Cyble-Bumblebee-Malware-Delivers-Payload-Using-Post-Exploitation Framework

Bumblebee Returns with New Infection Technique

Delivers Payload Using Post Exploitation Framework

During our routine threat-hunting exercise, Cyble Research & Intelligence Labs (CRIL) came across a Twitter post wherein a researcher mentioned an interesting infection chain of the Bumblebee loader malware being distributed via spam campaigns.

Bumblebee is a replacement for the BazarLoader malware, which acts as a downloader and delivers known attack frameworks and open-source tools such as Cobalt Strike, Shellcode, Sliver, Meterpreter, etc. It also downloads other types of malware such as ransomware, trojans, etc.

Technical Details

The initial infection starts with a spam email that has a password-protected attachment that contains a .VHD (Virtual Hard Disk) extension file.

The VHD file contains two files. The first is named “Quote.lnk” and the second is a hidden file “imagedata.ps1”. The LNK shortcut file has the parameters to execute the file “imagedata.ps1”, which further loads the Bumblebee payload in the memory of the PowerShell. Figure 1 shows the VHD file and its contents, along with LNK file properties.

Figure 1 – Content of VHD and the properties of LNK file

The following target command line is used by the LNK for executing the PowerShell Script “imagedata.ps1”

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -file imagedata.ps1

First Stage PowerShell Loader

Upon execution of the “imagedata.ps1” file, it hides the PowerShell window and runs the PowerShell code stealthily in the background. By default, the malware uses the –windowstyle hidden PowerShell command for hiding the PowerShell window. However, in this case, the malware uses an alternate command, ShowWindow, to evade detection by Anti-virus scanners. The figure below shows the code snippet used for hiding the PowerShell window.

Figure 2 – Code snippet to hide the PowerShell window

The PowerShell script contains strings that are split into multiple lines and concatenated later for execution. This is one of the techniques used by the malware to evade detection by Anti-virus products. The figure below shows the obfuscated Base64 encoded streams that are normalized using the “insert” and “remove” keywords and stored in a list, as shown below.

Figure 3 – Obfuscated Base64 encoded streams

Next, the malware iterates through the list of normalized Base64 elements, concatenates, decodes them using [System.Convert]::FromBase64String method, and finally performs the gzip decompression operation using the [System.IO.Compression.CompressionMode]::Decompress method. The gzip decompressed data contains the second stage of the PowerShell script, which is further executed by the “Invoke-Expression”, as shown below.

Figure 4 – Decompressing and invoking Second stage PowerShell script

Second Stage PowerShell Loader

This PowerShell script contains a large code block that loads the embedded DLL payload into the memory of “powershell.exe”. The second stage PowerShell code also employs the same obfuscation technique used in the first stage, as shown below.

Figure 5 – Obfuscated Second stage PowerShell script

The malware utilizes the PowerSploit module for its execution. The PowerSploit is an open-source post-exploitation framework in which the malware uses a method, Invoke-ReflectivePEInjection, for reflectively loading the DLL into the PowerShell Process. This methodvalidates the embedded file and performs multiple checks to ensure that the file is loaded properly on the executing system.

The image below shows the code similarities between the second stage PowerShell script present in the memory of “PowerShell.exe” and the Invoke-ReflectivePEInjection code from GitHub.

Figure 6 – Code similarities

The second stage PowerShell script contains a byte array in which the first byte is replaced with 0x4d to get the actual PE DLL file, as shown below. This DLL file is the final Bumblebee payload that performs other malicious activities.

Figure 7 – Embedded payload

The image below showcases the DLL payload (LdrAddx64.dll) injected into the memory of Powershell process by using the Invoke-ReflectivePEInjection function. The DLL is reflectively loaded and avoids detection by tools used to identify the DLLs of the active/running processes.

Figure 8 – Presence of injected DLL in PowerShell memory

Bumblebee payload

Figure 9 shows the file information of the final Bumblebee malware payload. Based on our static analysis, we found that the payload is a 64-bit, DLL binary compiled with a Microsoft Visual C/C++ compiler.

Figure 9 – Payload file details

In June 2022, we published a technical blog on the Bumblebee loader. Our research indicates that the payload behaviour of the current variant under our analysis is similar to the one we analyzed earlier.


Bumblebee, a recently developed malware loader, has quickly become a key component in a wide range of cyberattacks, besides replacing the existing BazarLoader. In an attempt to stay a step ahead of cybersecurity entities, Threat Actors (TAs) are constantly adapting new techniques and continuously monitoring to stay updated on the defense mechanisms employed by enterprises. Similarly, TAs behind the sophisticated Bumblebee loader keep updating its capabilities in order to strengthen its evasive maneuvers and anti-analysis tricks.

CRIL has been closely monitoring the Bumblebee malware group and other similar TA groups for a better understanding of their motivations and keeping our readers well-informed on the latest cybercrime news and cybersecurity challenges.

Our Recommendations

  • Refrain from opening untrusted links and email attachments without first verifying their authenticity.
  • Educate employees in terms of protecting themselves from threats like phishing’s/untrusted URLs.
  • Avoid downloading files from unknown websites.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices.
  • Use a reputed antivirus and internet security software package on your connected devices, including PC, laptop, and mobile.
  • Block URLs that could spread the malware, e.g., Torrent/Warez.
  • Monitor the beacon on the network level to block data exfiltration by malware or TAs.
  • Enable Data Loss Prevention (DLP) Solutions on the employees’ systems.

MITRE ATT&CK® Techniques

TacticTechnique IDTechnique Name
Initial AccessT1566Phishing
User Execution
Privilege EscalationT1574
DLL Side-Loading
Process Injection
Defence EvasionT1027
Obfuscated Files or Information
Virtualization/Sandbox Evasion
DLL Side-Loading
Query Registry
System Information Discovery
Security Software Discovery

Indicators Of Compromise (IoC)

VHD file
LNK file
PS1 file – Stage 1
PS1 file – Stage 2
c0f43d1d3e87b0e8b86b4b9e91cb55b4a1893b48 9bd9da44cc2d259b8c383993e2e05bbe1bcdac917db563b94e824b4b1628e87c
Bumblebee  DLL
Scroll to Top