Initial Access Broker Using Bumblebee Malware
Industry: N/A | Level: Tactical | Source: Palo Alto Unit42
Palo Alto Unit42 reports that the initial access broker Exotic Lily (tracked by Unit42 as Projector Libra) is the latest threat group discovered to leverage the popular Bumblebee malware loader. Since its appearance in February 2022, Bumblebee has swiftly risen in popularity due to its adoption by the ransomware groups Conti and Quantum. Bumblebee appears to have replaced BazarLoader, as no new BazarLoader samples have been seen since February 2022; additionally, Bumblebee has been deployed in campaigns formerly used to distribute BazarLoader. Tactics used by Exotic Lily commonly begin with a spear-phishing email containing a link to a file-sharing service, from which the victim downloads a container file, a ZIP archive and/or an ISO image, holding a malicious shortcut (LNK) file. As observed in most Bumblebee deployments, the threat actors' goal is to deploy a Cobalt Strike beacon on the infected host.
- LNK File Leads to Cobalt Strike
Anvilogic Use Cases:
- Compressed File Execution
- Suspicious Executable by CMD.exe
- Symbolic OR Hard File Link Created
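Detection logic for the ZIP/ISO-to-LNK-to-shell delivery chain described above, mapped to the first two use cases, as an added example that is not Unit42's or Anvilogic's code. The Sysmon-style event field names, the `Temp1_` extraction-path and non-C: drive heuristics, and the sample events are assumptions constructed for illustration.

```python
import re

# Explorer's built-in ZIP viewer extracts an opened member to %TEMP%\Temp1_<archive>.zip\
# and a double-clicked ISO mounts as a new drive letter (heuristics assumed here).
ARCHIVE_TEMP = re.compile(r"\\AppData\\Local\\Temp\\Temp1_[^\\]+\.zip\\", re.I)
NON_SYSTEM_DRIVE = re.compile(r"^[D-Z]:\\", re.I)  # assumption: the OS lives on C:
LOLBINS = {"cmd.exe", "rundll32.exe", "powershell.exe", "regsvr32.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the use case names a single process-creation event matches."""
    hits = []
    img, parent = basename(event["image"]), basename(event["parent_image"])
    cmd, cwd = event["command_line"], event["cwd"]
    # A double-clicked LNK inside a ZIP/ISO runs under explorer.exe, and the
    # shortcut then starts a shell or LOLBin that references the payload.
    if parent == "explorer.exe" and img in LOLBINS and (
        ARCHIVE_TEMP.search(cmd) or NON_SYSTEM_DRIVE.match(cwd)
    ):
        hits.append("Compressed File Execution")
    # cmd.exe launching an executable from a user-writable or removable path.
    if parent == "cmd.exe" and img.endswith(".exe") and (
        NON_SYSTEM_DRIVE.match(event["image"])
        or "\\appdata\\local\\temp\\" in event["image"].lower()
    ):
        hits.append("Suspicious Executable by CMD.exe")
    return hits

# Constructed sample telemetry (not real captures): a benign launch, then
# explorer.exe -> cmd.exe from a mounted ISO -> executable in %TEMP%, and rundll32 from a ZIP.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "cmd.exe /c dir", "cwd": r"C:\Users\alice"},
    {"id": 2, "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "cmd.exe /c run.bat", "cwd": "E:\\"},
    {"id": 3, "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "command_line": "update.exe", "cwd": "E:\\"},
    {"id": 4, "image": r"C:\Windows\System32\rundll32.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\Temp1_invoice.zip\inv.dll,Start",
     "cwd": r"C:\Users\alice\Downloads"},
]

def run(events):
    """Flatten (event id, use case) pairs for every event that fires a rule."""
    return [(e["id"], uc) for e in events for uc in classify(e)]

if __name__ == "__main__":
    print(run(SAMPLE_EVENTS))
```

The third use case (symbolic or hard link creation) needs file-system telemetry rather than process-creation events and is not covered by this rule set.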