2022-08-23

Bumblebee Loader Not Losing Steam


Bumblebee Loader Infection Found in Phishing Emails

Industry: N/A | Level: Tactical | Source: Cybereason

The popularity of the Bumblebee loader has not slowed, as Cybereason's research on a recent campaign shows. Most Bumblebee infections begin with LNK files delivered to victim hosts through phishing emails. Behaviors typically seen from Bumblebee operators include extensive reconnaissance, discovery output written to a file, and compromise of Active Directory for lateral movement. In line with reports from Unit 42, the Bumblebee loader has become popular among threat actors, replacing previously common initial-access malware such as BazarLoader, TrickBot, and IcedID. Bumblebee's feature set also appears to be under active development, with new capabilities likely to follow. The infection documented by Cybereason spanned three days. Notable activity in the attack included reconnaissance, exploitation of Zerologon, credential theft from the registry, via ProcDump, and from NTDS.dit, and lateral movement with Cobalt Strike and RDP. Finally, Rclone was used for data exfiltration.

Anvilogic Scenarios:

  • Bumblebee Attack: Recon, ZeroLogon, Process Inj and Cred Theft
  • Bumblebee Attack: Credential Theft, Lateral Movement and Exfil

Anvilogic Use Cases:

  • WinRM Tools
  • ZeroLogon CVE-2020-1472
  • ProcDump Credential Harvest
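As an added illustration of the credential-theft behaviors named in the report (ProcDump against LSASS, registry hive export, NTDS.dit extraction), the following is example detection logic written for this summary, not code from Anvilogic or Cybereason; the process-creation events, hostnames, and rule names are constructed for the example.

```python
import re

# Constructed process-creation events (image path + command line) for the demo.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Tools\procdump64.exe",
     "cmdline": "procdump64.exe -ma lsass.exe lsass.dmp"},
    {"host": "dc01", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save HKLM\SAM C:\temp\sam.hiv"},
    {"host": "dc01", "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": r'ntdsutil "ac i ntds" "ifm" "create full C:\temp\ifm" q q'},
    # Benign lookalikes: a reg query and a ProcDump of a non-LSASS process.
    {"host": "ws02", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"host": "ws03", "image": r"C:\Tools\procdump64.exe",
     "cmdline": "procdump64.exe -ma myapp.exe myapp.dmp"},
]

# Each rule pairs an image-name pattern with a command-line pattern; both must hit.
# Hypothetical rule names, loosely modelled on the use cases listed above.
RULES = [
    ("ProcDump Credential Harvest",
     re.compile(r"procdump(64)?\.exe$", re.I),
     re.compile(r"\blsass\b", re.I)),
    ("Registry Hive Credential Theft",
     re.compile(r"\breg\.exe$", re.I),
     re.compile(r"\bsave\b.*HKLM\\(SAM|SECURITY|SYSTEM)\b", re.I)),
    ("NTDS.dit Extraction",
     re.compile(r"ntdsutil\.exe$", re.I),
     re.compile(r"\bifm\b|\bntds\b", re.I)),
]


def classify(event):
    """Return the first matching rule name for one event, or None if benign."""
    for name, image_re, cmd_re in RULES:
        if image_re.search(event["image"]) and cmd_re.search(event["cmdline"]):
            return name
    return None


def detect(events):
    """Run all rules over a batch of events and return (host, rule) hits in order."""
    return [(e["host"], name) for e in events if (name := classify(e))]


if __name__ == "__main__":
    for host, rule in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

Real telemetry should also carry the parent process and user, since `reg save` and ProcDump have legitimate administrative uses and the parent chain (for example an Office process or a Cobalt Strike beacon) is what separates the Bumblebee pattern from routine maintenance.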
