Related Families: BazarLoader, BazaLoader, Conti, BazarBackdoor, Trickbot, Diavol, Sliver, Bokbot, Meterpreter, Cobalt Strike
Verticals Targeted: Multiple
Earlier this month, Palo Alto’s Unit 42 reported on recent activity leveraging Bumblebee. Unit 42 observed activity by multiple threat actors, including Projector Libra.
- Bumblebee emerged in early 2022 as a replacement for BazarLoader and is used by multiple threat actors.
- Recently observed infection vectors for Bumblebee use ISO images.
- Bumblebee includes mechanisms for anti-analysis checks and maintaining persistence.
- Bumblebee is used to drop multiple follow-up payloads, including ransomware and Cobalt Strike.
Earlier this month, Palo Alto’s Unit 42 reported on recent activity leveraging Bumblebee, a replacement for BazarLoader that targets Windows machines. Unit 42 observed multiple threat actors leveraging Bumblebee, including the financially motivated initial access broker Projector Libra, also known as Exotic Lily.
Bumblebee’s predecessor BazarLoader was observed in the wild as early as April 2020. BazarLoader was used by multiple threat actors, including TA551, TA578, and the threat actors responsible for the BazarCall campaign. Around February or March 2022, Bumblebee emerged as a replacement for BazarLoader. Bumblebee’s name was derived from its use of “bumblebee” in the user-agent string generated during post-infection HTTPS traffic.
In the incident Unit 42 investigated, Projector Libra threat actors sent an email to a potential victim. If the victim responded, the threat actors sent a follow-up email telling the victim to expect an email from a file sharing service with a file relevant to the email discussion. One of the legitimate file-sharing services leveraged by the threat actors is TransferXL. The file-sharing email, of course, contains a link to malware masquerading as the file of interest.
Most of the files are ISO images containing a Windows shortcut and the Bumblebee loader. The threat actors used multiple methods to hide the loader. In some cases, the ISO image leverages a .LNK file that runs a hidden DLL. In other cases, the ISO image uses a password-protected .7Z archive file containing the Bumblebee DLL, and the LNK file runs a hidden copy of 7-Zip to extract Bumblebee. According to malware researcher Eli Salem, Bumblebee uses a unique unpacking mechanism.
NCC Group reported on Bumblebee earlier this year. NCC Group analyzed samples from as early as September 2021. They noted Bumblebee’s backend is written in Golang. The Bumblebee samples analyzed by NCC Group used an export function with the name ‘SetPath.’ Bumblebee performs a series of anti-analysis checks, leveraging the open-source al-khaser project. Bumblebee then initiates communication to the C2.
According to NCC Group, Bumblebee receives commands from the C2 and executes one of the following tasks:
- shi - injects a task’s data into a new process, where the process image paths are embedded in the binary and randomly selected
- dij - injects a task’s data into a new process, where the process image paths are embedded in the binary and randomly selected, and the injection method differs from the method used in task shi
- dex - writes a task’s data to a file named wab.exe in the Windows App Data folder
- sdl - deletes the loader’s binary from the disk
- ins - creates persistence on the victim machine
To maintain persistence, Bumblebee creates a new directory in the Windows AppData folder with a name generated from the MD5 value of the client_id. It then copies itself into that directory and creates a VBS file with the following content:
Set objShell = CreateObject("Wscript.Shell")
objShell.Run "rundll32.exe my_application_path, IternalJob"
Bumblebee then creates a scheduled task with the path %WINDIR%\System32\wscript.exe VBS_Filepath.
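The persistence chain described above (scheduled task running wscript.exe on a VBS under AppData, which in turn runs rundll32.exe on a DLL in the same folder with a named export) is something a defender can hunt for in process-creation telemetry. The following is an added example, not code from the original post or from any of the cited reports; the event records and the 32-hex directory name are constructed, and the field names mirror Sysmon-style process-creation events as an assumption.

```python
import re

# Constructed sample process-creation events (Sysmon-style fields; not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"wscript.exe C:\Users\alice\AppData\Roaming\3a7bd3e2360a3d29eea436fcfb7e44c7\launch.vbs"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Roaming\3a7bd3e2360a3d29eea436fcfb7e44c7\payload.dll, IternalJob"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

# A DLL or script living under a user's AppData tree, where the post says Bumblebee stages itself.
APPDATA_RE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
# rundll32 <dll path>, <export>  (path optionally quoted)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,\s*(\w+)', re.IGNORECASE)
# The Run line from the dropped VBS launcher quoted in the post.
VBS_RUN_RE = re.compile(r'objShell\.Run\s+"(rundll32\.exe[^"]*)"', re.IGNORECASE)

def parse_rundll32(cmdline):
    """Return (dll_path, export_name) from a rundll32 command line, or None."""
    m = RUNDLL_RE.search(cmdline)
    return (m.group(1).strip(), m.group(2)) if m else None

def vbs_launch_target(vbs_text):
    """Extract the DLL and export that a VBS launcher like the one in the post would run."""
    m = VBS_RUN_RE.search(vbs_text)
    return parse_rundll32(m.group(1)) if m else None

def is_wscript_appdata_task(task_command):
    """Scheduled-task action of the form %WINDIR%\\System32\\wscript.exe <VBS under AppData>."""
    low = task_command.lower()
    return "wscript.exe" in low and low.endswith(".vbs") and bool(APPDATA_RE.search(task_command))

def is_suspicious(event):
    """wscript.exe parent -> rundll32 child loading a DLL from AppData with a named export."""
    if not (event["Image"].lower().endswith("rundll32.exe")
            and event["ParentImage"].lower().endswith("wscript.exe")):
        return False
    parsed = parse_rundll32(event["CommandLine"])
    return bool(parsed and APPDATA_RE.search(parsed[0]))

def find_hits(events):
    """Return (dll_path, export) for every event matching the persistence chain."""
    return [parse_rundll32(e["CommandLine"]) for e in events if is_suspicious(e)]
```

Running find_hits over SAMPLE_EVENTS flags only the rundll32 launch from AppData with the IternalJob export; the legitimate shell32.dll call under explorer.exe is not reported.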
In an Active Directory environment, Bumblebee loads Cobalt Strike, which threat actors can use to map the target’s environment. Bumblebee is also used to drop Sliver, shellcode, or Meterpreter.
If the threat actors deem the target to be high value, they may follow up by dropping ransomware. Ransomware families dropped have included Conti and Diavol.
PolySwarm has multiple samples of Bumblebee. Below is a selection of hashes from our most recent Bumblebee samples.
We currently have over 700 Bumblebee samples in our portal.
You can use the following CLI command to search for all Bumblebee samples in our portal:
$ polyswarm link list -f BumbleBee