BumbleBee Malware Continues to Grow

Industry: N/A | Level: Tactical | Source: Cyble

Researchers from Cyble Research & Intelligence Labs (CRIL) have discovered another infection chain associated with Bumblebee Loader malware. Delivered through a spam campaign, this iteration utilizes a Virtual Hard Disk (VHD) as a container for two malicious files, an LNK shortcut file, and a PowerShell script (PS1) that's initially hidden. The LNK file contains the command to execute the PS1 script, which has been coded to run in the background and to evade detection from anti-virus scanners. "The PowerShell script contains strings that are split into multiple lines and concatenated later for execution. This is one of the techniques used by the malware to evade detection by Anti-virus products." The malware incorporates PowerSploit module Invoke-ReflectivePEInjection, to load a DLL into the PowerShell process. Bumblebee loader has become a popular tool for threat actors replacing BazarLoader. Bumblebee provides a downloader for many offensive tools such as Cobalt Strike, Meterpreter, Silver, as well as any other malware needed by the attacker.

Anvilogic Scenario:

• LNK & LOLBin

Anvilogic Use Cases:

• Symbolic OR Hard File Link Created
• Executable Create Script Process
• Powershell DLL/EXE Injection

‍