A new JavaScript-based dropper named PindOS has been observed delivering Bumblebee and IcedID, with Russian-language comments and a user-agent string “PindOS.” The dropper downloads payloads from multiple URLs, executes them via rundll32 and PowerShell, and the delivered payloads show obfuscation and anti-VM/sandbox techniques, signaling evolving delivery tactics. #Bumblebee #IcedID #PindOS #Conti #BazarLoader #DeepInstinct
Key points
- A new JavaScript-based dropper (PindOS) is delivering Bumblebee and IcedID, with Russian-language comments and a distinctive user-agent string.
- The dropper’s workflow first downloads the payload from one URL and executes it via rundll32.exe; if that fails, it downloads the payload from a second URL and executes it using PowerShell together with rundll32.exe.
- Bumblebee’s flow is shifting from PowerShell-based first stages to a JavaScript dropper, marking a potential change in TTPs.
- IcedID appears to be broadening from banking functionality to a loader role, aligning with the dropper’s use and evolution.
- The delivered DLL payloads employ obfuscation, anti-debugging, and anti-VM/sandbox techniques, and use new exports compared to previous variants.
- The dropper had low first-seen detection rates, but consistent export names and other stable indicators keep the delivered payloads detectable.
MITRE Techniques
- [T1059.007] Command and Scripting Interpreter: JavaScript – Adversaries may abuse various implementations of JavaScript for execution. ‘The possible switch to JavaScript instead of PowerShell marks a significant change in Bumblebee’s well-established TTPs.’
- [T1218.001] System Binary Proxy Execution: Rundll32 – Adversaries may abuse rundll32.exe to proxy execution of malicious code. ‘download the payload initially from URL1 and execute it by calling on the specified export directly via rundll32.exe.’
- [T1059.001] Command and Scripting Interpreter: PowerShell – Adversaries may use PowerShell to execute payloads. ‘If this fails, the dropper will attempt to download the payload from URL2 and execute it using a combination of PowerShell and rundll32.exe.’
- [T1027] Obfuscated/Compressed Files and Information – Adversaries may obscure the contents of files to hinder analysis. ‘The dropper is obfuscated and includes very characteristic obfuscation (“elemXXX”).’
- [T1497] Virtualization/Sandbox Evasion – Adversaries may attempt anti-debugging and anti-VM/sandbox techniques to evade analysis. ‘anti-debugging and anti-VM/sandbox features remain the same but with some additional “legitimate looking” strings…’
- [T1105] Ingress Tool Transfer – Adversaries may download and stage payloads from remote servers. ‘download the payload initially from URL1 and URL2…’
Indicators of Compromise
- [Network Artifact] User-Agent – PindOS
- [URL] Bumblebee infection URLs – hxxps://qaswrahc.com/wp-content/out/mn[.]php, hxxp://tusaceitesesenciales.com/mn[.]php, hxxp://carwashdenham.com/mn[.]php, hxxps://intellectproactive.com/dist/out/mn[.]php
- [SHA256] Bumblebee JS dropper – bcd9b7d4ca83e96704e00e378728db06291e8e2b50d68db22efd1f8974d1ca91, 07d2cb0dc0cd353fb210b065733743078e79c4a27c42872cd516a6b1fb1f00d1, 00ec8f3900336c7aeb31fef4d111ee6e33f12ad451bc5119d3e50ad80b2212b0, 15da5b0a65dd8135273124da0c6e52e017e3b54642f87571e82d2314aae97eec, 180a935383b39501c7bdf2745b3a334841f01a7df9d063fecca587b5cc3f5e7a
- [SHA256] Bumblebee DLL payload – 24dd5c33b8a5136bdf29d0c07cf56ef0e33a285bb12696a8ff65e4065cb18359, 76c9780256e195901e1c09cb8a37fb5967f9f5b36564e380e7cf2558652f875b, 28c87170f2525fdecc4092fb347acd9b8350ed65e0fd584ce9fc001fd237d523, ac261ac26221505798c65c61a207f3951cc7dce2e1014409d8a765d85bfd91d4
- [URL] IcedID infection URLs – hxxps://masar-alulaedu.com/wp-content/woocommerce/out/berr[.]php, hxxps://egyfruitcorner.com/wp-content/tareq/out/berr[.]php, hxxps://tech21africa.com/wp-content/uploads/out/berr[.]php, hxxps://www.posao-austrija.at/images/out/lim[.]php, hxxps://logisticavirtual.org/wp-content/out/lim[.]php, hxxps://adecoco.us/wp-content/out/lim[.]php, hxxps://acsdxb.net/wp-content/out/lim[.]php
- [SHA256] IcedID JS dropper – 92506fe773db7472e7782dbb5403548323e65a9eb2e4c15f9ac65ee6c4bd908b, c84c84387f0b9e7bc575a008f36919448b4e6645e1f5d054e20b59be726ee814, 7355656f894ae26215f979b953c8fa237dc39af857a6b27754a93adb1823f3b6, 8f40ff286419eb4b0c4d15710dc552afb2c2a227a180f4b4f520d09b05724151
- [SHA256] IcedID DLL payload – 9101975f7aca998da796fc15a63b36ab8aa0fe0aed0b186aaed06a3383d5f226, 4f0c9c6fc1287ef16f4683db90dd677054a1f834594494d61d765fa3f2e1352c, cb307d7fa6eaac6a975ad64ff966ff6b0b0fdd59109246c2f6f5e8d50a33e93c, 361b0157ef63d362fdd4399288f5f6a0e1536633dfb49c808a3590718c4d8f10, e71c9ac9ddd55b485e636840da150db5cd2791d0681123457bd40623acd8311c, 8ae3be9f09f5fc64ec898a4d6467b2f6e50eaaa26fc460a4f1a9b9566e97a9a7
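As an added defender-side example (not code from the DeepInstinct report), the script below turns the indicators listed above into a small matcher: it refangs the published URLs, canonicalises host and path so http/https variants still match, flags the PindOS user-agent, and checks observed file hashes against the SHA256 lists. The proxy-log format, timestamps and client addresses are constructed for illustration; the indicator values are copied from the IoC list above (all URLs, and a subset of the hashes).

```python
"""Match the PindOS indicators listed above against proxy-log lines and file hashes.

Added example for this summary, not code from the DeepInstinct report. Indicator
values come from the IoC list above (defanged as published); the log format,
timestamps and client addresses are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

PINDOS_USER_AGENT = "PindOS"  # network artifact reported for the dropper

# Infection URLs as published. Bumblebee staging ends in mn.php, IcedID in berr.php or lim.php.
DEFANGED_URLS = {
    "Bumblebee": [
        "hxxps://qaswrahc.com/wp-content/out/mn[.]php",
        "hxxp://tusaceitesesenciales.com/mn[.]php",
        "hxxp://carwashdenham.com/mn[.]php",
        "hxxps://intellectproactive.com/dist/out/mn[.]php",
    ],
    "IcedID": [
        "hxxps://masar-alulaedu.com/wp-content/woocommerce/out/berr[.]php",
        "hxxps://egyfruitcorner.com/wp-content/tareq/out/berr[.]php",
        "hxxps://tech21africa.com/wp-content/uploads/out/berr[.]php",
        "hxxps://www.posao-austrija.at/images/out/lim[.]php",
        "hxxps://logisticavirtual.org/wp-content/out/lim[.]php",
        "hxxps://adecoco.us/wp-content/out/lim[.]php",
        "hxxps://acsdxb.net/wp-content/out/lim[.]php",
    ],
}

# SHA256 values from the report (a subset; extend with the full lists above).
KNOWN_SHA256 = {
    "bcd9b7d4ca83e96704e00e378728db06291e8e2b50d68db22efd1f8974d1ca91": "Bumblebee JS dropper",
    "07d2cb0dc0cd353fb210b065733743078e79c4a27c42872cd516a6b1fb1f00d1": "Bumblebee JS dropper",
    "24dd5c33b8a5136bdf29d0c07cf56ef0e33a285bb12696a8ff65e4065cb18359": "Bumblebee DLL payload",
    "92506fe773db7472e7782dbb5403548323e65a9eb2e4c15f9ac65ee6c4bd908b": "IcedID JS dropper",
    "9101975f7aca998da796fc15a63b36ab8aa0fe0aed0b186aaed06a3383d5f226": "IcedID DLL payload",
}


def refang(ioc: str) -> str:
    """Undo the publication defanging (hxxp -> http, [.] -> .) so the URL can be compared."""
    return ioc.replace("hxxp", "http", 1).replace("[.]", ".")


def url_key(url: str) -> str:
    """Canonical host+path, lower-cased and scheme-less, so http/https variants still match."""
    parts = urlsplit(url)
    return parts.netloc.lower() + parts.path


# Lookup table: canonical URL -> malware family
URL_KEYS = {url_key(refang(u)): fam for fam, urls in DEFANGED_URLS.items() for u in urls}

# Constructed proxy-log format: <timestamp> <client> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def scan_proxy_log(lines):
    """Return one finding per log line that carries a PindOS indicator."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole scan
        reasons = []
        if m["ua"] == PINDOS_USER_AGENT:
            reasons.append("user-agent PindOS")
        family = URL_KEYS.get(url_key(m["url"]))
        if family:
            reasons.append(f"{family} infection URL")
        if reasons:  # a failed request (e.g. 404) is still evidence of an infection attempt
            findings.append({"line": n, "src": m["src"], "url": m["url"], "reasons": reasons})
    return findings


def match_hashes(observed):
    """Map each observed SHA256 (any letter case) to the indicator list that contains it."""
    lowered = (d.strip().lower() for d in observed)
    return {d: KNOWN_SHA256[d] for d in lowered if d in KNOWN_SHA256}


# Constructed sample log: a hit on an infection URL, the PindOS UA against unknown
# infrastructure, a benign request, a failed (404) attempt, and an unparsable line.
SAMPLE_PROXY_LOG = [
    '2023-06-23T10:14:02Z 10.0.0.12 GET https://qaswrahc.com/wp-content/out/mn.php 200 "PindOS"',
    '2023-06-23T10:14:05Z 10.0.0.12 GET https://intranet.example/index.html 200 "Mozilla/5.0"',
    '2023-06-23T10:15:40Z 10.0.0.31 GET https://cdn.example/lib.js 200 "PindOS"',
    '2023-06-23T10:16:01Z 10.0.0.44 GET http://tusaceitesesenciales.com/mn.php 404 "Mozilla/5.0"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {f['line']}: {f['src']} -> {f['url']} ({', '.join(f['reasons'])})")
```

Run stand-alone, the scan reports three of the five sample lines. The user-agent match on line 3 is the more durable of the two signals: the staging hosts in the list rotate, but the "PindOS" string travels with the dropper, so a hit on infrastructure that is not yet in any list is exactly the case worth alerting on. The 404 on line 4 is flagged on purpose, since an attempted download from a known staging URL indicates a host that already ran the dropper.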
Read more: https://www.deepinstinct.com/blog/pindos-new-javascript-dropper-delivering-bumblebee-and-icedid