Bumblebee is a custom loader written in C++ that has been used by multiple threat actors, including possible initial access brokers, to download and execute additional payloads since at least March 2022. Bumblebee has been linked to ransomware operations including Conti, Quantum, and Mountlocker and derived its name from the appearance of "bumblebee" in the user-agent.[1][2][3]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1047 | Windows Management Instrumentation | Bumblebee can use WMI to gather system information and to spawn processes for code injection.[1][2][4] |
| Enterprise | T1005 | Data from Local System | Bumblebee can capture and compress stolen credentials from the Registry and volume shadow copies.[4] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Bumblebee has named component DLLs "RapportGP.dll" to match those used by the security company Trusteer.[5] |
| Enterprise | T1129 | Shared Modules | Bumblebee can use |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Bumblebee can deobfuscate C2 server responses and unpack its code on targeted hosts.[2][5] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Bumblebee can create a Visual Basic script to enable persistence.[2][3] |
| Enterprise | T1008 | Fallback Channels | Bumblebee can use backup C2 servers if the primary server fails.[2] |
| Enterprise | T1560 | Archive Collected Data | Bumblebee can compress data stolen from the Registry and volume shadow copies prior to exfiltration.[4] |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | Bumblebee has the ability to base64 encode C2 server responses.[2] |
| Enterprise | T1106 | Native API | |
| Enterprise | T1012 | Query Registry | |
| Enterprise | T1027 | Obfuscated Files or Information | Bumblebee has been delivered as password-protected zipped ISO files and has used control-flow flattening to obfuscate the flow of its functions.[2][4][5] |
| Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | Bumblebee has the ability to bypass UAC to deploy post-exploitation tools with elevated privileges.[4] |
| Enterprise | T1204.001 | User Execution: Malicious Link | Bumblebee has relied upon a user downloading a file from a OneDrive link for execution.[2][4] |
| Enterprise | T1204.002 | User Execution: Malicious File | Bumblebee has relied upon a user opening an ISO file to enable execution of malicious shortcut files and DLLs.[2][3][4][5] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | Bumblebee can uninstall its loader through the use of a |
| Enterprise | T1218.008 | System Binary Proxy Execution: Odbcconf | Bumblebee can use |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | Bumblebee has used |
| Enterprise | T1082 | System Information Discovery | Bumblebee can enumerate the OS version and domain on a targeted system.[1][2][3] |
| Enterprise | T1033 | System Owner/User Discovery | |
| Enterprise | T1102 | Web Service | Bumblebee has been downloaded to victims' machines from OneDrive.[2] |
| Enterprise | T1497 | Virtualization/Sandbox Evasion | Bumblebee has the ability to perform anti-virtualization checks.[2] |
| Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | Bumblebee has the ability to search for designated file paths and Registry keys that indicate a virtualized environment from multiple products.[5] |
| Enterprise | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | Bumblebee has the ability to set a hardcoded and randomized sleep interval.[2] |
| Enterprise | T1622 | Debugger Evasion | |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | Bumblebee can identify specific analytical tools based on running processes.[2][3][5] |
| Enterprise | T1105 | Ingress Tool Transfer | Bumblebee can download and execute additional payloads including through the use of a |
| Enterprise | T1057 | Process Discovery | Bumblebee can identify processes associated with analytical tools.[2][3][5] |
| Enterprise | T1055 | Process Injection | Bumblebee can inject code into multiple processes on infected endpoints.[4] |
| Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | The Bumblebee loader can support the |
| Enterprise | T1055.004 | Process Injection: Asynchronous Procedure Call | Bumblebee can use asynchronous procedure call (APC) injection to execute commands received from C2.[2] |
| Enterprise | T1559.001 | Inter-Process Communication: Component Object Model | Bumblebee can use a COM object to execute queries to gather system information.[2] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Bumblebee has gained execution through luring users into opening malicious attachments.[2][3][4][5] |
| Enterprise | T1566.002 | Phishing: Spearphishing Link | Bumblebee has been spread through e-mail campaigns with malicious links.[2][4] |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Bumblebee can achieve persistence by copying its DLL to a subdirectory of %APPDATA% and creating a Visual Basic Script that will load the DLL via a scheduled task.[2][3] |