A year in the hive: BumbleBee

May 25th 2023


A look back at BumbleBee’s activities in the past year


Introduction

BumbleBee is a relatively new malware loader that targets Windows systems. It was first discovered in March 2022, so it has now been in circulation for a full year. In this blog post, we summarize BumbleBee’s activities, features, and the key takeaways from the research published over the past year.

Getting a handle on the BumbleBee loader is vital in today’s ever-changing threat landscape: it has emerged as a significant threat, playing a starring role in several high-profile attacks against diverse organizations, from financial institutions to government agencies. The loader is no slouch when it comes to deploying follow-on payloads and pulling off anti-analysis tricks, showcasing the growing sophistication of today’s cyber shenanigans. With malspam campaigns and spear phishing as its primary modes of entry, BumbleBee poses a real threat to countless organizations.

From Humble Beginnings to High-Profile Cyber Attacks

When first observed, BumbleBee was still under active development. Subsequent versions added the ability to download and run additional code, along with numerous evasion techniques designed to hinder both manual and automated dynamic analysis. Since then, several well-known threat actors have adopted BumbleBee: Google’s Threat Analysis Group (TAG) found that it was first used by a very busy cybercriminal group tracked as EXOTIC LILY. This group acts as an initial access broker, breaking into organizations and handing the access to other criminals, and is thought to be working with WIZARD SPIDER, the group behind the Conti, Trickbot and Diavol malware.

It looks like BumbleBee has taken the place of BazaLoader, another famous malware loader that criminals used to use a lot. Proofpoint reported that BazaLoader hasn’t shown up in any cyberattacks since February 2022. This supports the idea that BumbleBee has taken the reins from BazaLoader.

According to IBM X-Force researchers, BumbleBee has been found to be in cahoots with the Ramnit banking trojan, a seasoned troublemaker dating back to 2010. The two malware families are believed to be associated as there are multiple code and behavioral similarities between the two, such as near-identical target lists for code injections and how hooking and unhooking techniques are implemented.

As of February 2023, BumbleBee’s evolution persists, further enhancing its ability to protect itself from detection and resist automated malware analysis.

Crafty Attack Vectors Uncovered

According to Google TAG’s analysis, the actors behind BumbleBee add a hefty dose of human touch to their spear phishing emails to improve their odds of success. They have even started riding the wave of interest in ChatGPT as a lure. The threat actors host their payloads on popular file-sharing services such as OneDrive, TransferNow, and WeTransfer and deliver them to victims as links. They reel in their prey by keeping up a persistent back-and-forth and posing as legitimate business proposals, all while skillfully weaving their web of social engineering.

Another observation is that these threat actors often send malicious ISO files as email attachments or links, duping victims into downloading their payloads. Each ISO holds a Windows shortcut (LNK file) and a DLL; when the victim double-clicks the shortcut, it invokes rundll32.exe to call an export of the DLL, which is the BumbleBee loader. ISO files were attractive because, until Microsoft changed the behaviour in late 2022, files inside a mounted ISO did not inherit the Mark-of-the-Web, so SmartScreen and Office protected view did not apply to them. Of note, BumbleBee adopted malicious ISO files in its delivery chain shortly after QBot did, making it one of the earlier malware families to use the tactic.
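The ISO, LNK and rundll32.exe chain described above leaves a recognisable trace in process-creation telemetry: rundll32.exe running a DLL that lives on a freshly mounted volume or in a user-writable folder, launched by explorer.exe. The following is an added example of that detection logic, not VMRay’s detection code and not taken from the original post. The event fields follow the shape of Sysmon Event ID 1, the trusted-directory list and the scoring rules are assumptions of this example, and the sample events (including the DLL and export names) are constructed.

```python
"""Heuristic detection of the ISO -> LNK -> rundll32.exe delivery chain.

Added example: scores process-creation events (Sysmon Event ID 1 style) and
flags rundll32.exe when its DLL argument does not come from a trusted system
directory. Field names, thresholds and sample events are constructed.
"""
import re
from dataclasses import dataclass

# Directories from which rundll32.exe legitimately loads DLLs (lower-case, trailing slash).
TRUSTED_DIR_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# rundll32 syntax: rundll32[.exe] <dll>,<entrypoint> [args]; the DLL path may be quoted.
RUNDLL_RE = re.compile(
    r'^"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)

@dataclass(frozen=True)
class ProcessEvent:
    image: str          # full path of the created process
    command_line: str
    parent_image: str   # full path of the parent process

def parse_rundll32(command_line):
    """Return (dll_path, export) for a rundll32 command line, or None."""
    m = RUNDLL_RE.match(command_line.strip())
    return (m.group("dll"), m.group("export")) if m else None

def is_trusted_path(path):
    return path.lower().startswith(TRUSTED_DIR_PREFIXES)

def analyze(event):
    """Return the reasons an event looks like the ISO/LNK/rundll32 chain (empty if none)."""
    reasons = []
    if not event.image.lower().endswith("\\rundll32.exe"):
        return reasons
    parsed = parse_rundll32(event.command_line)
    if parsed is None:
        return reasons
    dll, export = parsed
    # Bare DLL names are resolved through the DLL search path and are not scored here.
    if "\\" in dll and not is_trusted_path(dll):
        reasons.append(f"DLL loaded from outside trusted directories: {dll}")
        if dll[:1].lower() != "c":
            # A mounted ISO appears as a new drive letter, so a DLL on D:, E:, ... stands out.
            reasons.append(f"DLL sits on a non-system volume ({dll[:2]}), e.g. a mounted ISO")
    if event.parent_image.lower().endswith("\\explorer.exe"):
        reasons.append("parent is explorer.exe, consistent with a double-clicked LNK")
    if export.startswith("#"):
        reasons.append(f"export called by ordinal ({export}), which hides the function name")
    return reasons

def is_suspicious(event):
    """Only the untrusted DLL path is a hard indicator; the other reasons are context."""
    return any(r.startswith("DLL loaded from outside") for r in analyze(event))

# Constructed sample events (not real BumbleBee telemetry).
SAMPLE_EVENTS = [
    ProcessEvent(  # DLL on a mounted ISO (E:), started via a shortcut the user clicked
        image="C:\\Windows\\System32\\rundll32.exe",
        command_line='rundll32.exe "E:\\invoice.dll",ShowDialog',
        parent_image="C:\\Windows\\explorer.exe",
    ),
    ProcessEvent(  # benign: Control Panel applet launched from the shell
        image="C:\\Windows\\System32\\rundll32.exe",
        command_line="C:\\Windows\\System32\\rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL",
        parent_image="C:\\Windows\\explorer.exe",
    ),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print("SUSPICIOUS" if is_suspicious(ev) else "ok       ", ev.command_line)
        for reason in analyze(ev):
            print("   -", reason)
```

The heuristic deliberately treats only the untrusted DLL location as a hard hit; explorer.exe as parent and ordinal exports are corroborating signals that also occur in benign use, so they are reported but do not trigger on their own.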

Flying under the radar

Once BumbleBee is running on a target, it performs a battery of anti-analysis checks to detect virtual machines and sandboxes. Much of the code behind these checks is lifted straight from the open-source Al-Khaser project. One ace up BumbleBee’s sleeve is a technique commonly called “hook evasion”: user-mode security products intercept calls to native functions in ntdll.dll by overwriting the first instructions of those functions with a jump into their own code, and BumbleBee tampers with the functions in memory so that its calls no longer pass through the security product. In this case, the loader’s endgame is to stay stealthy and fly under the radar within the target system, enabling it to deliver and execute its payloads without tripping security alerts. On top of hook evasion, the malware also turns to “software packing,” compressing or encrypting the executable’s code and unpacking it only at run time. Packing changes the bytes on disk, so static signatures written for the unpacked code no longer match; the real code exists only in memory, which is why dynamic analysis is needed to see it.
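The hook evasion described above rests on one observable fact: on 64-bit Windows 10 and 11 every Nt*/Zw* stub in ntdll.dll begins with the same two instructions, so a stub whose first bytes differ has been hooked. The following is an added example, not BumbleBee’s code and not from the original post, showing both sides of that coin: detecting a hooked stub, and recovering the syscall number of a hooked stub from its unhooked neighbours (the “Halo’s Gate” approach, which assumes stubs are 32 bytes apart with ascending syscall numbers). The stubs are constructed byte strings that mimic the real layout; on a live system the table would be read from ntdll’s export directory, which this offline example does not do.

```python
"""Checking ntdll syscall stubs for inline hooks and recovering syscall numbers.

Added example, not BumbleBee's or VMRay's code. On 64-bit Windows 10/11 every
Nt*/Zw* stub in ntdll.dll starts with the same prologue:
    4C 8B D1        mov  r10, rcx
    B8 xx xx 00 00  mov  eax, <syscall number (SSN)>
User-mode security products hook these stubs by overwriting the first bytes with
a jump into their own code. Malware that wants to evade them checks for that
modification, then either restores the original bytes or issues the syscall
itself; a defender can run the same comparison to find hooks. The stubs below
are constructed byte strings mimicking the real layout (32-byte stride, SSNs
ascending with address, which is the assumption behind "Halo's Gate").
"""

STUB_SIZE = 32
CLEAN_PROLOGUE = b"\x4c\x8b\xd1\xb8"          # mov r10, rcx ; mov eax, imm32

# First bytes of common hook trampolines.
HOOK_PATTERNS = {
    b"\xe9": "jmp rel32",
    b"\xff\x25": "jmp [rip+disp32]",
    b"\x68": "push imm32 ; ret",
    b"\x48\xb8": "mov rax, imm64 ; jmp rax",
}

def make_clean_stub(ssn):
    """Build a constructed, unhooked stub for the given syscall number."""
    body = (CLEAN_PROLOGUE + ssn.to_bytes(4, "little")
            + b"\xf6\x04\x25\x08\x03\xfe\x7f\x01"  # test byte ptr [0x7ffe0308], 1
            + b"\x75\x03"                          # jne  +3 (take the int 2Eh path)
            + b"\x0f\x05"                          # syscall
            + b"\xc3"                              # ret
            + b"\xcd\x2e\xc3")                     # int 2Eh ; ret
    return body.ljust(STUB_SIZE, b"\xcc")          # pad to the 32-byte stride

def make_hooked_stub(ssn, rel32=0x1000):
    """The same stub after a security product overwrote its first five bytes with jmp rel32."""
    clean = make_clean_stub(ssn)
    return b"\xe9" + rel32.to_bytes(4, "little") + clean[5:]

def hook_type(stub):
    """None for a clean stub, otherwise a description of the modification."""
    if stub.startswith(CLEAN_PROLOGUE):
        return None
    for pattern, name in HOOK_PATTERNS.items():
        if stub.startswith(pattern):
            return name
    return "unknown modification"

def is_hooked(stub):
    return hook_type(stub) is not None

def syscall_number(stub):
    """SSN from a clean stub's 'mov eax, imm32'; None if the prologue was overwritten."""
    if is_hooked(stub):
        return None
    return int.from_bytes(stub[4:8], "little")

def resolve_ssn(stubs, index):
    """Halo's Gate: when stubs[index] is hooked, read the SSN from the nearest clean
    neighbour and adjust by the distance (neighbouring stubs have consecutive SSNs)."""
    for distance in range(len(stubs)):
        for sign in ((0,) if distance == 0 else (-1, 1)):
            j = index + sign * distance
            if 0 <= j < len(stubs):
                ssn = syscall_number(stubs[j])
                if ssn is not None:
                    return ssn - sign * distance
    return None

def scan(stubs):
    """List (index, hook description) for every hooked stub in the table."""
    return [(i, hook_type(s)) for i, s in enumerate(stubs) if is_hooked(s)]

def build_sample_table():
    """Constructed table of five consecutive stubs, two of them hooked."""
    return [make_clean_stub(0x18), make_clean_stub(0x19), make_hooked_stub(0x1a),
            make_clean_stub(0x1b), make_hooked_stub(0x1c)]

if __name__ == "__main__":
    table = build_sample_table()
    print("hooked stubs:", scan(table))
    for i in range(len(table)):
        print(f"stub {i}: SSN 0x{resolve_ssn(table, i):02x}")
```

A defender running the same check compares the mapped ntdll.dll against the copy on disk rather than against a hard-coded prologue, which also catches hooks placed deeper than the first instruction; the prologue test above is the cheap version malware tends to use.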

After clearing the anti-analysis hurdles, the malware rolls up its sleeves and gets down to business: deploying its follow-on payloads. Over the past year, BumbleBee has been spotted dropping Cobalt Strike, Meterpreter, Sliver, and raw shellcode.

Head over to our Threat Feed to dive deep into a BumbleBee sample analysis report.

Wrapping up

We’re only a year into research on the BumbleBee loader, and while information remains scarce, there are indications that it continues to undergo significant development. To delve deeper into its evolution, we invite you to join us at the FIRST Conference this summer: https://www.first.org/conference/2023/program#pBusy-Bees-The-Transformation-of-BumbleBee

Ertugrul Kara

Ertugrul Kara is the Senior Product Marketing Manager for VMRay. With a career spanning over 10 years in cybersecurity, he has seen the advancement of security products from open source firewalls to automation-powered threat detection technologies following the evolution of threat landscape.

He is currently focused on leading the marketing efforts for VMRay’s security automation solutions while enhancing the alignment between the products with enterprise customer needs.

Previously, he has held various roles in early stage security startups, led the product launch and growth strategies, and run his own startup specialized in network security.

This blog post was written based on the research available until April 1st, 2023.


VTIs (columns: VTI Operation Description, VTI Category, MITRE ATT&CK® ID, Why it’s important)

Detect using BITS to download files
VTI Category: Network Connection
MITRE ATT&CK® ID: T1197 [legacy: T1197, T1105]
Why it’s important: BITS (Background Intelligent Transfer Service) jobs can be abused by adversaries to download payloads, establish persistence and carry out covert background activity on a compromised system. A BITS job is a queue of one or more file transfer tasks that the BITS service runs asynchronously; it survives reboots and can be told to execute a command when a transfer completes. Because the network traffic originates from the service host process rather than from the malware itself, BITS is attractive to actors seeking to evade detection.

Detect file download attempts with finger.exe
VTI Category: Network Connection
MITRE ATT&CK® ID: T1105 [legacy: T1105]
Why it’s important: Adversaries may abuse legitimate command-line tools like finger.exe, which queries a finger server over TCP port 79, to stealthily retrieve a payload from an attacker-controlled server and pipe it into an interpreter for execution. Using a download utility that few security controls watch lets them bypass those controls and evade detection.

Detect privilege escalation using AppInit Dlls
VTI Category: Privilege Escalation
MITRE ATT&CK® ID: T1546.010 [legacy: T1103]
Why it’s important: Malicious actors can achieve persistence and elevate privileges by registering a DLL in the AppInit_DLLs value; user32.dll then loads it into every process that loads user32.dll, so the attacker’s code runs inside legitimate processes and inherits their privileges, exploiting a Windows operating system feature to evade detection. (On systems with Secure Boot enabled, AppInit_DLLs is disabled.)

Detect privilege escalation using AppCert Dlls
VTI Category: Privilege Escalation
MITRE ATT&CK® ID: T1546.009 [legacy: T1182]
Why it’s important: DLLs listed under the AppCertDlls key are loaded into every process that calls the CreateProcess family of APIs, so an attacker who registers one gains persistence and code execution in the context, and with the privileges, of legitimate processes, again exploiting a Windows operating system feature to evade detection.

Detect persistence using SilentProcessExit monitor
VTI Category: Privilege Escalation
MITRE ATT&CK® ID: T1546.012 [legacy: T1183]
Why it’s important: The SilentProcessExit mechanism, part of Image File Execution Options, lets an administrator register a monitor process that Windows launches whenever a chosen executable exits silently, that is, through ExitProcess or TerminateProcess. An attacker who points the MonitorProcess value for a frequently used program at a malicious executable, and sets the GlobalFlag bit (0x200) that enables monitoring, gets their code run every time that program exits, without touching the more commonly monitored autostart locations.

Detect application shimming
VTI Category: Privilege Escalation
MITRE ATT&CK® ID: T1546.011 [legacy: T1138]
Why it’s important: Shimming uses the Windows Application Compatibility Infrastructure (shim databases, .sdb files) to modify application behavior, normally for compatibility reasons, but attackers can install a custom shim database that injects malicious code into a legitimate process or disables its protections, in order to gain elevated privileges and evade detection.
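The four registry-based VTIs in the list above (AppInit DLLs, AppCert DLLs, SilentProcessExit and IFEO, application shimming) all reduce to a write under a small set of well-known keys, so they can be triaged from registry value-set telemetry. The following is an added example of that triage, not VMRay’s VTI implementation and not from the original post. Events follow the shape of Sysmon Event ID 13 (TargetObject is the key path plus value name, Details is the data written); the rule regexes, the rule names and every sample event, including process and file names, are constructed for this example. The two network VTIs (BITS and finger.exe) are not registry events and are out of scope here.

```python
"""Match registry value-set events against the persistence / privilege-escalation
VTIs listed above (AppInit DLLs, AppCert DLLs, SilentProcessExit / IFEO, shims).

Added example, not VMRay's VTI logic. Events mimic Sysmon Event ID 13
(RegistryEvent, value set). All sample events are constructed.
"""
import re
from dataclasses import dataclass

# FLG_MONITOR_SILENT_PROCESS_EXIT bit in the IFEO GlobalFlag value.
FLG_MONITOR_SILENT_PROCESS_EXIT = 0x200

# (rule name, regex on TargetObject, ATT&CK ID). Regexes are case-insensitive and not
# anchored at the start, so HKLM\SOFTWARE\Wow6432Node\... variants match as well.
RULES = [
    ("AppInit DLLs",
     r"\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\(AppInit_DLLs|LoadAppInit_DLLs)$",
     "T1546.010"),
    ("AppCert DLLs",
     r"\\Control\\Session Manager\\AppCertDlls\\[^\\]+$",
     "T1546.009"),
    ("SilentProcessExit monitor",
     r"\\CurrentVersion\\SilentProcessExit\\[^\\]+\\(MonitorProcess|ReportingMode)$",
     "T1546.012"),
    ("IFEO GlobalFlag / Debugger",
     r"\\CurrentVersion\\Image File Execution Options\\[^\\]+\\(GlobalFlag|Debugger)$",
     "T1546.012"),
    ("Application shim",
     r"\\CurrentVersion\\AppCompatFlags\\(Custom|InstalledSDB)\\",
     "T1546.011"),
]
COMPILED = [(name, re.compile(rx, re.IGNORECASE), tid) for name, rx, tid in RULES]

@dataclass(frozen=True)
class RegistryEvent:
    image: str          # process that wrote the value
    target_object: str  # key path + value name
    details: str        # data as Sysmon renders it, e.g. "DWORD (0x00000200)"

def dword_value(details):
    """Extract the integer from Sysmon's 'DWORD (0x...)' rendering, or None."""
    m = re.search(r"0x([0-9a-fA-F]+)", details)
    return int(m.group(1), 16) if m else None

def classify(event):
    """Return the ATT&CK IDs of the rules the event triggers (deduplicated, rule order)."""
    ids = []
    for _name, rx, tid in COMPILED:
        if not rx.search(event.target_object):
            continue
        # GlobalFlag carries many unrelated debugging bits; only 0x200 arms SilentProcessExit.
        if event.target_object.lower().endswith("\\globalflag"):
            value = dword_value(event.details)
            if value is None or not value & FLG_MONITOR_SILENT_PROCESS_EXIT:
                continue
        if tid not in ids:
            ids.append(tid)
    return ids

def triage(events):
    """(target_object, ATT&CK IDs) for every event that hits at least one rule."""
    return [(e.target_object, classify(e)) for e in events if classify(e)]

IFEO = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\"

# Constructed sample events; process, file and value names are made up.
SAMPLE_EVENTS = [
    RegistryEvent("C:\\Users\\Public\\stage.exe",
        "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\notepad.exe\\MonitorProcess",
        "C:\\Users\\Public\\stage.exe"),
    RegistryEvent("C:\\Users\\Public\\stage.exe", IFEO + "notepad.exe\\GlobalFlag",
        "DWORD (0x00000200)"),
    RegistryEvent("C:\\Windows\\System32\\gflags.exe", IFEO + "notepad.exe\\GlobalFlag",
        "DWORD (0x00000002)"),            # unrelated debug flag, must not fire
    RegistryEvent("C:\\Users\\Public\\stage.exe",
        "HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs",
        "C:\\Users\\Public\\hook.dll"),
    RegistryEvent("C:\\Users\\Public\\stage.exe",
        "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls\\Updater",
        "C:\\Users\\Public\\cert.dll"),
    RegistryEvent("C:\\Windows\\System32\\sdbinst.exe",
        "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\iexplore.exe\\{a1b2c3d4-0000-0000-0000-000000000001}.sdb",
        "QWORD (0x01d90000-0x12345678)"),
    RegistryEvent("C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
        "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
        "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"),
]

if __name__ == "__main__":
    for target, ids in triage(SAMPLE_EVENTS):
        print(", ".join(ids), "<-", target)
```

The GlobalFlag special case matters in practice: that value is legitimately set by debugging tools such as gflags.exe, so matching on the key alone would be noisy, while checking for the 0x200 bit ties the alert to the SilentProcessExit behaviour the VTI describes.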
