Bumblebee Malware from TransferXL URLs

EXOTIC LILY is observed distributing Bumblebee malware through TransferXL by sharing ZIP archives that contain ISO disk images. The infection chain includes mounting the ISO, running a Windows shortcut that launches a hidden DLL via rundll32, followed by Bumblebee C2 activity and later Cobalt Strike traffic to additional infrastructure.

#Bumblebee #EXOTIC_LILY #TransferXL #CobaltStrike #Rundll32 #AmazonAWS

Keypoints

  • EXOTIC LILY uses TransferXL as a distribution channel to push Bumblebee via ISO images contained in a ZIP archive.
  • An associated email ([email protected]) is shown with the malicious TransferXL URL, linking the delivery to the attacker’s communications.
  • The delivered ISO includes a Windows shortcut and a hidden malware DLL; double-clicking the shortcut executes the DLL on the victim host.
  • Initial Bumblebee C2 traffic appears to 194.135.33.144 over port 443, followed by HTTPS traffic to an AWS host (ec2-3-144-143-242.us-east-2.compute.amazonaws.com).
  • Subsequent Cobalt Strike activity is observed to 23.106.215.123, with xenilik.com as the associated C2 domain.
  • IOCs include TransferXL download URLs, associated emails and domains, file hashes, and filenames tied to the infection chain.

MITRE Techniques

  • [T1566.002] Phishing: Spearphishing Link – “Malicious TransferXL URL delivering malware.”
  • [T1218.011] Signed Binary Proxy Execution: Rundll32 – “Run method: rundll32.exe spc.dll,JQhnMKwhpA.”
  • [T1105] Ingress Tool Transfer – “The downloaded zip archive contains an ISO disk image.”
  • [T1071.001] Application Layer Protocol: Web Protocols – “HTTPS traffic to an amazonAWS server” and subsequent C2 activity over HTTPS.

Indicators of Compromise

  • [URL] TransferXL download links – hxxps://www.transferxl[.]com/download/00ZNPDZqZwZ9m, hxxps://www.transferxl[.]com/download/00jwbtRXtsSsZX, and 3 more
  • [Email] Associated with malicious TransferXL URLs – andresbolivar@southerncompanygas[.]co, jhurris@wolsleyindustrialgroup[.]com, and 2 more
  • [Domain] Domains from the emails – southerncompanygas[.]co, wolsleyindustrialgroup[.]com, and 1 more
  • [SHA256] File hashes – 1ec8c7e21090fb4c667f40c8720388a89789c569169fe0e41ec81567df499aac, 24aa82e1a085412686af5d178810fc0d056c5b8167ae5b88973b33071aa14569, and 2 more
  • [File] Filenames associated with the malware – TransferXL-00jdMwft3vVZ7Q.zip, documents-2205210.iso, New Folder.lnk, spc.dll
  • [IP] Command and Control – 194.135.33[.]144 (Bumblebee C2), 3.144.143[.]242 (AWS host), 23.106.215[.]123 (Cobalt Strike)
  • [Domain] Cobalt Strike domain – xenilik[.]com
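The following is an added hunting example, not code from the original report: it scans constructed Sysmon-style process and network events for the launch pattern quoted under T1218.011 (rundll32 given a bare DLL name, started from the root of a mounted ISO volume) and for connections to the C2 addresses listed above. The event layout, the host, and the sample telemetry are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Indicators taken from the report above (de-fanging removed so they match raw telemetry).
C2_IPS = {"194.135.33.144", "3.144.143.242", "23.106.215.123"}
RUNDLL_ARGS = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>[^\s,]+),(?P<export>\S+)", re.I)

@dataclass
class Event:
    kind: str            # "process" (process creation) or "network" (connection)
    image: str           # executing image
    cmdline: str = ""    # process command line
    cwd: str = ""        # current directory of the new process
    dest_ip: str = ""    # destination of a network connection

# Constructed sample telemetry for a hypothetical host; not from the report.
SAMPLE = [
    Event("process", r"C:\Windows\System32\rundll32.exe",
          "rundll32.exe spc.dll,JQhnMKwhpA", cwd="E:\\"),          # reported launch, ISO mounted as E:
    Event("process", r"C:\Windows\System32\rundll32.exe",
          r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL", cwd=r"C:\Windows"),
    Event("network", r"C:\Windows\System32\rundll32.exe", dest_ip="194.135.33.144"),
    Event("network", r"C:\Program Files\App\app.exe", dest_ip="203.0.113.10"),
]

def rundll32_reasons(ev):
    """Reasons a process event resembles the ISO -> LNK -> rundll32 launch, or []."""
    m = RUNDLL_ARGS.search(ev.cmdline)
    if ev.kind != "process" or not ev.image.lower().endswith("rundll32.exe") or not m:
        return []
    reasons = []
    if "\\" not in m.group("dll"):
        reasons.append("DLL given by bare name, resolved from the working directory")
    if re.fullmatch(r"[A-Za-z]:\\", ev.cwd) and not ev.cwd.upper().startswith("C:"):
        reasons.append("working directory is the root of a non-system volume (mounted ISO?)")
    return reasons

def hunt(events):
    """Return (event, reason) pairs for suspicious rundll32 launches and known C2 contacts."""
    findings = []
    for ev in events:
        for reason in rundll32_reasons(ev):
            findings.append((ev, reason))
        if ev.kind == "network" and ev.dest_ip in C2_IPS:
            findings.append((ev, f"connection to reported C2 {ev.dest_ip}"))
    return findings

if __name__ == "__main__":
    for ev, reason in hunt(SAMPLE):
        print(f"{ev.image} :: {reason}")
```

The two rundll32 heuristics flag the reported launch but not the benign Control Panel invocation, while the legitimate-looking shell32.dll call is left alone; pair them with the IP matches for a lower-noise alert.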