Insights, news, education and announcements from PolySwarm

Bumblebee Loader

Written by PolySwarm Tech Team | Aug 25, 2022 5:48:41 PM

Related Families: BazarLoader, BazaLoader, Conti, BazarBackdoor, Trickbot, Diavol, Sliver, Bokbot, Meterpreter, Cobalt Strike

Verticals Targeted: Multiple

Executive Summary

Earlier this month, Palo Alto’s Unit 42 reported on recent activity leveraging Bumblebee. Unit 42 observed activity by multiple threat actors, including Projector Libra.

Key Takeaways

  • Bumblebee emerged in early 2022 as a replacement for BazarLoader and is used by multiple threat actors.
  • Recently observed infection vectors for Bumblebee use ISO images.
  • Bumblebee includes mechanisms for anti-analysis checks and maintaining persistence.
  • Bumblebee is used to drop multiple follow-up payloads, including ransomware and Cobalt Strike.
What is Bumblebee?

Earlier this month, Palo Alto’s Unit 42 reported on recent activity leveraging Bumblebee, a replacement for BazarLoader that targets Windows machines. Unit 42 observed multiple threat actors leveraging Bumblebee, including the financially motivated initial access broker Projector Libra, also known as Exotic Lily.

BazarLoader Replacement

Bumblebee’s predecessor BazarLoader was observed in the wild as early as April 2020. BazarLoader was used by multiple threat actors, including  TA551, TA578, and the threat actors responsible for the BazarCall campaign. Around February or March 2022, Bumblebee emerged as a replacement for BazarLoader. Bumblebee’s name was derived from its use of “bumblebee” in the user-agent string generated during post-infection HTTPS traffic.

Infection Vector

In the incident Unit 42 investigated, Projector Libra threat actors sent an email to a potential victim. If the victim responded, the threat actors sent a follow-up email telling the victim to expect an email from a file sharing service with a file relevant to the email discussion. One of the legitimate file-sharing services leveraged by the threat actors is TransferXL. The file-sharing email, of course, contains a link to malware masquerading as the file of interest.

Most of the files are ISO images containing a Windows shortcut and the Bumblebee loader. The threat actors used multiple methods to hide the loader. In some cases, the ISO image leverages a .LNK file that runs a hidden DLL. In other cases, the ISO image uses a password-protected .7Z archive file containing the Bumblebee DLL, and the LNK file runs a hidden copy of 7-Zip to extract Bumblebee. According to malware researcher Eli Salem, Bumblebee uses a unique unpacking mechanism.

C2 Communication

NCC Group reported on Bumblebee earlier this year. NCC Group analyzed samples from as early as September 2021. They noted Bumblebee’s backend is written in Golang. The Bumblebee samples analyzed by NCC Group used an export function with the name ‘SetPath.’ Bumblebee performs a series of anti-analysis checks, leveraging the open-source Al-Khasar project. Bumblebee then initiates communication to the C2.

According to NCC Group, Bumblebee receives commands from the C2 and executes one of the following tasks:
  • shi - injects a task’s data into a new process, where the process images paths are embedded in the binary and randomly selected
  • dij - injects a task’s data into a new process, where the process images paths are embedded in the binary and randomly selected, and the injection method differs from the method used in task dij
  • dex - writes a task’s data to a file named wab.exe in the Windows App Data folder
  • sdl - deletes the loader’s binary from the disk
  • ins - creates persistence on the victim machine
Persistence

To maintain persistence, Bumblebee creates a new directory in the Windows AppData folder with a name generated based on the client_id MD5 value. It then copies itself to a new directory and creates a VBS file with the following content:

Set objShell = CreateObject(“Wscript.Shell”)

objShell.Run “rundll32.exe my_application_path, IternalJob”

Bumblebee then creates a scheduled task with the path %WINDIR%\\System32\\wscript.exe VBS_Filepath.

Payloads

In an Active Directory environment, Bumblebee loads Cobalt Strike, which threat actors can use to map the target’s environment. Bumblebee is also used to drop, Sliver, shellcode, or Meterpreter.

If the threat actors deem the target to be high value, they may follow up by dropping ransomware. Ransomware families dropped have included Conti and Diavol.

IOCs

PolySwarm has multiple samples of Bumblebee. Below is a selection of hashes from our most recent Bumblebee samples.

First Seen

c2e8377cc13f78ca5eb0d923adfcdf00159c235906eb72ef486d0a9b9c8f93cb

793fd1b968818806aace2681a6d79fe9ba2935e75c76c71d353e243732ef8dbd

6195f27a544415369b26df60ca75e6f7cf84c1f0350e4724c81ed51233f685c3

550f0c6f48d7bd761bd5b728c6cc7452c3a220ecc4e07598522534abc85c764e

7c942cdd40a2b5b784496e4f422df61f5d7ff49486054d841dd47d65af664025

f1f7b1c5225480bf6c40e595ac00b2196a1fb8e5b246c05224022e6867702116

86cbd601461bd40e0918e5a571e59d6911eea5111a41f828ba3e780d54551876

8711308e9a44a293023edf1421d0687d18f734575961869c8490389307ef4283

024d048f8ce81e8784215dc6cf0e170b02307d9e8624083efdfccaf3e269a0f2

Other Hashes

96ec0ab0b7962fc07fcb2ac10a6993865b86391cddf6f82876bae558185b8ae9

636a5cc92d1014e0784cc22200024c1047dbf35af33d7dffda0947806413713a

3a57c15797d2f7a85b51544365129629ef468af2b33d74755faad6caed5a5ecc

fe7a64dad14fe240aa026e57615fc3a22a753f5ba1dd55d675b1d2072f6262a1

5eb41baadae307a7839685fd6f883e123408183fdc88a0da8e0e6aa8521b6812

bc7d1ff5594f8cc82553c070b5b23b375ee70ad8400fcf5b11a4ef250f957510

b0d28720c4f96b3dc22872b366ff19a5f48e92ae5f538afe0350adf8e608ed57

aacfabf91cee9bc469671f35911a49c81f662fbfb8c941968ca62473bf0fd754

e6c6ad0411501c2d81863c0ecaf80ace8a5e9b6ce8329c5700890eb36991f6fb

f0fdc0b64b747f348a87a382ff5dfe016107f95ab5953318cc8d9548a983efd1

3932c3fd347bd0d4afb906d10cfecc03114963d8ac9b25c9b6f91ab0ca5ee8db

10e628c35c0f19aa4a8b00bafd9d15862fe6eda354a70c8e7911a7ccf4f50027

dcf367f4014c302e9f1ef3b3337a31eca7d289d5f3abadef604aacce811f9b50

d15ba765332f3bde378797ce7c1b2eda17eda51f1488b675ab96161165c936ba

6771f6782cc7730936e0e1682bddb5a003b01c6b399e113cdaa7555fa94a5d11

c1b266b068dd577706f7db9a8b3a4f269e7f56b541fffb34f7297234e803c2c6

We currently have over 700 Bumblebee samples in our portal.


You can use the following CLI command to search for all Bumblebee samples in our portal:

$ polyswarm link list -f BumbleBee

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports
View full post