[MART] - Daily Diary #592 - Bumblebee Loader Using VHD Files

ctas-mat at appgate.com ctas-mat at appgate.com
Mon Sep 12 20:18:48 UTC 2022

I hope everyone is doing well!

Below is the entry for today.

09/12/2022 - Diary entry #592:

Covered in our Daily Diaries #499 and #541, "Bumblebee" is a malware loader with advanced anti-analysis and anti-detection features. Bumblebee has been used along with well-known attack frameworks and open-source tools like Cobalt Strike and Meterpreter. It can also be used to download and execute other types of malware, including ransomware. Recent campaigns reveal Bumblebee being used with a new infection technique.

Previously, Bumblebee was involved in phishing campaigns believed to be orchestrated by the same actors behind BazarLoader and TrickBot, the "Conti Syndicate" (covered in many of our Daily Diaries). It reached victims via emails carrying password-protected compressed ISO files, each containing an LNK with a malicious command line that executed a DLL from the same ISO.

Now, Bumblebee seems to have replaced the ISO with a VHD (virtual hard disk) file. Similarly, the VHD is mounted by the operating system and contains an LNK shortcut file, but instead of executing a DLL the LNK runs a PowerShell command, using reflective injection to execute PowerSploit in memory. PowerSploit is an open-source post-exploitation framework that has been used in the past by many threat actors, since it is easy to deploy and allows the attacker to execute arbitrary commands on machines with PowerShell (native) installed - a technique that we call Living-off-the-Land. By executing in memory through a Windows trusted binary, the malware minimizes the chances of being detected by AVs and other security solutions.

This incident shows how creative attackers can be when choosing new types of files to deliver malware. By using different file types, those campaigns avoid being detected by anti-spam filters, since those often rely on pattern-matching and may not have the capability to process unexpected file types. Users and network administrators must always be careful with e-mail attachments, deleting/blocking suspicious files - especially from unknown senders.
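Because a VHD can be recognised by its content rather than its file name, a mail gateway or attachment scanner can flag it even when the extension has been changed. The following is an added example (not code from the original post or from the Appgate team): it parses the 512-byte footer defined in Microsoft's VHD specification, verifies the footer checksum, and builds a constructed sample image to test against; the field layout and the file name `invoice.dat` are assumptions for illustration.

```python
import struct

# VHD footer layout from Microsoft's VHD specification: 512 bytes, big-endian.
# Fields: cookie, features, version, data_offset, timestamp, creator_app, creator_ver,
# creator_os, original_size, current_size, geometry, disk_type, checksum, unique_id,
# saved_state, reserved.
FOOTER_FMT = ">8sIIQI4sI4sQQIII16sB427s"
COOKIE = b"conectix"
DISK_TYPES = {0: "none", 2: "fixed", 3: "dynamic", 4: "differencing"}

def vhd_checksum(footer: bytes) -> int:
    """One's complement of the byte sum, with the checksum field (offset 64..68) zeroed."""
    zeroed = footer[:64] + bytes(4) + footer[68:]
    return (~sum(zeroed)) & 0xFFFFFFFF

def parse_vhd_footer(blob: bytes):
    """Return footer details if `blob` ends with a VHD footer, else None (content-based, not by extension)."""
    if len(blob) < 512:
        return None
    footer = blob[-512:]
    f = struct.unpack(FOOTER_FMT, footer)
    if f[0] != COOKIE:
        return None
    return {
        "checksum_ok": f[12] == vhd_checksum(footer),
        "disk_type": DISK_TYPES.get(f[11], "unknown(%d)" % f[11]),
        "creator_app": f[5].decode("ascii", "replace"),
        "current_size": f[9],
        # dynamic/differencing images also carry a copy of the footer at offset 0
        "footer_copy_at_start": blob[:8] == COOKIE,
    }

def flag_attachment(filename: str, blob: bytes) -> bool:
    """Gateway rule: flag the attachment if it is a VHD, whatever its extension says."""
    info = parse_vhd_footer(blob)
    return info is not None and info["checksum_ok"]

def build_sample_vhd(size: int = 4096, disk_type: int = 2) -> bytes:
    """Constructed sample for this example: raw data followed by a valid footer."""
    data_offset = 0xFFFFFFFFFFFFFFFF if disk_type == 2 else 512  # fixed disks use all-ones
    footer = struct.pack(FOOTER_FMT, COOKIE, 2, 0x00010000, data_offset, 0, b"win ",
                         0x000A0000, b"Wi2k", size, size, 0, disk_type, 0, bytes(16), 0, bytes(427))
    footer = footer[:64] + struct.pack(">I", vhd_checksum(footer)) + footer[68:]
    return bytes(size) + footer

if __name__ == "__main__":
    sample = build_sample_vhd()
    print(parse_vhd_footer(sample))
    print(flag_attachment("invoice.dat", sample))  # True: the renamed file is still a VHD
```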

Kind Regards,




Malware Analysis and Research Team


E: ctas-mat at appgate.com
