Cyble – Bumblebee Returns With New Infection Technique

Keypoints

  • Bumblebee acts as a replacement loader for BazarLoader, delivering frameworks like Cobalt Strike, Sliver, Meterpreter, and other malware variants.
  • The infection chain begins with a spam email featuring a password-protected VHD attachment.
  • The VHD contains Quote.lnk and imagedata.ps1; the LNK file executes imagedata.ps1 to load Bumblebee in memory via PowerShell.
  • The first-stage PowerShell loader is launched with -ep bypass and hides its window via ShowWindow to evade antivirus detection.
  • The PowerShell code obfuscates and base64-encodes streams, then decompresses and executes a second-stage PowerShell payload.
  • The second stage uses PowerSploit Invoke-ReflectivePEInjection to reflectively load a DLL (LdrAddx64.dll) into the PowerShell process memory, enabling persistence/execution of the final payload.

MITRE Techniques

  • [T1566] Phishing – ‘The initial infection starts with a spam email that has a password-protected attachment that contains a .VHD (Virtual Hard Disk) extension file.’
  • [T1204] User Execution – ‘The LNK shortcut file has the parameters to execute the file “imagedata.ps1”, which further loads the Bumblebee payload in the memory of the PowerShell.’
  • [T1059] PowerShell – The first-stage PowerShell loader executes the payload via PowerShell. ‘C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -file imagedata.ps1’
  • [T1497] Virtualization/Sandbox Evasion – The loader hides execution to evade detection. ‘uses an alternate command, ShowWindow, to evade detection by Anti-virus scanners.’
  • [T1027] Obfuscated Files or Information – The script obfuscates commands and concatenates strings; obfuscated Base64 streams are decoded later. ‘The PowerShell script contains strings that are split into multiple lines and concatenated later for execution… obfuscated Base64 encoded streams.’
  • [T1518] Security Software Discovery – The malware accounts for anti-analysis and evasion techniques against security software. ‘to evade detection by Anti-virus scanners… ShowWindow’
  • [T1082] System Information Discovery – The second stage collects system information during execution. ‘System Information Discovery’ (referenced in the MITRE mapping).
  • [T1012] Query Registry – The malware queries registry to gather environment data. ‘Query Registry’ (referenced in the MITRE mapping).
  • [T1055] Process Injection – The final DLL is injected into the PowerShell process memory via reflective loading. ‘The image below shows the code similarities between the second stage PowerShell script present in the memory of “PowerShell.exe” and the Invoke-ReflectivePEInjection code…’; ‘The DLL payload injected into the memory of Powershell process by using the Invoke-ReflectivePEInjection function.’
  • [T1574] DLL Side-Loading – The embedded DLL is loaded into memory and executed within the PowerShell process. ‘reflectively loading the DLL into the PowerShell Process…’
  • [T1027] Obfuscated/Encoded Data – The second stage uses obfuscated/encoded data streams and Base64 decoding before execution. ‘Obfuscated Base64 encoded streams’
  • [T1018] Security Software Discovery – ‘Security Software Discovery’ appears in the article's MITRE mapping in the context of its anti-analysis measures.
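
The process launch from [T1059] and the script-block behaviours from [T1027] and [T1055] can be turned into detection logic. The following is an added example, not code from Cyble or the article; it runs over constructed Sysmon-style records whose shapes (image path, command line, script text) are assumptions about the log source.

```python
# Detection logic for the Bumblebee PowerShell chain summarised above.
# Added example, not Cyble's code: it runs over constructed Sysmon-style
# process-creation and script-block records; the record shapes are an
# assumption about the log source.
import re
import shlex


def _is_exec_policy_switch(tok: str) -> bool:
    # powershell.exe accepts -ep as an alias and any prefix of
    # -ExecutionPolicy from -ex onward, so normalise every spelling.
    t = tok.lstrip("-/").lower()
    return t == "ep" or (len(t) >= 2 and "executionpolicy".startswith(t))


def bypass_script_launch(image: str, cmdline: str) -> bool:
    """True when powershell.exe starts with a relaxed execution policy and
    a .ps1 argument, as in the report's '-ep bypass -file imagedata.ps1'."""
    if not image.lower().endswith("powershell.exe"):
        return False
    toks = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    relaxed = any(_is_exec_policy_switch(a) and b.lower() in ("bypass", "unrestricted")
                  for a, b in zip(toks, toks[1:]))
    return relaxed and any(t.lower().endswith(".ps1") for t in toks)


# Script-block markers for the stages the report describes: window hiding,
# base64 decode plus decompression of stage two, reflective DLL loading.
STAGE_MARKERS = {
    "hide_window": re.compile(r"\bShowWindow\b", re.I),
    "b64_decompress": re.compile(r"FromBase64String.*?(Decompress|GZipStream)", re.I | re.S),
    "reflective_load": re.compile(r"Invoke-ReflectivePEInjection", re.I),
}


def script_block_markers(script: str) -> set:
    """Names of the stage markers present in one script-block record."""
    return {name for name, rx in STAGE_MARKERS.items() if rx.search(script)}


# Constructed sample records (not taken from the report).
PROC_EVENTS = [
    ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     'powershell.exe -ep bypass -file "E:\\imagedata.ps1"'),
    ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell.exe -NoProfile -Command Get-Date"),
]
STAGE1_SCRIPT = ("[W]::ShowWindow($h,0); $d=[Convert]::FromBase64String($blob); "
                 "New-Object IO.Compression.GZipStream($ms,[IO.Compression.CompressionMode]::Decompress)")
```

A single marker such as ShowWindow is weak evidence on its own; alerting on the launch rule combined with two or more script-block markers in the same process keeps the false-positive rate manageable.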

Indicators of Compromise

  • [MD5] VHD file – 59fc33d849f9ad2ab4e4b7fe4b443a33 and 2 more (examples shown in article)
  • [SHA1] VHD file – e4ed0f94e8ad9aeeb019e6d253e2eefa83b51b5a
  • [SHA256] VHD file – 2102214c6a288819112b69005737bcfdf256730ac859e8c53c9697e3f87839f2
  • [MD5] LNK file – b3b877f927898a457e35e4c6a6710d01
  • [SHA1] LNK file – 8ed3dfa1ece8dbad0ccc8be8c1684f5a3de08ccb
  • [SHA256] LNK file – 1285f03b8dbe35c82feef0cb57b3e9b24e75efabba0589752c2256a8da00ad85
  • [MD5] PS1 file – Stage 1 – 254d757d0f176afa59ecea28822b3a71
  • [SHA1] PS1 file – Stage 1 – 3e59fff860826055423dde5bbd8830cceae17cf3
  • [SHA256] PS1 file – Stage 1 – 0ff8988d76fc6bd764a70a7a4f07a15b2b2c604138d9aadc784c9aeb6b77e275
  • [MD5] PS1 file – Stage 2 – 225b9fb42b5879c143c56ef7402cbcbc
  • [SHA1] PS1 file – Stage 2 – 03369886e9fc4b7eacc390045aa9c4b7fffad69a
  • [SHA256] PS1 file – Stage 2 – db91155087bd2051b7ac0576c0994e9fffb5225c26ea134cb2f38e819f385730
  • [MD5] Bumblebee DLL payload – da6feac8dff2a44784be3d078f2d4ac3
  • [SHA1] Bumblebee DLL payload – c0f43d1d3e87b0e8b86b4b9e91cb55b4a1893b48
  • [SHA256] Bumblebee DLL payload – 9bd9da44cc2d259b8c383993e2e05bbe1bcdac917db563b94e824b4b1628e87c

Read more: https://blog.cyble.com/2022/09/07/bumblebee-returns-with-new-infection-technique/