Cyble-Bumblebee-Malware-Delivers-Payload-Using-Post-Exploitation Framework

Bumblebee Returns with New Infection Technique

Delivers Payload Using Post Exploitation Framework

During our routine threat-hunting exercise, Cyble Research & Intelligence Labs (CRIL) came across a Twitter post wherein a researcher mentioned an interesting infection chain of the Bumblebee loader malware being distributed via spam campaigns.

Bumblebee is a replacement for the BazarLoader malware, which acts as a downloader and delivers known attack frameworks and open-source tools such as Cobalt Strike, Shellcode, Sliver, Meterpreter, etc. It also downloads other types of malware such as ransomware, trojans, etc.

Technical Details

The initial infection starts with a spam email that has a password-protected attachment that contains a .VHD (Virtual Hard Disk) extension file.

The VHD file contains two files. The first is named “Quote.lnk” and the second is a hidden file “imagedata.ps1”. The LNK shortcut file has the parameters to execute the file “imagedata.ps1”, which further loads the Bumblebee payload in the memory of the PowerShell. Figure 1 shows the VHD file and its contents, along with LNK file properties.

Figure 1 – Content of VHD and the properties of LNK file

The following target command line is used by the LNK for executing the PowerShell Script “imagedata.ps1”

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -file imagedata.ps1

First Stage PowerShell Loader

Upon execution of the “imagedata.ps1” file, it hides the PowerShell window and runs the PowerShell code stealthily in the background. By default, the malware uses the –windowstyle hidden PowerShell command for hiding the PowerShell window. However, in this case, the malware uses an alternate command, ShowWindow, to evade detection by Anti-virus scanners. The figure below shows the code snippet used for hiding the PowerShell window.

Figure 2 – Code snippet to hide the PowerShell window

The PowerShell script contains strings that are split into multiple lines and concatenated later for execution. This is one of the techniques used by the malware to evade detection by Anti-virus products. The figure below shows the obfuscated Base64 encoded streams that are normalized using the “insert” and “remove” keywords and stored in a list, as shown below.

Figure 3 – Obfuscated Base64 encoded streams

Next, the malware iterates through the list of normalized Base64 elements, concatenates, decodes them using [System.Convert]::FromBase64String method, and finally performs the gzip decompression operation using the [System.IO.Compression.CompressionMode]::Decompress method. The gzip decompressed data contains the second stage of the PowerShell script, which is further executed by the “Invoke-Expression”, as shown below.

Figure 4 – Decompressing and invoking Second stage PowerShell script

Second Stage PowerShell Loader

This PowerShell script contains a large code block that loads the embedded DLL payload into the memory of “powershell.exe”. The second stage PowerShell code also employs the same obfuscation technique used in the first stage, as shown below.

Figure 5 – Obfuscated Second stage PowerShell script

The malware utilizes the PowerSploit module for its execution. The PowerSploit is an open-source post-exploitation framework in which the malware uses a method, Invoke-ReflectivePEInjection, for reflectively loading the DLL into the PowerShell Process. This methodvalidates the embedded file and performs multiple checks to ensure that the file is loaded properly on the executing system.

The image below shows the code similarities between the second stage PowerShell script present in the memory of “PowerShell.exe” and the Invoke-ReflectivePEInjection code from GitHub.

Figure 6 – Code similarities

The second stage PowerShell script contains a byte array in which the first byte is replaced with 0x4d to get the actual PE DLL file, as shown below. This DLL file is the final Bumblebee payload that performs other malicious activities.

Figure 7 – Embedded payload

The image below showcases the DLL payload (LdrAddx64.dll) injected into the memory of Powershell process by using the Invoke-ReflectivePEInjection function. The DLL is reflectively loaded and avoids detection by tools used to identify the DLLs of the active/running processes.

Figure 8 – Presence of injected DLL in PowerShell memory

Bumblebee payload

Figure 9 shows the file information of the final Bumblebee malware payload. Based on our static analysis, we found that the payload is a 64-bit, DLL binary compiled with a Microsoft Visual C/C++ compiler.

Figure 9 – Payload file details

In June 2022, we published a technical blog on the Bumblebee loader. Our research indicates that the payload behaviour of the current variant under our analysis is similar to the one we analyzed earlier.

Conclusion

Bumblebee, a recently developed malware loader, has quickly become a key component in a wide range of cyberattacks, besides replacing the existing BazarLoader. In an attempt to stay a step ahead of cybersecurity entities, Threat Actors (TAs) are constantly adapting new techniques and continuously monitoring to stay updated on the defense mechanisms employed by enterprises. Similarly, TAs behind the sophisticated Bumblebee loader keep updating its capabilities in order to strengthen its evasive maneuvers and anti-analysis tricks.

CRIL has been closely monitoring the Bumblebee malware group and other similar TA groups for a better understanding of their motivations and keeping our readers well-informed on the latest cybercrime news and cybersecurity challenges.

Our Recommendations

  • Refrain from opening untrusted links and email attachments without first verifying their authenticity.
  • Educate employees in terms of protecting themselves from threats like phishing’s/untrusted URLs.
  • Avoid downloading files from unknown websites.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices.
  • Use a reputed antivirus and internet security software package on your connected devices, including PC, laptop, and mobile.
  • Block URLs that could spread the malware, e.g., Torrent/Warez.
  • Monitor the beacon on the network level to block data exfiltration by malware or TAs.
  • Enable Data Loss Prevention (DLP) Solutions on the employees’ systems.

MITRE ATT&CK® Techniques

TacticTechnique IDTechnique Name
Initial AccessT1566Phishing
ExecutionT1204
T1059
User Execution
PowerShell
Privilege EscalationT1574
T1055
DLL Side-Loading
Process Injection
Defence EvasionT1027
T1497
T1574
Obfuscated Files or Information
Virtualization/Sandbox Evasion
DLL Side-Loading
DiscoveryT1012
T1082
T1518
Query Registry
System Information Discovery
Security Software Discovery

Indicators Of Compromise (IoC)

IndicatorsIndicator
Type
Description
59fc33d849f9ad2ab4e4b7fe4b443a33
e4ed0f94e8ad9aeeb019e6d253e2eefa83b51b5a
2102214c6a288819112b69005737bcfdf256730ac859e8c53c9697e3f87839f2
MD5
SHA1
Sha256
VHD file
b3b877f927898a457e35e4c6a6710d01
8ed3dfa1ece8dbad0ccc8be8c1684f5a3de08ccb
1285f03b8dbe35c82feef0cb57b3e9b24e75efabba0589752c2256a8da00ad85
MD5
SHA1
Sha256
LNK file
254d757d0f176afa59ecea28822b3a71
3e59fff860826055423dde5bbd8830cceae17cf3
0ff8988d76fc6bd764a70a7a4f07a15b2b2c604138d9aadc784c9aeb6b77e275
MD5
SHA1
Sha256
PS1 file – Stage 1
225b9fb42b5879c143c56ef7402cbcbc
03369886e9fc4b7eacc390045aa9c4b7fffad69a
db91155087bd2051b7ac0576c0994e9fffb5225c26ea134cb2f38e819f385730
MD5
SHA1
Sha256
PS1 file – Stage 2
da6feac8dff2a44784be3d078f2d4ac3
c0f43d1d3e87b0e8b86b4b9e91cb55b4a1893b48 9bd9da44cc2d259b8c383993e2e05bbe1bcdac917db563b94e824b4b1628e87c
MD5
SHA1
Sha256
Bumblebee  DLL
payload
Scroll to Top