A Sting on Bing: Bumblebee Delivered Through Bing SEO Poisoning Campaign

Bumblebee is a downloader distributed through phishing and SEO poisoning campaigns; the campaign summarised here targets Bing users searching for legitimate software downloads. It uses typosquatted domains and Trojanized MSI installers for two niche tools, WinMTR and Milestone XProtect, to deliver Bumblebee, putting software distribution channels and developer environments at risk.

Key points

  • Bumblebee malware was first identified in 2022 and is linked to ransomware threat actors, including former Conti affiliates.
  • A recent campaign targets Bing search engine users by poisoning SEO results to promote fake download sites for WinMTR and Milestone XProtect.
  • Malicious sites use typosquatting domains closely mimicking legitimate software websites to deceive victims.
  • The Trojanized MSI installers delivered connect to Bumblebee command-and-control (C2) servers, enabling malware deployment after user execution.
  • The installer runs through the legitimate msiexec.exe, and the payload is loaded by DLL side-loading: a malicious version.dll is placed beside icardagt.exe, a Windows binary whose signing certificate has expired, so that the trusted executable loads the malicious code.
  • The campaign infrastructure is hosted on a common server, with multiple C2 domains registered using the ‘.life’ TLD following a naming pattern.
  • This approach highlights a shift from targeting common software like Zoom to more niche developer tools, posing risks to privileged development environments.

MITRE Techniques

  • [T1583.001] Acquire Infrastructure: Domains – The threat actor registered typosquatted domains similar to legitimate software sites to host malicious payloads. (“legitimate appearing sites to host the malicious downloader and registered domains which were similar to the original one”)
  • [T1608.006] Stage Capabilities: SEO Poisoning – SEO poisoning was used to position malicious download sites at top Bing search results for targeted software queries. (“the campaign appears to target users of the Bing search engine, relying on SEO poisoning techniques”)
  • [T1608.001] Stage Capabilities: Upload Malware – Malicious MSI installers were hosted on external domains to deliver Bumblebee. (“both sites reference an external domain called ‘software-server[.]online’, which hosts the malicious MSI files”)
  • [T1189] Initial Access: Drive-by Compromise – The write-up maps initial access to drive-by compromise, but the chain it describes requires the victim to download and run the Trojanized installer from the fake site; ATT&CK reserves T1189 for compromise that happens during normal browsing without user action, so T1204.002 (below) is the closer fit. (“Once executed, the MSI file delivers Bumblebee malware to victims”)
  • [T1204.002] Execution: User Execution: Malicious File – The malicious MSI installer only runs when the victim opens it. (“The Trojanized installer which delivers the Bumblebee malware to victims once executed”)
  • [T1036.005] Masquerading: Match Legitimate Name or Location – Executables and DLLs masquerade as legitimate files, including an expired signed binary. (“icardagt.exe appears to be a legitimate Windows binary; however, the certificate used to sign it expired”)
  • [T1218.007] System Binary Proxy Execution via msiexec – The malware is installed using the legitimate msiexec.exe system binary to bypass restrictions. (“The installer is then installed using msiexec.exe”)
  • [T1574.001] DLL Side-Loading – The malicious DLL ‘version.dll’ is side-loaded by the legitimate executable to execute malware code. (“a malicious DLL titled version.dll is loaded by icardagt.exe”)

Indicators of Compromise

  • [Phishing Domains] Fake download sites – winmtr[.]org, milestonesys[.]org
  • [Download Domain] Host of malicious MSI files – software-server[.]online
  • [C2 Domains] Bumblebee command and control servers – 19ak90ckxyjxc[.]life, o2u1xbm9xoq4p[.]life, and over 40 similar .life domains
  • [File Hashes] Malicious DLL version.dll – MD5 a67fa1a060c07934c3de8612aaa0ebc2, SHA-1 d1c5b38d3d91f925b16d616c1c9d3e05542f025d
  • [File Hashes] Trojanized WinMTR MSI installers – MD5 28c0caed1c9c242f60c8e0884ccbf976, SHA-256 31dd6d070a65a648b2be9ea2edc9efca26762c3875a8dde2d018eb064bc41e32
  • [File Hashes] Trojanized Milestone_XProtect MSI installers – MD5 ea966dbfdd3f777727c827719e668f94, SHA-256 c6d5d2fff2cc422aca6dd5538f8351b8f2107a07a0df1f3ad8d69b050951ca1e
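The two observables a defender can act on from the key points and the IoC list are the domain set (fake download sites, the MSI host, and the patterned .life C2 names) and the side-loading chain (icardagt.exe mapping a version.dll from a non-system path). The script below is an added hunting example, not code from Cyjax or from the report; it runs over constructed DNS-query lines and Sysmon-style image-load pairs embedded in the file. The regular expression for the C2 name shape (13 lowercase alphanumerics followed by .life) is an assumption generalised from the two published names and should be treated as a heuristic, not a confirmed indicator.

```python
import re
from typing import List, Optional, Tuple

# Exact-match IoCs from the write-up (defanging brackets removed).
KNOWN_DOMAINS = {
    "winmtr.org", "milestonesys.org",            # fake download sites
    "software-server.online",                    # host of the malicious MSIs
    "19ak90ckxyjxc.life", "o2u1xbm9xoq4p.life",  # two of the 40+ C2 domains
}

# ASSUMPTION: shape shared by the two published C2 names (13 lowercase
# alphanumerics + ".life"). Hunting heuristic only, not a confirmed IoC.
C2_SHAPE = re.compile(r"^[a-z0-9]{13}\.life$")

# Directories from which a Windows system binary is expected to load version.dll.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def classify_domain(name: str) -> Optional[str]:
    """Return 'known-ioc', 'c2-shape' or None for one queried name."""
    d = name.lower().rstrip(".")          # normalise case and trailing dot
    if d in KNOWN_DOMAINS:
        return "known-ioc"
    if C2_SHAPE.match(d):
        return "c2-shape"
    return None


def is_sideload(image: str, loaded: str) -> bool:
    """True when icardagt.exe maps a version.dll that lives outside the system directories."""
    img, dll = image.lower(), loaded.lower()
    if not img.endswith("\\icardagt.exe") or not dll.endswith("\\version.dll"):
        return False
    return not dll.startswith(SYSTEM_DIRS)


def hunt(dns_lines: List[str], image_loads: List[Tuple[str, str]]) -> List[Tuple[str, str, str, str]]:
    """dns_lines: 'timestamp client qname'; image_loads: (image, loaded_dll) pairs."""
    hits = []
    for line in dns_lines:
        _ts, client, qname = line.split()
        verdict = classify_domain(qname)
        if verdict:
            hits.append(("dns", verdict, client, qname))
    for image, loaded in image_loads:
        if is_sideload(image, loaded):
            hits.append(("imageload", "sideload", image, loaded))
    return hits


# Constructed sample telemetry (not taken from the report).
SAMPLE_DNS = [
    "2024-05-01T10:00:01 10.0.0.5 winmtr.org",
    "2024-05-01T10:00:03 10.0.0.5 software-server.online",
    "2024-05-01T10:01:10 10.0.0.5 19ak90ckxyjxc.life",
    "2024-05-01T10:01:12 10.0.0.5 q7v3m2p0z8k1d.life",   # fits the shape, not a published IoC
    "2024-05-01T10:02:00 10.0.0.7 learn.microsoft.com",   # unrelated traffic
    "2024-05-01T10:02:05 10.0.0.7 example.life",          # .life but not the 13-char shape
]
SAMPLE_IMAGE_LOADS = [
    (r"C:\Windows\System32\icardagt.exe", r"C:\Windows\System32\version.dll"),  # expected load
    (r"C:\Users\dev\AppData\Local\Temp\icardagt.exe",
     r"C:\Users\dev\AppData\Local\Temp\version.dll"),                           # side-load
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_DNS, SAMPLE_IMAGE_LOADS):
        print(hit)
```

On the constructed sample the script reports the three known-IoC lookups, one name that only fits the assumed C2 shape (worth triage, not an alert on its own), and the image load of version.dll from a Temp directory. In production, feed it DNS or proxy logs and Sysmon event ID 7 records, and keep the shape match as a lower-severity signal than the exact-match set.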
Read more: https://www.cyjax.com/resources/blog/a-sting-on-bing-bumblebee-delivered-through-bing-seo-poisoning-campaign/