archives.
Phishing attacks have become the de-facto delivery method of choice for threat actors lately. The idea is straightforward: an attacker creates a dropper and attaches it to an email with a compelling message designed to trick the target into opening the file. Security awareness training on “how to detect and avoid” these attacks is encouraging threat actors to use more sophisticated methods to launch spear phishing attacks in the last 18 months. (Example: sending a document disguised as an invoice or a shipping attachment).
The initial attack vector may vary depending on the targets and we all know that savvy threat actors perform basic reconnaissance methodologies to decide their infection vector. Bumblebee loads from system memory and never touches the hard disk drive with the “fileless loading” flow, reducing the chances of being detected and stopped by traditional antivirus-like controls. Bumblebee has become a more potent initial access threat as its stealth quotient increases, as do its chances of enticing ransomware and malware operators looking for new ways to deploy their payloads.
Distributed via XLSM Spreadsheet
An .xlsm file is a macro-enabled spreadsheet, which is a widely used spreadsheet program that comes with every edition of the Microsoft Office suite. It contains worksheets of cells arranged by rows and columns as well as embedded macros programmed in the Visual Basic for Applications (VBA) language.
Technical Analysis of Bumblebee XLSM Campaign
Snap 1: Bumblebee Template
Once the user receives an email from any unknown or known person, the content in the email body tempts the unsuspecting user to open it. Once a user opens the attachment, then the malware starts execution in-order to perform malicious actions. Also, if a connected network is present, it will use a list of common passwords, guessing its way onto other connected systems via brute-force attack.
Snap 2: Auto_Close Document
Snap 3: Runtime Error
Snap 4: VBA Macro Content
Snap 5: Using API Calls to execute the DLL in the Special folder
Get-Special folder specifications
|WindowsFolder||0||The Windows folder contains files installed by the Windows operating system.|
|SystemFolder||1||The System folder contains libraries, fonts, and device drivers.|
|TemporaryFolder||2||The Temp folder is used to store temporary files. The path is found in TMP environment variable.|
Snap 6: Dropped PE File
Snap 7: DLL file properties
Snap 8: Initial – Indicator of Compromise
Let’s not forget our art of war lessons in the context of cyber security,
“All warfare is based on deception. Hence, when we are able to attack, we must seem unable; when using our forces, we must appear inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.”
-Sun Tzu, The Art of War
DisCONTInued, or Continued?
A lot of the bumblebee activity, seemed eerily similar to Conti’s activity… Consider how Exotic LILY (threat actor) was linked to the Conti ransomware group.
If you thought, Conti’s group disintegrated and ceased to exist past May 2022… Think again!
To clarify what we are stating and “CONTInue” malware infections, hear us out,
First things first, Conti is implementing a new organizational structure with a network that is more horizontal and decentralised than the previous rigid Conti hierarchy.
Secondly, this structure will be made up of several equal subdivisions, some of which will be independent and some of which will be part of another ransomware collective.
Last but not the least; internal loyalty to each other within the network and the Conti leadership, particularly “reshaev,” will bind them all together as observed by the LMNTRIX CDC.
Conti’s new network possibly includes the following groups:
TYPE I Threat Actors: Complete autonomy: There is no locker involved, just pure data theft such as Karakurt, BlackBasta, BlackByte malware.
TYPE II Threat Actors: Semi-autonomous: Acting as Conti-loyal collective affiliates within other collectives to use their locker such as AlphV/BlackCat, HIVE, HelloKitty/FiveHands, and AvosLocker infections.
Indicators of Compromise for BumbleBee
container.vhd (SHA256) 91d29cfe549d8c7ade35f681ea60ce73a48e00c2f6d55a608f86b6f17f494d0d
Quote.lnk (SHA256) 940182dd2eaf42327457d249f781274b07e7978b62dca0ae4077b438a8e13937
quotefile.ps1 (SHA256) d6cc3ac995484b99ed790b6f8ceb145492794eb5d01ec4a71123b9975e9bfd20
stage2.ps1 (SHA256) 5d000af554dcd96efa066301b234265892b8bf37bf134f21184096bdc3d7230b
payload.dll (SHA256) 0b0a5f3592df7b538b8d8db4ba621b03896f27c9f112b88d56761972b03e6e58
Bumblebee ISO samples
Bumblebee Samples Analyzed
Here are some common C2 Server IP addresses we have been tracking,
104[.]168[.]201[.]219 142[.]11[.]234[.]230 145[.]239[.]30[.]26
145[.]239[.]135[.]155 145[.]239[.]28[.]110 146[.]19[.]173[.]202
146[.]70[.]125[.]122 152[.]89[.]247[.]79 185[.]17[.]40[.]189
185[.]62[.]58[.]175 205[.]185[.]122[.]143 205[.]185[.]123[.]137
209[.]141[.]46[.]50 209[.]141[.]58[.]141 51[.]210[.]158[.]156
51[.]68[.]144[.]94 51[.]68[.]145[.]54 51[.]68[.]146[.]186
51[.]68[.]147[.]233 51[.]75[.]62[.]99 51[.]83[.]250[.]240
51[.]83[.]251[.]245 51[.]83[.]253[.]131 51[.]83[.]253[.]244
54[.]37[.]130[.]166 54[.]37[.]131[.]14 54[.]38[.]136[.]111
54[.]38[.]136[.]187 54[.]38[.]138[.]94 54[.]38[.]139[.]20
Note: The number of BumbleBee C2 servers in the wild, continue to increase by the day.
MITRE ATT&CK Tactics & Techniques for Bumblebee XLSM variant
|TA0001||Initial Access||Spear phishing Attachment|
Spear phishing Link
|TA0002||Execution||Obfuscated Files or Information|
Visual Basic / Malicious File
Registry Run Keys / Startup Folder
|TA0004||Privilege Escalation||Sets debug register (to hijack the execution of another thread). Creates a process in suspended mode (likely to inject code). Spawn’s processes.|
|TA0005||Defense Evasion||May sleep (evasive loops) hinder dynamic analysis. Checks if the current process is being debugged.|
|TA0006||Credential Access||OS Credential Dumping.|
Credentials from Web Browsers.
|TA0007||Discovery||Reads the host’s file. System Information Discovery. Reads software policies. Queries the volume information (name, serial number etc) of a device. Virtualization/Sandbox Evasion.|
|TA0011||C&C Server||Application Layer Protocol – Uses HTTPS. Non-Standard Port – Detected TCP or UDP traffic on non-standard ports. Encrypted Channel – Uses HTTPS for network communication, use the SSL MITM Proxy cookbook for further analysis.|