Monday, October 3, 2022

Bumblebee Malware Loader's Payloads Significantly Vary by Victim System

A new analysis of Bumblebee, a particularly pernicious malware loader that first surfaced this March, shows that its payload for systems that are part of an enterprise network is very different from its payload for standalone systems.

On systems that appear to be part of a domain — for example, systems that might share the same Active Directory server — the malware is programmed to drop sophisticated post-exploitation tools such as Cobalt Strike. On the other hand, when Bumblebee determines it has landed on a machine that is part of a workgroup — or peer-to-peer LAN — the payload generally tends to be banking and information stealers.

Different Malware

“While the victim's geographical location did not seem to have any impact on the malware behavior, we observed a very stark difference between the way Bumblebee behaves after infecting machines,” Check Point said in a report this week based on a recent analysis of the malware.

“If the victim is connected to WORKGROUP, typically it receives the DEX command (Download and Execute), which causes it to drop and run a file from the disk,” Check Point said. However, if the system is connected to an AD domain, the malware uses Download and Inject (DIJ) or Download shellcode and Inject (SHI) commands to download advanced payloads such as Cobalt Strike, Meterpreter, and Sliver.

Check Point's analysis adds to the growing body of research around Bumblebee in the six months or so since researchers first spotted the malware in the wild. The malware has garnered attention for several reasons. One of them is its relatively widespread use among multiple threat groups. In an April 2022 analysis, researchers from Proofpoint said they had observed at least three distinct threat groups distributing Bumblebee to deliver different second-stage payloads on infected systems, including ransomware such as Conti and Diavol. Google's Threat Analysis Group identified one of the actors distributing Bumblebee as an initial access broker it is tracking as “Exotic Lily.”

Proofpoint and other security researchers have described Bumblebee as being used by threat actors previously associated with BazaLoader, a prolific malware loader that, among other things, masqueraded as a movie-streaming service but disappeared from the scene in February 2022.

A Sophisticated and Constantly Evolving Threat

Another reason for the attention Bumblebee has attracted is what security researchers have described as its sophistication. They have pointed to its anti-virtualization and anti-sandbox checks, its encrypted network communications, and its ability to check running processes for signs of malware analysis activity. Unlike many other malware tools, Bumblebee's authors have also used a custom packer to pack or mask the malware when distributing it, Check Point said.

Threat actors have used different tactics to deliver Bumblebee. The most common has been to embed the DLL-like binary inside ISO or VHD — that is, disk image — files and deliver it via a phishing or spear-phishing email. The malware is an example of how threat actors have started using container files to deliver malware now that Microsoft has disabled Office macros — their previous favorite infection vector — from running by default on Windows systems.

Bumblebee's constant evolution has been another point of concern. In its report this week, Check Point noted that the malware has been in “constant evolution” over the past several months. For example, the security vendor pointed to how its authors briefly switched from using ISO files to VHD format files with a PowerShell script before switching back to ISO. Similarly, until early July, Bumblebee's command-and-control servers accepted only one infected victim from any given victim IP address. “This means that if multiple computers in an organization accessing the Internet with the same public IP were infected, the C2 server would only accept the first one infected,” Check Point said.

However, the malware's authors recently turned that feature off, meaning Bumblebee's C2 servers can now communicate with multiple infected systems on the same network. Check Point theorized that the authors were initially just testing the malware and have now moved past that stage.

Check Point and other vendors such as Proofpoint have made indicators of compromise available for Bumblebee to help organizations detect and block the threat in their environments.
