BumbleBee a New Modular Backdoor Evolved From BookWorm

BumbleBee is described as a refactored, modular backdoor evolved from BookWorm, featuring a two-app architecture (server/controller and client/slave) with layered deployment and a loader chain that uses a legitimate executable to run shellcode. The campaign appears targeted at Taiwan’s local government devices and expands capabilities via a controller app, using RC4/LZO for C2 communications and multiple persistence and control options. #BumbleBee #BookWorm #Taiwan #XecureIO_v20 #XcrSvr

Keypoints

  • BumbleBee comprises two applications: a master server (controller) and a slave client, enabling centralized command and control.
  • The client uses a layered, self-extracting package that loads a legitimate XcrSvr.exe with a side-loaded XecureIO_v20.dll to execute malicious shellcode (ore).
  • A set of modules (launcher.dll, kernel.dll, installer.dll, keylog.dll, loader.dll, slaver.dll) is loaded to perform actions after initial compromise.
  • Persistence is achieved via multiple methods, including registry run keys, Windows services, and logon initialization scripts (UserInitMprLogonScript).
  • The server provides extensive capabilities (file management, remote desktop, process/service/registry management, shell access, reverse proxy, and keylogging) for remote control.
  • Network traffic is encrypted with RC4 and compressed with LZO; the initial beacon uses an HTTP POST to /update, with payload integrity checked via a CRC32 scheme.
  • Attribution links BumbleBee to BookWorm and Chinese-origin threats, focusing on local government targets in Asia, particularly Taiwan.

MITRE Techniques

  • [T1574.002] Hijack Execution Flow: DLL Side-Loading – The loader DLL patches the parent entry point to run malicious code. “Notably, as XecureIO_v20.dll is loaded by XcrSvr.exe, it will check if the parent process is ‘XcrSvr.exe.’ If so, it will patch the entry point of XcrSvr.exe with a long jump instruction to direct execution flow to the malicious code.”
  • [T1070.004] Indicator Removal on Host: File Deletion – The installer component drops and then deletes the original SFX payload to avoid analysis. “Delete the original SFX file.”
  • [T1055] Process Injection – XecureIO_v20.dll hooks its parent process’ entry point to route execution to malicious code. “XecureIO_v20.dll hooks its parent process’ entry point”
  • [T1480.001] Execution Guardrails: Environmental Keying – The payload is decrypted using machine-specific data (ProductID from registry) as the key. “Using the information on the compromised machine as a key to decrypt the encrypted payload”
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Abuse registry run key for persistence on boot. “Abuse registry run key to repeatedly execute the malware once system boot”
  • [T1037.001] Boot or Logon Initialization Scripts: Logon Script (Windows) – Persistence through logon scripts. “Boot or Logon Initialization Scripts: Logon Script (Windows)”
  • [T1548.003] Create or Modify System Process: Windows Service – Create Windows services to repeatedly execute payloads. “Create Windows services to repeatedly execute malicious payloads”
  • [T1548.002] Abuse Elevation Control Mechanism: Bypass User Account Control – Bypass UAC via loaded components. “bpu.dll (used to bypass UAC)”
  • [T1056.001] Input Capture: Keylogging – Keylogger component records keystrokes and clipboard content. “Keylog.dll … monitors the keystrokes and clipboard content”
  • [T1592] Gather Victim Host Information – The server collects machine details (name, IP, location, OS, CPU, memory). “computer name, external IP address, geographic location, OS, CPU, and memory”
  • [T1071.001] Application Layer Protocol: Web Protocols – Communications occur over HTTP with a beacon to the C2. “Communicates over the HTTP protocol” and “POST request … /update”
  • [T1090] Proxy – Reverse proxy to expose a local server behind NAT/firewall. “Reverse proxy to help expose a local server behind a NAT or firewall to the internet”
  • [T1573.001] Encrypted Channel: Symmetric Cryptography – C2 traffic encrypted with RC4 and compressed with LZO. “encrypted between server and client applications using the RC4 and compressed by LZO”
  • [T1132.001] Data Encoding: Standard Encoding – Data is encrypted/encoded during transit (RC4) and using a CRC for integrity checks. “CRC32 checksum with reversed-presentation mode to verify the received data” and “encrypted … RC4”
  • [T1587.001] Develop Capabilities: Malware – The platform’s modular design enables ongoing capability development. “Develop Capabilities: Malware”
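The side-loading and persistence techniques above map directly onto host telemetry. The following is an added detection example, not code from the Trend Micro report or from the malware itself: it scans Sysmon-style events (image load, EID 7; registry value set, EID 13) for XcrSvr.exe loading XecureIO_v20.dll, for writes to Run keys or the UserInitMprLogonScript value, and for new service ImagePath values. The process and DLL names come from the report; the event dictionary shape, file paths, SID and service name are constructed for the demo.

```python
# Added example (not from the report): a small Sysmon-style event scanner for the
# BumbleBee behaviours listed above. Event shape and sample values are constructed.
from __future__ import annotations
import re
from dataclasses import dataclass

# Names from the report; matched case-insensitively.
SIDELOAD_HOST = "xcrsvr.exe"
SIDELOAD_DLL = "xecureio_v20.dll"

# Persistence locations named in the report (registry Run keys, logon script value).
PERSISTENCE_PATTERNS = [
    ("registry_run_key", re.compile(r"\\currentversion\\run(?:once)?\\", re.I)),
    ("logon_script", re.compile(r"\\environment\\userinitmprlogonscript$", re.I)),
]
# A new or changed service binary path (Windows service persistence).
SERVICE_IMAGEPATH = re.compile(r"\\services\\[^\\]+\\imagepath$", re.I)


@dataclass
class Finding:
    technique: str
    detail: str


def check_image_load(ev: dict) -> Finding | None:
    """Sysmon EID 7: flag XcrSvr.exe loading XecureIO_v20.dll (T1574.002 candidate)."""
    image = ev.get("Image", "").lower()
    loaded = ev.get("ImageLoaded", "").lower()
    if image.endswith("\\" + SIDELOAD_HOST) and loaded.endswith("\\" + SIDELOAD_DLL):
        return Finding("T1574.002", f"{image} loaded {loaded}")
    return None


def check_registry_set(ev: dict) -> Finding | None:
    """Sysmon EID 13: flag persistence writes to Run keys, logon script value, or service path."""
    target = ev.get("TargetObject", "")
    details = ev.get("Details", "")
    for name, pat in PERSISTENCE_PATTERNS:
        if pat.search(target):
            tid = "T1547.001" if name == "registry_run_key" else "T1037.001"
            return Finding(tid, f"{target} = {details}")
    if SERVICE_IMAGEPATH.search(target):
        return Finding("service_persistence", f"{target} = {details}")
    return None


def scan(events: list[dict]) -> list[Finding]:
    """Run the per-event checks and collect findings in log order."""
    findings: list[Finding] = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 7:
            f = check_image_load(ev)
        elif eid == 13:
            f = check_registry_set(ev)
        else:
            f = None
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample events: paths, SID and service name are invented for the demo.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\Public\XcrSvr.exe",
     "ImageLoaded": r"C:\Users\Public\XecureIO_v20.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Environment\UserInitMprLogonScript",
     "Details": r"C:\Users\Public\slaver.exe"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\Public\slaver.exe"},
    {"EventID": 13, "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\XcrSvc\ImagePath",
     "Details": r"C:\Users\Public\XcrSvr.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding.technique, finding.detail)
```

The image-load check keys on the process/DLL pair rather than on the DLL name alone, because a signed XcrSvr.exe loading its companion DLL from a vendor directory is the legitimate case; in practice you would add the directory (user-writable vs. program-files) and the DLL's signature status as extra fields before alerting.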

Indicators of Compromise

  • [Hash] – Context: associated with the backdoor components – f8809c6c56d2a0f8a08fe181614e6d9488eeb6983f044f2e6a8fa6a617ef2475, ea5db8d658f42acad38106cbc46eea5944607eb709fb00f8adb501d4779fbea0
  • [File name] – Context: files involved in payload delivery – slaver.exe, XecureIO_v20.dll
  • [Hash] – Context: additional module hashes for XecureIO_v20.dll – 3fc6c5df4a04d555d5cbf2ca53bed7769b5595fc6143a2599097cb6193ef8810
  • [Hash] – Context: additional module payloads – 4ecde81a476f1e4622d192fe2f120f7c5c3ec58bf118b791d5532f3ff61c09ee, 8ab8bb836b074e170c129b7f0523d256930fd1f8cf126ca1875b450fdb6c4c05, 8e340746339614ca105a1873dad471188b24421648d080e37d52b87f4ced5e6d
  • [File name] – Context: payload components – ore, bin, path
  • [URL] – Context: C2 endpoints – http://www.synolo.ns01.biz:80/update, http://118.163.105.130:80/update
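The indicators above can be turned into a simple matcher. The following is an added example, not code from the report or the Trend Micro project: it checks constructed proxy log lines against the C2 hosts and the /update beacon path, and checks files against the listed SHA-256 hashes and file names. The hashes, hosts, URLs and file names are the report's; the log format, timestamps, client addresses and file contents are constructed for the demo.

```python
# Added example (not from the report): match the report's IoCs against constructed
# proxy log lines and files. Log format and sample values are made up.
from __future__ import annotations
import hashlib
import re
from urllib.parse import urlsplit

# C2 endpoints from the report.
C2_URLS = {
    "http://www.synolo.ns01.biz:80/update",
    "http://118.163.105.130:80/update",
}
C2_HOSTS = {urlsplit(u).hostname for u in C2_URLS}
BEACON_PATH = "/update"

# SHA-256 hashes from the report.
MALICIOUS_SHA256 = {
    "f8809c6c56d2a0f8a08fe181614e6d9488eeb6983f044f2e6a8fa6a617ef2475",
    "ea5db8d658f42acad38106cbc46eea5944607eb709fb00f8adb501d4779fbea0",
    "3fc6c5df4a04d555d5cbf2ca53bed7769b5595fc6143a2599097cb6193ef8810",
    "4ecde81a476f1e4622d192fe2f120f7c5c3ec58bf118b791d5532f3ff61c09ee",
    "8ab8bb836b074e170c129b7f0523d256930fd1f8cf126ca1875b450fdb6c4c05",
    "8e340746339614ca105a1873dad471188b24421648d080e37d52b87f4ced5e6d",
}
# File names from the report; a weak signal on their own, since names are easily reused.
SUSPECT_FILENAMES = {"slaver.exe", "xecureio_v20.dll", "ore", "bin", "path"}

# Constructed access-log format: "timestamp client method url status".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def classify_request(line: str) -> tuple[str, str] | None:
    """Return (severity, reason) for a log line, or None if it is unparseable or benign."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    method, url = m["method"], m["url"]
    parts = urlsplit(url)
    if parts.hostname in C2_HOSTS:
        return ("high", f"{m['client']} contacted known C2 host {parts.hostname}")
    # The beacon is a POST to /update; on an unknown host that is only a weak signal.
    if method == "POST" and parts.path == BEACON_PATH:
        return ("low", f"{m['client']} POST {BEACON_PATH} to {parts.hostname} (review)")
    return None


def scan_log(lines: list[str]) -> list[tuple[str, str]]:
    """Classify every line and keep only the hits."""
    return [r for r in (classify_request(line) for line in lines) if r is not None]


def check_file(path: str, content: bytes) -> list[str]:
    """Flag a file by hash (strong match) or by name (weak match)."""
    reasons = []
    digest = hashlib.sha256(content).hexdigest()
    if digest in MALICIOUS_SHA256:
        reasons.append(f"{path}: SHA-256 matches BumbleBee IoC")
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name in SUSPECT_FILENAMES:
        reasons.append(f"{path}: file name listed in IoCs")
    return reasons


# Constructed sample log lines.
SAMPLE_LOG = [
    "2022-09-01T10:00:00Z 10.0.0.5 POST http://www.synolo.ns01.biz:80/update 200",
    "2022-09-01T10:00:02Z 10.0.0.5 GET http://example.org/index.html 200",
    "2022-09-01T10:00:05Z 10.0.0.7 POST http://118.163.105.130/update 200",
    "2022-09-01T10:00:09Z 10.0.0.9 POST http://intranet.example/update 200",
]

if __name__ == "__main__":
    for severity, reason in scan_log(SAMPLE_LOG):
        print(severity, reason)
    for reason in check_file(r"C:\Users\Public\slaver.exe", b"constructed file content"):
        print(reason)
```

Host matching strips the port, so a connection to either C2 on a non-standard port still scores as high; the bare "/update" POST is reported at low severity because the path is generic and only becomes interesting together with an RC4-encrypted body or a known-bad destination.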

Read more: https://www.trendmicro.com/en_us/research/22/i/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolv.html