A Guided Defense Strategy Against the Rising Bumblebee Malware Loader
The Anvilogic Forge team spotlights the Bumblebee malware loader to figure out the buzz surrounding this active threat. The malware was named by the security researchers who discovered it, after the “Bumblebee” user-agent string used in early campaigns. Since its emergence in March 2022, it has become the malware loader of choice for threat actors and is recognized as the replacement for Bazarloader: no new Bazarloader samples have been observed since February 2022, and Bumblebee has been tracked in the kinds of campaigns in which Bazarloader was typically seen.
Operators using other loaders such as IcedID and Trickbot may shift to Bumblebee as well. Malware loaders are commonly used by threat actors to gain initial access and to deploy the more prominent tools needed for their intrusion. Threat actors observed using Bumblebee include the initial access broker Exotic Lily/Projector Libra, Conti, and Quantum ransomware operators. Bumblebee is often delivered through phishing emails as an archive file, typically a compressed ZIP file, a disk image (IMG) file, and/or an optical disk image (ISO) file. Threat actors transitioned to container files in 2022 after Microsoft disabled macros by default, closing this once popular exploitation channel. Shortcut (LNK) files are commonly bundled in the container files to covertly run the commands that start the threat actor’s infection chain through a living-off-the-land binary (LOLBin).
Knowing When to Buzz Off
Bumblebee extracts itself into memory, decrypts, and execution begins at the DLL’s main function. The malware then performs anti-analysis checks to determine whether it is running in a virtual environment: it looks for files, registry keys, and processes associated with virtual machines (VMs), as well as process names indicative of emulation tools.
When the Sting Hits, Analyzing A Bumblebee Attack
A network attack we want to explore is shared by The DFIR Report, “BumbleBee: Round Two”, which documents a Bumblebee intrusion spanning just over 12 hours. Our step-by-step analysis of the attack follows the behaviors initiated by the operators to provide analytics for each stage of the attack. Detecting the Bumblebee malware itself is not our goal, as indicators of compromise (IOCs) hold limited strategic value. Instead, our analysis focuses on threat behaviors, as our detection strategy homes in on the tasks an attacker must complete to achieve their actions on objective. This walkthrough covers typical post-exploitation tactics observed with Bumblebee involving shell execution, command and control, reconnaissance, credential access, lateral movement, persistence, and privilege escalation.
By combining The DFIR Report’s incredibly detailed “BumbleBee: Round Two” report with the newly released Attack Flow project from MITRE’s Center for Threat-Informed Defense (CTID), we’ve created a flow diagram to illustrate the intrusion. The initiative launched by CTID enables a network of security practitioners to improve their organizations’ defensive posture against adversaries by understanding the attacker’s attack sequence. Using their easy-to-use attack flow builder, the intrusion documented by The DFIR Report can be visualized with the timestamps provided by DFIR and MITRE ATT&CK mappings.
Initial Execution of Bumblebee & Rundll32
The intrusion begins at 12:05 UTC, when Bumblebee is delivered from an ISO file containing a shortcut and a hidden DLL file. The shortcut file executes the Bumblebee payload using the rundll32 LOLBin. Various detection opportunities are available here, as defenders can create analytics to detect (1) the creation of an LNK file, (2) a DLL file being written to disk, and/or (3) a suspicious execution of rundll32.
Forge Detection Insight: 12:05 UTC - Bumblebee execution
Bumblebee Initial Execution: ISO Mounted and LNK Executed
T1547.009: Persistence: Boot or Logon Autostart Execution: Shortcut Modification
With Windows Event Logs, process creation events can be identified under event code 4688 or under a vendor’s equivalent process events. Additionally, the term “mklink” is relevant to the creation of symbolic or hard links and is useful for the alert logic.
Dropping the Bumblebee DLL
T1105: Command and Control: Ingress Tool Transfer
Windows event code 4656 aids in the discovery of requests made for an object handle. In our query, we hunt for DLL or VBS files that are not referenced in delete operations. Depending on your environment and the noise level of the analytic, a tuning recommendation is to count, per process, the distinct file paths involved.
Rundll32 executes DLL
T1218.011 Defense Evasion: System Binary Proxy Execution: Rundll32
The malicious DLL containing the Bumblebee payload is executed using rundll32. A process creation event can identify rundll32 executions from their command line arguments.
WMI Call for Process Injection
T1047 Execution: Windows Management Instrumentation
To set up process injection, WMI and COM function calls were used to start a process for Bumblebee to inject itself into.
Process injection
T1055 Defense Evasion: Process Injection
Sysmon data extends the logging capabilities of Windows event logs, supplying detailed monitoring of system events for enhanced visibility. For the new process created via WMI, the process injection can be detected with System Monitor (Sysmon) event ID 8, which records “CreateRemoteThread” events.
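A correlation of the two preceding steps (the WMI-started process and the Sysmon event ID 8 thread creation into it), as an added example that is not part of the Anvilogic post. It assumes, as is the typical case for `Win32_Process` creation over WMI, that the WMI-spawned process shows up in 4688 with `WmiPrvSE.exe` as its parent; the 4688 field names are our own simplification, while the Sysmon fields (`SourceImage`, `TargetProcessId`, ...) follow Sysmon's event schema. All images, PIDs and timestamps are constructed, and the target process name is a placeholder.

```python
from datetime import datetime, timedelta

# Constructed sample events. 4688 records are process creations (simplified fields of our own);
# Sysmon EventID 8 records are CreateRemoteThread events using Sysmon's own field names.
SAMPLE_EVENTS = [
    {"source": "security", "event_id": 4688, "time": "2022-01-01T12:10:02", "host": "WS01",
     "pid": 4412, "image": r"C:\Windows\System32\injected_host.exe",  # placeholder target name
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"source": "security", "event_id": 4688, "time": "2022-01-01T12:10:05", "host": "WS01",
     "pid": 5120, "image": r"C:\Windows\System32\conhost.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    # the loader's thread lands in the WMI-spawned process seven seconds later
    {"source": "sysmon", "event_id": 8, "time": "2022-01-01T12:10:09", "host": "WS01",
     "SourceProcessId": 3308, "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetProcessId": 4412, "TargetImage": r"C:\Windows\System32\injected_host.exe",
     "StartFunction": "-"},
    # a remote thread from a (constructed) security agent into an unrelated process
    {"source": "sysmon", "event_id": 8, "time": "2022-01-01T12:10:30", "host": "WS01",
     "SourceProcessId": 900, "SourceImage": r"C:\Program Files\EDR\sensor.exe",
     "TargetProcessId": 5120, "TargetImage": r"C:\Windows\System32\conhost.exe",
     "StartFunction": "LoadLibraryW"},
]

WMI_HOST = r"\wmiprvse.exe"
WINDOW = timedelta(minutes=10)


def wmi_spawned_processes(events):
    """Map (host, pid) -> creation time for processes whose parent is the WMI provider host."""
    spawned = {}
    for ev in events:
        if ev.get("event_id") == 4688 and ev["parent_image"].lower().endswith(WMI_HOST):
            spawned[(ev["host"], ev["pid"])] = datetime.fromisoformat(ev["time"])
    return spawned


def all_remote_threads(events):
    """The uncorrelated view: every Sysmon 8 record, for comparison."""
    return [ev for ev in events if ev.get("source") == "sysmon" and ev.get("event_id") == 8]


def remote_threads_into_wmi_children(events, window=WINDOW):
    """Sysmon 8 records whose target was created by WMI at most `window` earlier."""
    spawned = wmi_spawned_processes(events)
    hits = []
    for ev in all_remote_threads(events):
        key = (ev["host"], ev["TargetProcessId"])
        if key not in spawned:
            continue
        delta = datetime.fromisoformat(ev["time"]) - spawned[key]
        if timedelta(0) <= delta <= window:
            hits.append({"host": ev["host"], "source": ev["SourceImage"],
                         "target": ev["TargetImage"],
                         "seconds_after_spawn": int(delta.total_seconds())})
    return hits


if __name__ == "__main__":
    print(len(all_remote_threads(SAMPLE_EVENTS)), "CreateRemoteThread events in total")
    for hit in remote_threads_into_wmi_children(SAMPLE_EVENTS):
        print(hit)
```

Event ID 8 on its own fires for debuggers, security agents and some installers; tying the target back to a process that WMI started moments earlier is what turns it into the specific behavior this stage describes.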
Forge Detection Insight: 12:19 UTC - 12:27 UTC Meterpreter Shells
T1059 - Execution: Command and Scripting Interpreter
Multiple instances of Meterpreter shells were used for command execution. Our analytic focuses on specific behaviors related to Meterpreter shells and key terms.
- 4625: Failed login attempt
- 5140: Access was made to network share object
- 5156: A connection was granted by the Windows Filtering Platform
Forge Detection Insight: 12:28 to 12:57 UTC Discovery Commands from Meterpreter Sessions
T1482 Discovery: Domain Trust Discovery & T1135 Discovery: Network Share Discovery
Despite being noisy threat identifiers, detecting the use of reconnaissance tools can be helpful for analysis. In our query, we alert on process creation events containing specific terms native to system and network discovery.
Information on admin accounts is gathered from the host’s Active Directory. The process creation query can be tweaked to identify commands commonly associated with Active Directory.
Many tools legitimately used by system administrators, such as the NetBIOS utilities, can be abused by threat actors for system reconnaissance. Our process creation query can be used to identify events specifying “nbtstat.”
Forge Detection Insight: 18:26 UTC - 18:27 UTC Cobalt Strike executes and initiates reconnaissance
T1071 Command and Control: Application Layer Protocol & T1482 Discovery: Account Discovery
Cobalt Strike activity can be tricky to identify. However, the security community has recommendations from sources such as Red Canary, the MITRE Center for Threat-Informed Defense (CTID), and SANS Digital Forensics and Incident Response, to name a few. The most commonly suggested analytic is to look for the default named-pipe configurations. The majority of Cobalt Strike attacks use default configurations, so we can leverage this knowledge in our analytics by matching those commonly used named pipes in the Sysmon event for “Pipe created” and event ID 18 for “Pipe connected.”
The threat actors continue to scour the environment, querying Active Directory information. We can reuse our previously developed Active Directory reconnaissance analytic to spot this activity.
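The named-pipe analytic described above, as an added example that is not part of the Anvilogic post. The records use Sysmon's own field names for event ID 17 (Pipe Created) and 18 (Pipe Connected); the pipe name patterns are the widely documented Cobalt Strike defaults of the kind the referenced Sigma rule and CTID plan enumerate, written here from memory, so check them against the current rule before deploying. Images and pipe names in the sample are constructed.

```python
import re

# Constructed sample records in Sysmon's field names for EventID 17 (Pipe Created)
# and 18 (Pipe Connected).
SAMPLE_EVENTS = [
    {"EventID": 17, "Image": r"C:\Windows\System32\rundll32.exe", "PipeName": r"\MSSE-1337-server"},
    {"EventID": 18, "Image": r"C:\Windows\System32\rundll32.exe", "PipeName": r"\MSSE-1337-server"},
    {"EventID": 17, "Image": r"C:\Windows\System32\svchost.exe", "PipeName": r"\postex_a1b2"},
    # the real print spooler pipe has no "_xx" suffix, unlike the Cobalt Strike look-alike
    {"EventID": 17, "Image": r"C:\Windows\System32\spoolsv.exe", "PipeName": r"\spoolss"},
    # a genuine Chrome mojo pipe; only the fixed 5688.8052 pair is the default beacon pattern
    {"EventID": 17, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "PipeName": r"\mojo.1234.5678.987654321"},
    {"EventID": 18, "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "PipeName": r"\msagent_7f"},
]

# Default pipe names documented for Cobalt Strike beacons and post-exploitation jobs
# (compiled from public reporting; verify against the Sigma rule you deploy).
DEFAULT_PIPE_PATTERNS = [
    r"\\MSSE-\d{1,4}-server$",
    r"\\postex_[0-9a-f]{4}$",
    r"\\postex_ssh_[0-9a-f]{4}$",
    r"\\msagent_[0-9a-f]{2}$",
    r"\\status_[0-9a-f]{2}$",
    r"\\mojo\.5688\.8052\.\d+$",
    r"\\wkssvc_[0-9a-f]{2}$",
    r"\\ntsvcs_[0-9a-f]{2}$",
    r"\\spoolss_[0-9a-f]{2}$",
    r"\\DserNamePipe[0-9a-f]{2}$",
    r"\\SearchTextHarvester[0-9a-f]{2}$",
    r"\\win_svc$",
]
COBALT_PIPE = re.compile("(?i)(?:" + "|".join(DEFAULT_PIPE_PATTERNS) + ")")


def cobalt_strike_pipe_events(events):
    """Sysmon 17/18 records whose pipe name matches a default Cobalt Strike pattern."""
    hits = []
    for ev in events:
        if ev.get("EventID") in (17, 18) and COBALT_PIPE.search(ev["PipeName"]):
            hits.append((ev["EventID"], ev["Image"], ev["PipeName"]))
    return hits


def pipes_by_image(events):
    """Triage view: which process created or connected to which suspicious pipes."""
    summary = {}
    for _, image, pipe in cobalt_strike_pipe_events(events):
        summary.setdefault(image, set()).add(pipe)
    return {image: sorted(pipes) for image, pipes in summary.items()}


if __name__ == "__main__":
    for image, pipes in pipes_by_image(SAMPLE_EVENTS).items():
        print(image, pipes)
```

Anchoring every pattern to the end of the pipe name and requiring the exact hex-suffix width is what keeps the legitimate `\spoolss` and Chrome's own mojo pipes out of the results while still catching the defaults; operators who change the malleable profile will not be caught by this analytic, which is why the post pairs it with the behavioral ones.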
Forge Detection Insight: 18:31 UTC Credential dump with procdump and collection
T1003.001 Credential Access: OS Credential Dumping: LSASS Memory
Credentials were obtained by dumping the LSASS process using Sysinternals ProcDump. Our detection analytic monitors for process events containing both procdump and lsass. To tighten the analytic, we can implement thresholds alongside our regular expression query.
Forge Detection Insight: 18:53 UTC Lateral Movement to Server via RDP and Anydesk install
T1021.001 Lateral Movement: Remote Services: Remote Desktop Protocol & T1219 Command and Control: Remote Access Software
After obtaining credentials in the environment, the operators moved laterally through the network using the Remote Desktop Protocol (RDP) and the remote access software AnyDesk. Windows event code 5156 pinpoints connections allowed by the Windows Filtering Platform, so the RDP port 3389 or mentions of the term RDP can be used in our analytic to isolate RDP connections in the network.
- 5156: A connection was granted by the Windows Filtering Platform
Detection for AnyDesk can take several avenues; a common use case is the software being spawned from a scripting interpreter such as cmd.exe or PowerShell. Process creation events carrying both process names can be used to identify activity in which they are initiated together.
Forge Detection Insight: 19:00 UTC User Added for Persistence on Server
T1136.002 Persistence: Create Account: Domain Account
To maintain persistence, the operators created a new account in the environment. Several Windows event codes specific to account creation are useful in our detection analytic.
- 4688: Process created with net.exe adding a new account
- 4720: A new user account was created
- 4732: A new member has been added to the security-enabled local group
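The three event codes listed above, correlated into one account-persistence analytic, as an added example that is not part of the Anvilogic post. The field names (`TargetUserName`, `TargetSid`, `MemberSid`, `SubjectUserName`, `CommandLine`) follow the Windows Security event data for 4688, 4720 and 4732; the time/host envelope, account names and SIDs are constructed, and the password in the `net user` command line is a placeholder.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records; field names follow the Windows Security event data for
# 4688 / 4720 / 4732 inside a simplified "time"/"host" envelope of our own. SIDs are made up.
SAMPLE_EVENTS = [
    {"time": "2022-01-01T19:00:01", "host": "SRV01", "EventID": 4688, "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user svc_backup [redacted] /add"},
    {"time": "2022-01-01T19:00:02", "host": "SRV01", "EventID": 4720, "SubjectUserName": "jdoe",
     "TargetUserName": "svc_backup", "TargetSid": "S-1-5-21-1111-2222-3333-1105"},
    {"time": "2022-01-01T19:00:03", "host": "SRV01", "EventID": 4688, "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\net.exe",
     "CommandLine": "net localgroup administrators svc_backup /add"},
    # 4732 often carries only the member SID, so the join to 4720 is done on the SID
    {"time": "2022-01-01T19:00:04", "host": "SRV01", "EventID": 4732, "SubjectUserName": "jdoe",
     "TargetUserName": "Administrators", "MemberName": "-",
     "MemberSid": "S-1-5-21-1111-2222-3333-1105"},
    # a normal onboarding: created by the provisioning service and never elevated
    {"time": "2022-01-01T09:15:00", "host": "DC01", "EventID": 4720, "SubjectUserName": "provisioning_svc",
     "TargetUserName": "new.hire", "TargetSid": "S-1-5-21-1111-2222-3333-1106"},
    # an existing account added to a group: no matching recent creation
    {"time": "2022-01-01T09:20:00", "host": "DC01", "EventID": 4732, "SubjectUserName": "admin",
     "TargetUserName": "Remote Desktop Users", "MemberName": "-",
     "MemberSid": "S-1-5-21-1111-2222-3333-1042"},
]

NET_ADD_USER = re.compile(r"(?i)\bnet(?:1)?(?:\.exe)?\s+user\s+(\S+)\s.*/add\b")


def net_user_add_commands(events):
    """4688 records where net.exe is used to add an account: (host, account)."""
    hits = []
    for ev in events:
        if ev.get("EventID") == 4688 and ev["NewProcessName"].lower().endswith((r"\net.exe", r"\net1.exe")):
            m = NET_ADD_USER.search(ev["CommandLine"])
            if m:
                hits.append((ev["host"], m.group(1)))
    return hits


def new_account_added_to_group(events, window=timedelta(minutes=5)):
    """4720 followed within `window` by a 4732 whose member SID is the newly created account."""
    created = {}
    for ev in events:
        if ev.get("EventID") == 4720:
            created[(ev["host"], ev["TargetSid"])] = ev
    hits = []
    for ev in events:
        if ev.get("EventID") != 4732:
            continue
        origin = created.get((ev["host"], ev["MemberSid"]))
        if origin is None:
            continue
        delta = datetime.fromisoformat(ev["time"]) - datetime.fromisoformat(origin["time"])
        if timedelta(0) <= delta <= window:
            hits.append({"host": ev["host"], "account": origin["TargetUserName"],
                         "group": ev["TargetUserName"], "created_by": origin["SubjectUserName"],
                         "seconds_after_creation": int(delta.total_seconds())})
    return hits


if __name__ == "__main__":
    print(net_user_add_commands(SAMPLE_EVENTS))
    print(new_account_added_to_group(SAMPLE_EVENTS))
```

4720 alone fires on every onboarding, and 4732 alone on routine group changes; a new account that lands in a security-enabled group within minutes of its creation is the persistence pattern worth an alert, and joining on the SID avoids depending on the member name that 4732 frequently leaves as "-".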
Forge Detection Insight: 19:09 UTC AdFind executed for system reconnaissance
T1087.002 Discovery: Account Discovery: Domain Account
For additional reconnaissance, AdFind was executed to gather Active Directory data. We have two analytic suggestions: one focuses on the execution of AdFind, and the second attempts to identify common commands issued with AdFind. An added parameter in our process creation analytic is the “ingress.event.procstart” string, which helps identify the process launch.
AdFind Execution Analytic
AdFind Commands Analytic
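The two AdFind analytics named above, as an added example that is not part of the Anvilogic post: one keys on the binary name, the other on argument patterns so a renamed copy is still caught. The records are constructed 4688-style process creations in a simplified schema of our own (the post's `ingress.event.procstart` field belongs to a specific EDR schema and is not modelled here); the AdFind switches used (`-f`, `-sc trustdmp`, `-subnets`, `-gcb`, `-h`, `-b`) are real AdFind options.

```python
import re

# Constructed 4688-style process creation records (simplified schema of our own).
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Users\Public\adfind.exe",
     "command_line": r'adfind.exe -f "objectcategory=person"'},
    # renamed binary: the image name gives nothing away, the arguments still do
    {"host": "WS01", "image": r"C:\Users\Public\af.exe", "command_line": r"af.exe -gcb -sc trustdmp"},
    # AdFind by name with switches the argument list below does not cover
    {"host": "WS01", "image": r"C:\Users\Public\adfind.exe",
     "command_line": r"adfind.exe -h dc01.corp.local -b dc=corp,dc=local"},
    # an unrelated native directory query
    {"host": "WS01", "image": r"C:\Windows\System32\dsquery.exe", "command_line": "dsquery user -limit 0"},
]

ADFIND_NAME = re.compile(r"(?i)\badfind(?:\.exe)?\b")
# Argument fingerprints commonly seen with AdFind in intrusion reporting.
ADFIND_ARGUMENTS = [
    re.compile(r"(?i)objectcategory=(?:person|computer|group|organizationalunit|subnet)"),
    re.compile(r"(?i)-sc\s+trustdmp\b"),
    re.compile(r"(?i)\s-subnets\b"),
    re.compile(r"(?i)\s-gcb\b"),
]


def adfind_named(event):
    """Execution analytic: AdFind referenced by image name or in the command line."""
    return bool(ADFIND_NAME.search(event["image"]) or ADFIND_NAME.search(event["command_line"]))


def adfind_argument_matches(event):
    """Commands analytic: number of AdFind-typical argument patterns present."""
    return sum(1 for pat in ADFIND_ARGUMENTS if pat.search(event["command_line"]))


def adfind_findings(events):
    """(event index, reasons) for every record either analytic flags."""
    findings = []
    for i, ev in enumerate(events):
        reasons = []
        if adfind_named(ev):
            reasons.append("adfind_image_or_cmd")
        n = adfind_argument_matches(ev)
        if n:
            reasons.append(f"adfind_arguments:{n}")
        if reasons:
            findings.append((i, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for idx, reasons in adfind_findings(SAMPLE_EVENTS):
        print(reasons, SAMPLE_EVENTS[idx]["command_line"])
```

Running both analytics side by side is the point: the name-based rule catches the default binary, the argument-based rule catches the renamed one, and an event hitting both is the strongest signal.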
Forge Detection Insight: 19:13 UTC AnyDesk used to browse files
T1219 Command and Control: Remote Access Software
Many popular remote access tools can be deployed by threat actors to move through the victim’s environment. AnyDesk, deployed here, is just one example; a list of well-known remote access tools is included in our analytics below to detect process creation events for those applications. Alerts on these applications are particularly interesting if your organization denylists them.
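The remote access tool analytic from this section together with the interpreter-spawned AnyDesk case from the earlier lateral movement section, as an added example that is not part of the Anvilogic post. The tool list is our own short selection of well-known products, not the post's list; the records are constructed 4688-style process creations in a simplified schema of our own, and the organization denylist is a parameter you supply.

```python
import re

# Constructed 4688-style process creation records (simplified schema of our own).
SAMPLE_EVENTS = [
    # AnyDesk started from cmd.exe, the pattern the post calls out
    {"host": "SRV01", "image": r"C:\Users\Public\AnyDesk.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "command_line": r"C:\Users\Public\AnyDesk.exe"},
    # AnyDesk started interactively from explorer.exe
    {"host": "WS02", "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"'},
    # a different tool, interesting only if the organization denylists it
    {"host": "WS02", "image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Program Files\TeamViewer\TeamViewer.exe"'},
    {"host": "WS02", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "chrome.exe"},
]

# A short selection of well-known remote access tools (our own list, not the post's).
REMOTE_ACCESS_TOOLS = {
    "anydesk": re.compile(r"(?i)\banydesk(?:\.exe)?\b"),
    "teamviewer": re.compile(r"(?i)\bteamviewer(?:\.exe)?\b"),
    "screenconnect": re.compile(r"(?i)screenconnect"),
    "splashtop": re.compile(r"(?i)splashtop"),
    "logmein": re.compile(r"(?i)\blogmein"),
    "rustdesk": re.compile(r"(?i)\brustdesk"),
}
INTERPRETERS = (r"\cmd.exe", r"\powershell.exe", r"\pwsh.exe", r"\wscript.exe", r"\cscript.exe")


def classify_remote_access(event, denylist=frozenset()):
    """(tool, reasons) if the image or command line names a known tool, else None."""
    text = event["image"] + " " + event.get("command_line", "")
    for tool, pattern in REMOTE_ACCESS_TOOLS.items():
        if pattern.search(text):
            reasons = []
            if event["parent_image"].lower().endswith(INTERPRETERS):
                reasons.append("spawned_by_interpreter")
            if tool in denylist:
                reasons.append("denylisted")
            return tool, reasons
    return None


def remote_access_alerts(events, denylist=frozenset()):
    """(event index, tool, severity, reasons); plain launches are kept at 'info'."""
    alerts = []
    for i, ev in enumerate(events):
        found = classify_remote_access(ev, denylist)
        if found:
            tool, reasons = found
            alerts.append((i, tool, "high" if reasons else "info", tuple(reasons)))
    return alerts


if __name__ == "__main__":
    for alert in remote_access_alerts(SAMPLE_EVENTS, denylist=frozenset({"teamviewer"})):
        print(alert)
```

Every launch of a listed tool is recorded, but only the two conditions the post singles out, a scripting-interpreter parent or a tool the organization has denylisted, raise the severity; in an environment that sanctions AnyDesk, the interactive launch stays informational.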
Forge Detection Insight: 19:17 UTC Lateral Movement to Backup Server via RDP
T1021.001 Lateral Movement: Remote Services: Remote Desktop Protocol
Windows supplies various event codes identifying the connection status of a session on a workstation. We can leverage the session reconnect (4778) and disconnect (4779) events in our analytic to identify RDP logon and logoff events.
- 4778: A session connection has been reestablished
- 4779: A session connection has been disconnected
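The RDP analytics from this section and from the earlier lateral movement section (event 5156 filtered on port 3389, and 4778/4779 paired into sessions), as an added example that is not part of the Anvilogic post. Field names such as `DestPort`, `Protocol`, `AccountName`, `LogonID` and `ClientName` follow the Windows Security event data for 5156, 4778 and 4779; the time/host envelope, addresses and logon ids are constructed.

```python
from datetime import datetime

# Constructed sample records using the Windows Security field names for 5156 (WFP permitted
# a connection), 4778 (session reconnected) and 4779 (session disconnected).
SAMPLE_EVENTS = [
    {"time": "2022-01-01T18:53:00", "host": "SRV01", "EventID": 5156, "Direction": "Inbound",
     "Protocol": 6, "SourceAddress": "10.0.0.15", "DestAddress": "10.0.0.40", "DestPort": 3389,
     "Application": r"\device\harddiskvolume2\windows\system32\svchost.exe"},
    {"time": "2022-01-01T18:53:01", "host": "SRV01", "EventID": 5156, "Direction": "Inbound",
     "Protocol": 6, "SourceAddress": "10.0.0.15", "DestAddress": "10.0.0.40", "DestPort": 443,
     "Application": r"\device\harddiskvolume2\windows\system32\inetsrv\w3wp.exe"},
    {"time": "2022-01-01T18:53:05", "host": "SRV01", "EventID": 4778, "AccountName": "jdoe",
     "LogonID": "0x3E7A1", "ClientName": "WS01", "ClientAddress": "10.0.0.15"},
    {"time": "2022-01-01T19:05:05", "host": "SRV01", "EventID": 4779, "AccountName": "jdoe",
     "LogonID": "0x3E7A1", "ClientName": "WS01", "ClientAddress": "10.0.0.15"},
    # the hop to the backup server, still open at the end of the sample
    {"time": "2022-01-01T19:17:00", "host": "BACKUP01", "EventID": 4778, "AccountName": "jdoe",
     "LogonID": "0x51C2", "ClientName": "SRV01", "ClientAddress": "10.0.0.40"},
]

RDP_PORT = 3389
TCP = 6


def rdp_connections(events):
    """Inbound TCP connections permitted by the Windows Filtering Platform to the RDP port."""
    return [(ev["SourceAddress"], ev["DestAddress"]) for ev in events
            if ev.get("EventID") == 5156 and ev.get("DestPort") == RDP_PORT and ev.get("Protocol") == TCP]


def rdp_sessions(events):
    """Pair 4778/4779 by (host, account, logon id); a session without a 4779 has end=None."""
    sessions = {}
    session_events = (e for e in events if e.get("EventID") in (4778, 4779))
    for ev in sorted(session_events, key=lambda e: e["time"]):
        key = (ev["host"], ev["AccountName"], ev["LogonID"])
        if ev["EventID"] == 4778:
            sessions[key] = {"host": ev["host"], "account": ev["AccountName"],
                             "client": ev["ClientName"], "client_address": ev["ClientAddress"],
                             "start": ev["time"], "end": None, "minutes": None}
        elif key in sessions and sessions[key]["end"] is None:
            session = sessions[key]
            session["end"] = ev["time"]
            elapsed = datetime.fromisoformat(ev["time"]) - datetime.fromisoformat(session["start"])
            session["minutes"] = int(elapsed.total_seconds() // 60)
    return list(sessions.values())


def open_rdp_sessions(events):
    """Sessions that reconnected but never disconnected: where the operator still is."""
    return [s for s in rdp_sessions(events) if s["end"] is None]


if __name__ == "__main__":
    print(rdp_connections(SAMPLE_EVENTS))
    for session in rdp_sessions(SAMPLE_EVENTS):
        print(session)
```

The 5156 filter shows who reached the RDP port, while the 4778/4779 pairing shows which account actually held a session and for how long; following `client_address` from one session's host to the next is how the hop from the server to the backup server becomes visible in the data.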
Forge Detection Insight: 00:14 UTC Batch Script executed for system reconnaissance
T1059.003 - Execution: Command and Scripting Interpreter: Windows Command Shell
Prior to being kicked off the environment by The DFIR Report researchers, the operators commenced a third round of enumeration. A batch script was deployed to attempt to ping all hosts in the environment. Our analytic logic looks for a process creation event in which an executable spawns a script file, tracked by its known extension.
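The script-extension analytic described above, plus a follow-on check for the ping burst such a script produces, as an added example that is not part of the Anvilogic post; the burst check goes beyond the post's analytic and is our own addition. The records are constructed 4688-style process creations in a simplified schema of our own, and the script path, PIDs and target addresses are made up.

```python
import re
from collections import Counter

# Constructed 4688-style process creation records (simplified schema of our own).
SAMPLE_EVENTS = [
    {"host": "WS01", "pid": 7788, "parent_pid": 1200, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'cmd.exe /c "C:\Users\Public\enum.bat"'},
    # five ping children of that cmd.exe, one per (constructed) target address
    *[{"host": "WS01", "pid": 8000 + n, "parent_pid": 7788, "image": r"C:\Windows\System32\PING.EXE",
       "parent_image": r"C:\Windows\System32\cmd.exe", "command_line": f"ping -n 1 10.0.0.{n}"}
      for n in range(1, 6)],
    # cmd.exe running a built-in rather than a script file
    {"host": "WS01", "pid": 9100, "parent_pid": 1200, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "cmd.exe /c ipconfig /all"},
]

SCRIPT_EXTENSIONS = (".bat", ".cmd", ".vbs", ".js", ".ps1")
INTERPRETERS = (r"\cmd.exe", r"\powershell.exe", r"\pwsh.exe", r"\wscript.exe", r"\cscript.exe")
TOKEN = re.compile(r'"([^"]+)"|(\S+)')  # quoted path or bare token


def script_launched(event):
    """The script file an interpreter was asked to run, or None."""
    if not event["image"].lower().endswith(INTERPRETERS):
        return None
    for m in TOKEN.finditer(event["command_line"]):
        token = m.group(1) or m.group(2)
        if token.lower().endswith(SCRIPT_EXTENSIONS):
            return token
    return None


def script_launches(events):
    """(event index, script path) for every interpreter launch of a script file."""
    hits = []
    for i, ev in enumerate(events):
        script = script_launched(ev)
        if script:
            hits.append((i, script))
    return hits


def ping_bursts(events, threshold=4):
    """Parents that spawned at least `threshold` ping.exe children: (host, parent pid, count)."""
    counts = Counter((ev["host"], ev["parent_pid"]) for ev in events
                     if ev["image"].lower().endswith(r"\ping.exe"))
    return [(host, ppid, n) for (host, ppid), n in counts.items() if n >= threshold]


if __name__ == "__main__":
    print(script_launches(SAMPLE_EVENTS))
    print(ping_bursts(SAMPLE_EVENTS))
```

Matching on the file extension catches the script regardless of its name or location, and counting ping children per parent process gives the second, behavior-based signal that distinguishes a sweep of the environment from a single connectivity test.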
Following the Honey Trail
The detection analytics we stepped through cover a large array of relevant threat activity across the MITRE ATT&CK framework. The detections are valuable on their own; however, using Anvilogic’s threat scenario builder, the attack chain can be incorporated into a single alert. The campaign we covered is certainly extensive; however, the stages in the scenario can be as long or as short as the availability of your analytics and your confidence in the reported intelligence allow. A short two-stage scenario can pair analytics that are noisy on their own; joined together, they provide a use case worth investigating.
The scenario does not have to follow a linear route; rather, it is flexible enough to accommodate different sections of the attack in groups while also taking into account lapses in time. This allows for wider analytic coverage depending on the activity in each stage and resilience against logging limitations where analytics are absent. By studying attack sequences from reported threat intelligence, we can develop a comprehensive analytic designed to track malicious behavior at the TTP level.
Threat intelligence in security is rich with well-researched reports breaking down the threats we have to defend our organizations against. The intelligence gathered should be incorporated into detection analytics to ensure detections are created or tuned to identify specific behaviors. Collaboration between threat research/intelligence and detection engineering is critical to a detection strategy that keeps up to date with the latest tactics, techniques, and procedures observed in the threat landscape. The resulting analytics and threat scenarios provide a stable long-term detection strategy, as we’re not chasing the next big threat but rather relying on an armory of detections focused on the core threat behaviors an attacker needs to achieve in order to complete their actions on objectives.
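A minimal threat-scenario correlator of the kind the two preceding paragraphs describe, as an added example that is not part of the Anvilogic post and not Anvilogic's scenario builder. It assumes each stage is a set of analytic names any one of which satisfies the stage, that stages are matched in order per host but may be skipped (so a missing analytic does not break the chain), and that consecutive matched stages must fall within a maximum time lapse; the stage names, analytic names and alerts are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# A scenario is an ordered list of stages; any one analytic in a stage satisfies it.
BUMBLEBEE_SCENARIO = [
    {"stage": "initial_execution", "any_of": {"rundll32_untrusted_dll", "dll_or_vbs_written", "mklink_invoked"}},
    {"stage": "shell_or_c2", "any_of": {"meterpreter_shell", "cobalt_strike_pipe", "remote_access_tool"}},
    {"stage": "discovery", "any_of": {"ad_recon", "nbtstat", "adfind"}},
    {"stage": "credential_access", "any_of": {"procdump_lsass"}},
    {"stage": "lateral_or_persistence", "any_of": {"rdp_session", "new_account_elevated"}},
]

# The short two-stage variant: two analytics that are noisy alone but telling together.
TWO_STAGE_SCENARIO = [BUMBLEBEE_SCENARIO[2], BUMBLEBEE_SCENARIO[3]]

# Constructed alerts (host, ISO time, analytic name), i.e. the outputs of per-stage analytics.
SAMPLE_ALERTS = [
    ("WS01", "2022-01-01T12:05:00", "rundll32_untrusted_dll"),
    ("WS01", "2022-01-01T18:26:00", "cobalt_strike_pipe"),
    ("WS01", "2022-01-01T18:27:00", "ad_recon"),
    ("WS01", "2022-01-01T18:31:00", "procdump_lsass"),
    ("SRV01", "2022-01-01T18:53:00", "rdp_session"),      # single stage on another host
    ("SRV02", "2022-01-01T09:00:00", "ad_recon"),         # one noisy analytic on its own
    ("WS03", "2022-01-01T12:00:00", "rundll32_untrusted_dll"),
    ("WS03", "2022-01-03T20:00:00", "procdump_lsass"),    # far outside the allowed lapse
]


def run_scenario(alerts, scenario, max_lapse=timedelta(hours=8), min_stages=2):
    """Per host, walk alerts in time order and advance through the scenario's stages.

    A stage may be skipped (a later stage's analytic still matches), but each matched
    stage must occur within `max_lapse` of the previously matched one. Hosts reaching
    at least `min_stages` matched stages produce a scenario hit."""
    by_host = defaultdict(list)
    for host, when, name in alerts:
        by_host[host].append((datetime.fromisoformat(when), name))
    hits = []
    for host, items in by_host.items():
        items.sort(key=lambda item: item[0])
        matched, next_stage, last_time = [], 0, None
        for when, name in items:
            stage_idx = next((k for k in range(next_stage, len(scenario))
                              if name in scenario[k]["any_of"]), None)
            if stage_idx is None:
                continue
            if last_time is not None and when - last_time > max_lapse:
                continue
            matched.append((scenario[stage_idx]["stage"], name, when))
            next_stage, last_time = stage_idx + 1, when
        if len(matched) >= min_stages:
            hits.append({"host": host,
                         "stages": [m[0] for m in matched],
                         "analytics": [m[1] for m in matched],
                         "first": matched[0][2].isoformat(),
                         "last": matched[-1][2].isoformat()})
    return hits


if __name__ == "__main__":
    for hit in run_scenario(SAMPLE_ALERTS, BUMBLEBEE_SCENARIO):
        print(hit)
    print(run_scenario(SAMPLE_ALERTS, TWO_STAGE_SCENARIO))
```

Allowing stages to be skipped is what gives the scenario resilience to an absent analytic, and the lapse limit is what keeps an old initial-execution alert from being chained to unrelated activity days later; the two-stage variant shows that the same engine serves the short, noisy-pair use case the text describes.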
About the Forge Author
Kevin Lo is a threat researcher for the Anvilogic Forge team, where he is responsible for threat research and intelligence.
Prior to Anvilogic, Kevin was a cybersecurity analyst at a US financial institution serving roles in digital forensics, cybersecurity operations, and detection engineering. Kevin currently resides in Albany, NY. He holds a Bachelor's degree from Syracuse University in Information Management & Technology with a concentration in Information Security. Kevin holds several cybersecurity certifications with GIAC and MITRE ATT&CK.
Happy to connect with you on LinkedIn!
References
- Cybereason: Bumblebee Loader – The High Road to Enterprise Domain Control: https://www.cybereason.com/blog/threat-analysis-report-Bumblebee-loader-the-high-road-to-enterprise-domain-control
- DFIR: Bumblebee Round Two: https://thedfirreport.com/2022/09/26/Bumblebee-round-two/
- MITRE CTID: Attack Flows: https://github.com/center-for-threat-informed-defense/attack-flow
- MITRE CTID: Micro Emulation Plans - Named Pipes: https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/v4.0/micro_emulation_plans/src/named_pipes
- Red Canary: Cobalt Strike: https://redcanary.com/threat-detection-report/threats/cobalt-strike/
- Sigma: pipe_created: https://github.com/SigmaHQ/sigma/blob/7fb8272f948cc0b528fe7bd36df36449f74b2266/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml
- Ultimate IT Security: Event Code reference: https://www.ultimatewindowssecurity.com/
- Unit42: Flight of the Bumblebee: Email Lures and File Sharing Services Lead to Malware: https://unit42.paloaltonetworks.com/Bumblebee-malware-projector-libra/