Bumblebee Loader Pairs with Quantum Ransomware

Industry: N/A | Level: Tactical | Source: Kroll

Kroll's Cyber Risk tracking of Bumblebee loader has identified the malware used in Quantum Locker's ransomware campaigns. Bumblebee loader had been used as the initial infection to download Cobalt Strike. The attackers were able to compromise the victim's environment and launch the ransomware within 22 hours. The campaigns launched have involved phishing emails or web contact forms, delivering the Bumblebee payload within an ISO file containing a shortcut (LNK) and DLL file. The execution of the DLL file triggers the DLL file, to download Bumblebee with persistence created through a scheduled task. Bumblebee is developed with many features that include the use of Windows Management Instrumentation (WMI) to initiate reconnaissance, run commands with PowerShell and/or Wscript, inject itself into a process, and communicate with the attacker's command and control server.

Anvilogic Scenario:

• Bumblebee Loader - Initial Infection

Anvilogic Use Cases:

• Symbolic OR Hard File Link Created
• Create/Modify Schtasks
• Rundll32 Command Line
• Rare Remote Thread
• WinRM Tools
• Suspicious Executable by Powershell