Tuesday, October 8, 2024
HomeCyber Security NewsNew JavaScript-based Dropper Delivers Bumblebee and IcedID Malware

New JavaScript-based Dropper Delivers Bumblebee and IcedID Malware

Published on

The latest research unveiled the JavaScript-based droppers, which deliver Bumblebee and IcedID malware instead of PowerShell-based droppers.

These two malware types are significantly related to ransomware attacks. 

Bumblebee is a modular loader, distributed primarily through phishing, used to deliver payloads commonly associated with ransomware deployments. 

- Advertisement - EHA

IcedID is a modular banking trojan that targets user financial information and can act as a dropper for other malware. It uses a man-in-the-browser attack to steal financial information, including login credentials for online banking sessions. 

The significant change in Bumblebee and IcedId from a PowerShell-based loader to a javascript-based loader and from a banking trojan to a malware loader shows how the threat actors establish their TTPs to evade detection. 

PindOS JavaScript Technical Analysis

According to Deep Instinct’s Threat Research Lab report, the dropper contains comments in Russian. It employs the unique user-agent string “PindOS”, which may be a reference to current (and past) anti-American sentiment in Russia.  

The dropper consists of a single function, “exec,” which gets four parameters. 

  • “UserAgent”: The user-agent string to be used when downloading Bumblebee’s.DLL 
  • “URL1”: First address to download from 
  • “URL2”: Second address to download from 
  • “RunDLL”: Payload DLL-exported function to call 

When executed, the dropper will attempt to download the payload initially from URL1 and execute it by calling on the specified export directly via rundll32.exe.  

If this fails, the dropper will attempt to download the payload from URL2 and execute it using a combination of PowerShell and rundll32.exe. 

The downloaded payload is saved to %appdata%/Microsoft/Templates/<6-char-random-number>.dat  

When comparing the old Bumblebee DLL with the new variant, both have the same main function, “set path”.  

Additionally, it includes “legitimate-looking” strings taken from the FFmpeg open-source project’s “error.c” file and a few other files from the same project for distraction purposes.  

The new variant has four main export functions, unlike the older variant, which had two. 

The retrieved payloads are generated pseudo-randomly “on demand,” which results in a new sample hash each time a payload is fetched to reduce the risk of detection. 

As Bumblebee and IcedID are known to deliver ransomware, we recommend that security teams take note of these IOCs—updated IOCs from Deep Instinct’s GitHub page.

IOCs  

  • Bumblebee.JS dropper SHA256 
    bcd9b7d4ca83e96704e00e378728db06291e8e2b50d68db22efd1f8974d1ca91  
    07d2cb0dc0cd353fb210b065733743078e79c4a27c42872cd516a6b1fb1f00d1  
    00ec8f3900336c7aeb31fef4d111ee6e33f12ad451bc5119d3e50ad80b2212b0  
    15da5b0a65dd8135273124da0c6e52e017e3b54642f87571e82d2314aae97eec  
    180a935383b39501c7bdf2745b3a334841f01a7df9d063fecca587b5cc3f5e7a  
  • Bumblebee DLL payload: SHA256 
    24dd5c33b8a5136bdf29d0c07cf56ef0e33a285bb12696a8ff65e4065cb18359  
    76c9780256e195901e1c09cb8a37fb5967f9f5b36564e380e7cf2558652f875b  
    28c87170f2525fdecc4092fb347acd9b8350ed65e0fd584ce9fc001fd237d523  
    ac261ac26221505798c65c61a207f3951cc7dce2e1014409d8a765d85bfd91d4  
  • IcedID.JS dropper SHA256 
    92506fe773db7472e7782dbb5403548323e65a9eb2e4c15f9ac65ee6c4bd908b  
    c84c84387f0b9e7bc575a008f36919448b4e6645e1f5d054e20b59be726ee814  
    7355656f894ae26215f979b953c8fa237dc39af857a6b27754a93adb1823f3b6  
    8f40ff286419eb4b0c4d15710dc552afb2c2a227a180f4b4f520d09b05724151  
  • IcedID DLL payload: SHA256 
    9101975f7aca998da796fc15a63b36ab8aa0fe0aed0b186aaed06a3383d5f226  
    4f0c9c6fc1287ef16f4683db90dd677054a1f834594494d61d765fa3f2e1352c  
    cb307d7fa6eaac6a975ad64ff966ff6b0b0fdd59109246c2f6f5e8d50a33e93c  
    361b0157ef63d362fdd4399288f5f6a0e1536633dfb49c808a3590718c4d8f10  
    e71c9ac9ddd55b485e636840da150db5cd2791d0681123457bd40623acd8311c  
    8ae3be9f09f5fc64ec898a4d6467b2f6e50eaaa26fc460a4f1a9b9566e97a9a7

Manage and Secure Your Endpoints Efficiently â€“ Free Download

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Badge and CyberArk Announce Partnership to Redefine Privacy in PAM and Secrets Management

Partnership aims to help businesses eliminate vulnerable attack surfaces and provide a more streamlined...

LemonDuck Malware Exploiting SMB Vulnerabilities To Attack Windwos Servers

The attackers exploited the EternalBlue vulnerability to gain initial access to the observatory farm,...

Critical Automative 0-Day Flaws Let Attackers Gain Full Control Over Cars

Recent discoveries in the automotive cybersecurity landscape have unveiled a series of critical zero-day...

Likho Hackers Using MeshCentral For Remotely Managing Victim Systems

The Awaken Likho APT group launched a new campaign in June of 2024 with...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

LemonDuck Malware Exploiting SMB Vulnerabilities To Attack Windwos Servers

The attackers exploited the EternalBlue vulnerability to gain initial access to the observatory farm,...

Likho Hackers Using MeshCentral For Remotely Managing Victim Systems

The Awaken Likho APT group launched a new campaign in June of 2024 with...

Hackers Gained Unauthorized Network Access to Casio Networks

Casio Computer Co., Ltd. has confirmed that a third party illegally accessed its network...