2022-07-19

Bumblebee Loader Incorporated into New Ransomware Operations

Industry: N/A | Level: Tactical | Source: Symantec

Symantec's Threat Hunter team has identified the incorporation of the Bumblebee loader into many ransomware operations, including Conti and Quantum. The transition to the loader may have been "pre-planned" as a replacement for TrickBot and BazarLoader. Symantec has shared a Quantum intrusion that used Bumblebee: the loader arrived through a phishing email carrying an ISO file that contained the malicious Bumblebee DLL and an LNK file. The LNK file executes the Bumblebee DLL via rundll32.exe, which then contacts the attacker's command and control (C2) server. The attacker established persistence on the victim host with a scheduled task that runs a VBS file. A few hours later, Cobalt Strike was dropped on the host and system reconnaissance began with the "systeminfo" command and the AdFind tool. Ransomware encryption followed shortly thereafter.

Anvilogic Scenario:

  • Bumblebee Loader & Quantum - Infection Activity

Anvilogic Use Cases:

  • Create/Modify Schtasks
  • WMI subscription execution
  • Common Reconnaissance Commands
  • Adfind Commands
  • Adfind Execution
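As an added example (not code from the Symantec report or from Anvilogic), the following Python mirrors the use cases above as one rule per technique in the described chain, runs them over constructed process-creation events, and then applies scenario-style logic that only raises when several distinct stages fire on the same host; the drive letter, task name and file paths in the sample events are assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    parent: str   # parent process image name
    image: str    # process image name
    cmdline: str  # full command line

DLL_PATH = re.compile(r'([a-z]:\\[^\s,"]+\.dll)', re.I)

def rundll32_nonstandard_dll(e):
    # Bumblebee stage: the LNK runs rundll32.exe against a DLL sitting on the
    # mounted ISO (or another user-writable path) rather than under C:\Windows.
    if not e.image.lower().endswith("rundll32.exe"):
        return False
    m = DLL_PATH.search(e.cmdline)
    return bool(m) and not m.group(1).lower().startswith("c:\\windows\\")

def schtasks_vbs_persistence(e):
    # Persistence stage: scheduled task whose action runs a VBS file.
    c = e.cmdline.lower()
    return e.image.lower().endswith("schtasks.exe") and "/create" in c and ".vbs" in c

def systeminfo_recon(e):
    return e.image.lower().endswith("systeminfo.exe")

def adfind_recon(e):
    return "adfind" in (e.image + " " + e.cmdline).lower()

# Use-case style rules: one detection per technique in the chain.
RULES = {
    "rundll32 DLL outside C:\\Windows": rundll32_nonstandard_dll,
    "schtasks /create running VBS": schtasks_vbs_persistence,
    "systeminfo reconnaissance": systeminfo_recon,
    "AdFind execution": adfind_recon,
}

def detect(events):
    """Return (rule_name, cmdline) for every event that trips a rule."""
    return [(name, e.cmdline) for e in events for name, rule in RULES.items() if rule(e)]

def chain_matched(hits, min_stages=3):
    """Scenario-style logic: alert only when several distinct stages fire together."""
    return len({name for name, _ in hits}) >= min_stages

SAMPLE = [  # constructed events; paths and names are assumptions, not report IoCs
    ProcEvent("explorer.exe", "rundll32.exe", r"rundll32.exe D:\documents.dll,#1"),
    ProcEvent("svchost.exe", "rundll32.exe", r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    ProcEvent("rundll32.exe", "schtasks.exe", r'schtasks /create /tn "Updater" /tr "wscript.exe C:\Users\Public\upd.vbs" /sc minute /mo 30'),
    ProcEvent("cmd.exe", "systeminfo.exe", "systeminfo"),
    ProcEvent("cmd.exe", "adfind.exe", "adfind.exe -f objectcategory=computer"),
    ProcEvent("cmd.exe", "whoami.exe", "whoami"),
]

if __name__ == "__main__":
    for name, cmd in detect(SAMPLE):
        print(f"[{name}] {cmd}")
    print("chain matched:", chain_matched(detect(SAMPLE)))
```

The benign shell32.dll launch is included to show that the rundll32 rule keys on where the DLL lives, not on rundll32 itself.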
