Threat Research

BumbleBee: Round Two

TheDFIR

May 2022 intrusion used BumbleBee as the initial access vector to deploy Cobalt Strike and Meterpreter across the network. The actors delivered a hidden DLL via an ISO/LNK chain, then moved laterally with RDP/SMB and remote access tools before being evicted; they conducted extensive discovery and credential access along the way. #BumbleBee #CobaltStrike #Meterpreter #AnyDesk #tamirlan.dll #document.iso

Keypoints

  • The intrusion began with BumbleBee as the initial access vector, followed by deployment of Cobalt Strike beacon and Meterpreter on the network.
  • Delivery used an ISO containing a hidden DLL (tamirlan.dll) and a LNK to execute it, with execution invoked via rundll32.
  • Early discovery relied on Meterpreter and built-in Windows utilities to query domain controllers, AD trusts, domain admins, and network topology.
  • Persistence and lateral movement involved creating a new local admin user (sql_admin) and installing AnyDesk to enable remote access, with RDP and SMB used for movement and data access.
  • A second wave used AdFind via the beacon to enumerate AD objects; the actors then pivoted to backups and attempted Outlook Web Access exploration.
  • Credential access included a LSASS memory dump via procdump, followed by zip compression for exfiltration, with no significant exfil observed beyond C2 channels.

MITRE Techniques

  • [T1204] User Execution – The .lnk file was clicked to execute the BumbleBee payload: β€œWhen the .lnk was doubled clicked by the user, the BumbleBee malware tamirlan.dll was executed: C:WindowsSystem32rundll32.exe tamirlan.dll,EdHVntqdWt”
  • [T1218.011] Masquerading – The loader hid the DLL and used built-in Windows utilities to launch via WMI/COM; β€œthe .dll is hidden from the user unless they display hidden items in explorer”
  • [T1036] Local Account – A new local administrator user was created on a server to facilitate persistence on the machine. The user account was observed to be accessed via an AnyDesk session on the same machine.
  • [T1136.001] LSASS Memory – The actors dumped LSASS memory using procdump: C:programdata procdump64.exe -accepteula -ma lsass.exe C:programdatalsass.dmp
  • [T1560.001] Archive via Utility – The dumped LSASS data was archived with 7za: C:ProgramDatalsass.dmp ➝ C:Windowssystem32cmd.exe /C 7za.exe a -tzip -mx5 c:programdatalsass.zip c:programdatalsass.dmp
  • [T1569.002] Service Execution – AnyDesk was installed as a service to enable remote access: AnyDesk was installed as a service
  • [T1021.001] Remote Services (RDP) – Lateral movement via RDP to a server: The threat actor moved laterally via RDP to a server.
  • [T1021.002] Lateral Tool Transfer – SMB used to transfer tools laterally (e.g., procdump.exe, AnyDesk): SMB was used to transfer the various tools laterally, as needed in the environment, like procdump.exe and AnyDesk executables.
  • [T1071.001] Web Protocols – Command and Control over web protocols; C2 configuration shows HTTPS beacons and multiple C2 domains/IPs: beacontype: β€œHTTPS” … 3.85.198.66:443
  • [T1219] Remote Access Software – AnyDesk provided interactive desktop control for C2: AnyDesk was installed to facilitate interactive desktop command and control access to a server
  • [T1055] Process Injection – The loader injects into target processes using CreateRemoteThread: The malware used the win32 function CreateRemoteThread in order to execute code in rundll32.exe.
  • [T1047] WMI – The loader uses WMI/COM to spawn new processes, a technique to evade standard heuristics: β€œThe BumbleBee loader uses WMI to start new process by calling COM functions to create a new process.”
  • [T1016] System Network Configuration Discovery – Discovery phase included network commands (ipconfig, ping, nltest) to map Trusts and domain structure: C:Windowssystem32cmd.exe /C ipconfig /all ➝ C:Windowssystem32cmd.exe /C nltest /dclist: …

Indicators of Compromise

  • [IP] C2/Beacons – 154.56.0.221:443, 64.44.101.250:443, and other beacon IPs – example: 3.85.198.66:443
  • [Domain] C2 domain – fuvataren.com (and www.fuvataren.com)
  • [Domain] C2 domain – reconnected domains listed (e.g., stracke.lakin.windler.net) [contextual domain examples present in C2 blocks]
  • [Hash] Document/package hashes – 11bce4f2dcdc2c1992fddefb109e3ddad384b5171786a1daaddadc83be25f355, 123f96ff0a583d507439f79033ba4f5aa28cf43c5f2c093ac2445aaebdcfd31b
  • [File] document.iso, documents.lnk, tamirlan.dll – examples of dropped/used artifacts
  • [File] lsass.dmp, lsass.zip – credential dump and archive evidence
  • [File] 7za.exe – archiving utility used to compress LSASS dump
  • [Process] rundll32.exe, wabmig.exe, ImagingDevices.exe – processes involved in injection and foothold

Read more: https://thedfirreport.com/2022/09/26/bumblebee-round-two/

SHARE THIS STORY

WhatsAppX (Twitter)TelegramBlueskyFacebookLinkedInThreadsEmailPrint