/
2022-08-18 Bumblebee Loader IOCs
53 lines (37 loc) · 1.98 KB
/
2022-08-18 Bumblebee Loader IOCs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
THREAT ATTRIBUTION: BUMBLEBEE LOADER
THREAT IDENTIFICATION: BUMBLEBEE LOADER
ANALYST NOTES
The new Bumblebee infection flow (typically) begins with an iniital contact request submitted via a web form.
After receiving a reply email (even just an out-of-office or other auto-reply), the threat actor follows up.
Brief back and forth email exchanges can occur now which is meant to gain the confidence of the recipient.
Soon, the threat actor will suggest that they set up a phone meeting (with likely no intention of attending).
Next, The threat actor suggests that the recipient might want to review details of the project prior to the phone call.
Shortly, after that, the recipient receives an email sent from one of several file sharing services.
The email has a link to download the "project details" - it's easy to guess the rest of the story from here.
However, there's yet another oddity - the file to be downloaded is named "<companyname>.vhd".
The .vhd file is typically a virtual hard disk file for (primarily) Windows Virtual PC.
It's basically just a compressed file and is used that way here.
Once the file is unzipped, it contains an .lnk file and a Powershell script (this should be familiar).
The .lnk file launches the Powershell script.
The PowerShell script is obfuscated and split into multiple big base64 blocks (the blocks also seem to be compressed).
I'm assuming that the Powershell script uses this to dump and launch the payload since I saw no network traffic.
I was unable to get beyond this point - likely due to the heavy anti-VM tactics Bumblebee uses.
SUBJECTS OBSERVED
PrD
SENDERS OBSERVED
delivery@spaces.hightailmail.com
VHD FILE HASH
<companyname>.vhd
3c8c6095d53bd4287d6398f2831befbb
LNK FILE HASH
Quote.lnk
4166dc23c9ffb1fe465288801da97ca9
LNK FILE TARGET
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -file quotefile.ps1
POWERSHELL SCRIPT FILE HASH
quotefile.ps1
3e8de058c3430e7208adf50ee922d047
BUMBLEBEE PAYLOAD FILE HASH
Unknown
BUMBLEBEE C2
Unknown