Friday, June 21, 2024

New JavaScript-based Dropper Delivers Bumblebee and IcedID Malware

The latest research unveiled the JavaScript-based droppers, which deliver Bumblebee and IcedID malware instead of PowerShell-based droppers.

These two malware types are significantly related to ransomware attacks. 

Bumblebee is a modular loader, distributed primarily through phishing, used to deliver payloads commonly associated with ransomware deployments. 

IcedID is a modular banking trojan that targets user financial information and can act as a dropper for other malware. It uses a man-in-the-browser attack to steal financial information, including login credentials for online banking sessions. 

The significant change in Bumblebee and IcedId from a PowerShell-based loader to a javascript-based loader and from a banking trojan to a malware loader shows how the threat actors establish their TTPs to evade detection. 

PindOS JavaScript Technical Analysis

According to Deep Instinct’s Threat Research Lab report, the dropper contains comments in Russian. It employs the unique user-agent string “PindOS”, which may be a reference to current (and past) anti-American sentiment in Russia.  

The dropper consists of a single function, “exec,” which gets four parameters. 

  • “UserAgent”: The user-agent string to be used when downloading Bumblebee’s.DLL 
  • “URL1”: First address to download from 
  • “URL2”: Second address to download from 
  • “RunDLL”: Payload DLL-exported function to call 

When executed, the dropper will attempt to download the payload initially from URL1 and execute it by calling on the specified export directly via rundll32.exe.  

If this fails, the dropper will attempt to download the payload from URL2 and execute it using a combination of PowerShell and rundll32.exe. 

The downloaded payload is saved to %appdata%/Microsoft/Templates/<6-char-random-number>.dat  

When comparing the old Bumblebee DLL with the new variant, both have the same main function, “set path”.  

Additionally, it includes “legitimate-looking” strings taken from the FFmpeg open-source project’s “error.c” file and a few other files from the same project for distraction purposes.  

The new variant has four main export functions, unlike the older variant, which had two. 

The retrieved payloads are generated pseudo-randomly “on demand,” which results in a new sample hash each time a payload is fetched to reduce the risk of detection. 

As Bumblebee and IcedID are known to deliver ransomware, we recommend that security teams take note of these IOCs—updated IOCs from Deep Instinct’s GitHub page.


  • Bumblebee.JS dropper SHA256 
  • Bumblebee DLL payload: SHA256 
  • IcedID.JS dropper SHA256 
  • IcedID DLL payload: SHA256 

Manage and Secure Your Endpoints Efficiently – Free Download


Latest articles

PrestaShop Website Under Injection Attack Via Facebook Module

A critical vulnerability has been discovered in the "Facebook" module (pkfacebook) from for...

Beware Of Illegal OTT Platforms That Exposes Sensitive Personal Information

A recent rise in data breaches from illegal Chinese OTT platforms exposes that user...

Beware Of Zergeca Botnet with Advanced Scanning & Persistence Features

A new botnet named Zergeca has emerged, showcasing advanced capabilities that set it apart...

Mailcow Mail Server Vulnerability Let Attackers Execute Remote Code

Two critical vulnerabilities (CVE-2024-31204 and CVE-2024-30270) affecting Mailcow versions before 2024-04 allow attackers to...

Hackers Attacking Vaults, Buckets, And Secrets To Steal Data

Hackers target vaults, buckets, and secrets to access some of the most classified and...

Hackers Weaponizing Windows Shortcut Files for Phishing

LNK files, a shortcut file type in Windows OS, provide easy access to programs,...

New Highly Evasive SquidLoader Attacking Employees Mimic As Word Document

Researchers discovered a new malware loader named SquidLoader targeting Chinese organizations, which arrives as...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles