- Cyble announced that Bumblebee, a malware loader, has quickly become a key component in a wide range of cyberattacks.
- Developers of Bumblebee loader keep updating the malware’s capabilities in order to strengthen its evasive maneuvers and anti-analysis tricks.
- The initial infection starts with a spam email that has a password-protected attachment that contains a .VHD file.
Cyble Research & Intelligence Labs announced that they noticed a tweet wherein threat researcher @Max_Mal_ showed an infection chain of the Bumblebee loader malware being distributed. Bumblebee, a replacement for BazarLoader, acts as a downloader. It also delivers known attack frameworks and open-source tools. It is also capable of downloading other types of malware. Bumblebee was initially discovered in April.
#Bumblebee VHD Infection TTPs 🐝#DFIR Exec Flow:
VDH > LNK > PowerShell > csc > cvtres[+] Obfuscated PS1 script
[+] PS1 script loads 64-bit DLL inside the PowerShell memory
[+] Bumblebee Export function: dataCheck ,setPath
[+] DLL internal name: LdrAddx64.dll 🔥 pic.twitter.com/mJvbCZiwqm— Max_Malyutin (@Max_Mal_) August 30, 2022
New infection technique
The infection starts with a password-protected email attachment containing a .VHD extension file. It also contains two files, “Quote.lnk” and the second is a hidden file “imagedata.ps1”. The following target command line is used by the LNK for executing the PowerShell Script “imagedata.ps1”
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -file imagedata.ps1After the execution of the file, the PowerShell window is hidden and it runs the code in the background. The Powershell command for hiding the window is “-windowstyle hidden”. However, this malware uses “ShowWindows” to stay stealthy and avoid detection by antivirus scanners. Cyble also said in the report,
« PowerSploit is an open-source post-exploitation framework in which the malware uses a method, Invoke-ReflectivePEInjection, for reflectively loading the DLL into the PowerShell Process. This method validates the embedded file and performs multiple checks to ensure that the file is loaded properly on the executing system. »
To minimize the chance of being detected, Bumblebee also loads the flows from memory, instead of the host’s disk. This feature increases the malware’s stealthiness, especially during the deployments of its payloads, and makes it a bigger threat for many organizations. To avoid such attacks, Cyble recommends:
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Educate employees in terms of protecting themselves from threats like phishing’s/untrusted URLs.
- Avoid downloading files from unknown websites.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices.
- Use a reputed antivirus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Block URLs that could spread the malware, e.g., Torrent/Warez.
- Monitor the beacon on the network level to block data exfiltration by malware or TAs.
- Enable Data Loss Prevention (DLP) Solutions on the employees’ systems.
Cyble also said,
« Bumblebee, a recently developed malware loader, has quickly become a key component in a wide range of cyberattacks, besides replacing the existing BazarLoader. In an attempt to stay a step ahead of cybersecurity entities, Threat Actors (TAs) are constantly adapting new techniques and continuously monitoring to stay updated on the defense mechanisms employed by enterprises. Similarly, TAs behind the sophisticated Bumblebee loader keep updating its capabilities in order to strengthen its evasive maneuvers and anti-analysis tricks. CRIL has been closely monitoring the Bumblebee malware group and other similar TA groups for a better understanding of their motivations and keeping our readers well-informed on the latest cybercrime news and cybersecurity challenges. »