Bumblebee, a recently developed malware loader, has quickly become a key component in a wide range of cyber-crime attacks and appears to have replaced a number of older loaders, which suggests that it is the work of established actors and that the transition to Bumblebee was pre-planned.

By analyzing three other tools used in recent attacks involving Bumblebee, Symantec’s Threat Hunter team, a part of Broadcom Software, has linked this tool to a number of ransomware operations including Conti, Quantum, and Mountlocker.

The tactics, techniques, and procedures (TTPs) used in these older attacks support the hypothesis that Bumblebee may have been introduced as a replacement loader for Trickbot and BazarLoader, since there is some overlap between recent activity involving Bumblebee and older attacks linked to these loaders.

Bumblebee and Quantum: Bumblebee’s role in ransomware delivery

A recent attack involving the Quantum ransomware demonstrates how Bumblebee is now being leveraged by attackers to deliver ransomware.

The initial infection vector was a spear-phishing email with an attachment containing an ISO file. This ISO file contained a Bumblebee DLL file and an LNK file, which loaded the Bumblebee DLL using rundll32.exe.

Bumblebee supports multiple commands, such as “Ins” for bot persistence, “Dij” for DLL injection, and “Dex” for downloading executables.

Bumblebee contacted a command-and-control (C&C) server (45.153.243.93) and created a copy of itself in the %APPDATA% folder under a random name; it also created a VBS file in the same location to load that DLL. A scheduled task was then created using the Bumblebee “Ins” command to run the VBS file every 15 minutes.