These two malware families are closely linked to ransomware attacks.
Bumblebee is a modular loader, distributed primarily through phishing, used to deliver payloads commonly associated with ransomware deployments.
IcedID is a modular banking trojan that targets user financial information and can act as a dropper for other malware. It uses a man-in-the-browser attack to steal financial information, including login credentials for online banking sessions.
According to Deep Instinct’s Threat Research Lab report, the dropper contains comments in Russian. It employs the unique user-agent string “PindOS”, which may be a reference to current (and past) anti-American sentiment in Russia.
The dropper consists of a single function, “exec,” which takes four parameters:
- “UserAgent”: The user-agent string to be used when downloading Bumblebee’s DLL
- “URL1”: First address to download from
- “URL2”: Second address to download from
- “RunDLL”: Payload DLL-exported function to call
When executed, the dropper first attempts to download the payload from URL1 and execute it by invoking the specified export directly via rundll32.exe.
If this fails, the dropper will attempt to download the payload from URL2 and execute it using a combination of PowerShell and rundll32.exe.
The downloaded payload is saved to %appdata%/Microsoft/Templates/<6-char-random-number>.dat
When comparing the old Bumblebee DLL with the new variant, both have the same main function, “set path”.
Additionally, it includes “legitimate-looking” strings taken from the FFmpeg open-source project’s “error.c” file and a few other files from the same project for distraction purposes.
The new variant has four main export functions, unlike the older variant, which had two.
The retrieved payloads are generated pseudo-randomly “on demand,” which results in a new sample hash each time a payload is fetched to reduce the risk of detection.
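Because each fetched payload has a fresh hash, hash matching alone is a weak control; the behaviour described above (the “PindOS” user-agent on the download, rundll32.exe loading a six-digit .dat file from %appdata%\Microsoft\Templates, and a script host or PowerShell as the parent process) is what a detection should key on. The following is an added example, not code from Deep Instinct or the report; the proxy lines and process-creation events are constructed telemetry, and the user names, IPs, hostnames and the export name “ExportName” are placeholders.

```python
import re
from typing import Dict, List, Optional

# Constructed telemetry for this example (not samples from the report): two
# web-proxy lines and three process-creation events in a key=value format.
PROXY_LOGS = [
    'ts=2023-06-27T10:01:02Z src=10.0.0.12 url=http://payload.example/one ua="PindOS"',
    'ts=2023-06-27T10:01:05Z src=10.0.0.13 url=http://intranet.example/ ua="Mozilla/5.0"',
]
PROCESS_EVENTS = [
    # First branch: the .js dropper (wscript.exe) calls rundll32.exe directly.
    r'ts=2023-06-27T10:01:03Z parent=wscript.exe image=rundll32.exe '
    r'cmd="rundll32.exe C:\Users\alice\AppData\Roaming\Microsoft\Templates\483920.dat,ExportName"',
    # Fallback branch: PowerShell launches rundll32.exe on the second download.
    r'ts=2023-06-27T10:01:09Z parent=powershell.exe image=rundll32.exe '
    r'cmd="rundll32.exe C:\Users\alice\AppData\Roaming\Microsoft\Templates\118273.dat,ExportName"',
    # Benign rundll32 use from the desktop shell: must not fire.
    r'ts=2023-06-27T10:02:00Z parent=explorer.exe image=rundll32.exe '
    r'cmd="rundll32.exe shell32.dll,Control_RunDLL"',
]

# key=value or key="quoted value" pairs.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into a dict of its key/value pairs."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}

# %appdata%\Microsoft\Templates\<6-digit random number>.dat as described in the
# report; %appdata% expands to ...\AppData\Roaming. Either slash direction and
# any letter case is accepted.
TEMPLATES_DAT = re.compile(
    r'AppData[\\/]Roaming[\\/]Microsoft[\\/]Templates[\\/][0-9]{6}\.dat', re.I)

# Parents that match the two execution paths: the JS dropper's script host
# (direct rundll32 call) or PowerShell (the fallback).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe"}

def check_proxy(rec: Dict[str, str]) -> Optional[str]:
    """Return a severity if the line carries the PindOS download user-agent."""
    if rec.get("ua") == "PindOS":
        return "medium"
    return None

def check_process(rec: Dict[str, str]) -> Optional[str]:
    """Return a severity if rundll32.exe loads a .dat from the Templates drop path."""
    if rec.get("image", "").lower() != "rundll32.exe":
        return None
    if not TEMPLATES_DAT.search(rec.get("cmd", "")):
        return None
    # The drop path alone is suspicious; a script-host or PowerShell parent
    # matches the dropper's execution chain and raises the severity.
    return "high" if rec.get("parent", "").lower() in SCRIPT_HOSTS else "medium"

def scan(proxy_lines: List[str], process_lines: List[str]) -> List[Dict[str, str]]:
    """Run both checks and return one finding per matching line."""
    findings: List[Dict[str, str]] = []
    for line in proxy_lines:
        rec = parse_line(line)
        sev = check_proxy(rec)
        if sev:
            findings.append({"ts": rec["ts"], "severity": sev,
                             "reason": f"PindOS user-agent from {rec.get('src')}"})
    for line in process_lines:
        rec = parse_line(line)
        sev = check_process(rec)
        if sev:
            findings.append({"ts": rec["ts"], "severity": sev,
                             "reason": f"rundll32 on Templates .dat, parent {rec.get('parent')}"})
    return findings

if __name__ == "__main__":
    for finding in scan(PROXY_LOGS, PROCESS_EVENTS):
        print(finding)
```

Run against the constructed input, the scan yields one medium finding for the user-agent and two high findings for the rundll32 launches with wscript.exe and powershell.exe parents, while the explorer.exe-launched shell32 call is ignored. The two process checks are deliberately split: the drop path is the stable indicator, and the parent process is what distinguishes the dropper’s two execution paths from ordinary rundll32.exe use.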
- Bumblebee .JS dropper: SHA256
- Bumblebee DLL payload: SHA256
- IcedID .JS dropper: SHA256
- IcedID DLL payload: SHA256