Threat actors associated with BazarLoader, TrickBot, and IcedID have increasingly co-opted the malware loader Bumblebee.
It has been discovered that hackers are using it to penetrate target networks for the purpose of post-exploitation activities as part of their campaigns to breach target networks.
Meroujan Antonyan and Alon Laufer, the researchers from Cybereason, explained the situation in the following manner:-
“An intensive amount of reconnaissance is conducted by the operators of Bumblebee. Moreover, even after executing a command, they redirect the output of that command to files so that it can be exfiltrated.”
Users typically launch Bumblebee infections by executing LNK files that load the malware using the system binary.
Phishing emails with malicious attachments or links to malicious archives containing Bumblebee malware are used to distribute the malware.
During the month of March 2022, Google’s TAG discovered for the first time what Bumblebee was doing on the internet. By unmasking Exotic Lily, the brokers that belong to the larger Conti collective as well as TrickBot, they were able to accomplish this feat.
An embedded command is present in this LNK file that runs Bumblebee DLL using the following files:-
While the reference to the Bumblebee DLL can be found in the .rsp file.
According to the report, As a general rule, spear-phishing campaigns are used to obtain initial access for delivering the attack. A modification to the method was made in the course of the year by avoiding macro-enhanced documents in favor of ISO and LNK files, which are more reliable.
A command to launch the Bumblebee loader is contained in the LNK file. The resultant conduit is then used to carry out the following actions at the next stage:
The Cobalt Strike adversary simulation framework was also employed to simulate the adversary’s behaviors upon gaining elevated privileges on the infected endpoint during the attack.
This provides the threat actor with the ability to move laterally across the network. AnyDesk remote desktop software can be deployed on an infected system in order to achieve persistence.
A highly privileged user’s credentials were stolen in this incident, and the details were subsequently misused to make it possible for the attacker to take control of the Active Directory server.
Following are the recommendations made by the Cybereason GSOC:-
Secure Azure AD Conditional Access – Download Free White Paper
Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting victims…
The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ advanced…
A significant XSS vulnerability was recently uncovered in Microsoft’s Bing.com, potentially allowing attackers to execute…
Meta has announced the removal of over 2 million accounts connected to malicious activities, including…
Critical security vulnerability has been identified in Veritas Enterprise Vault, a widely-used archiving and content…
A critical security vulnerability has been disclosed in the popular file archiving tool 7-Zip, allowing…