Check Point researchers detail Bumblebee loader’s rapid evolution, shifting delivery formats (ISO and VHD) and its move toward broader victim reach, plus how it loads encrypted configurations and communicates with its C2. They also note payload differences by victim type (Vidar/stealers on workstations vs Cobalt Strike, Sliver, or Meterpreter on organizations) and the use of a custom packer to enable flexible yet identifiable activity. #Bumblebee #CobaltStrike #Sliver #Vidar #Meterpreter #PowerShell
Keypoints
- Bumblebee is in constant evolution, including radical format changes from ISO to VHD and back between early and mid-2022.
- Around June 2022, changes in C2/server behavior suggest a shift toward maximizing victim reach rather than extensive malware testing.
- The group_name field is not a reliable clustering indicator; samples with different group_name often show similar behavior, implying a single actor operating many group_names, while encryption keys better reflect clustering.
- Payloads vary by victim: standalone machines tend toward banking trojans or info stealers, while organizational networks receive more advanced post-exploitation tools like Cobalt Strike.
- Bumblebee reads four buffers from its .data section: an 80-byte buffer holding a short ASCII RC4 key, two further 80-byte buffers and a 1024-byte block; the latter three are RC4-decrypted with that key to yield the configuration and C2 data.
- Commands such as DEX, DIJ, and SHI download and execute payloads, with domain-joined networks often receiving DIJ/SHI and workgroup machines receiving DEX-based payloads.
MITRE Techniques
- [T1027] Obfuscated/Compressed Files and Information – Bumblebee decrypts configuration buffers with RC4 and uses an RC4-based mechanism to process in-memory data. Quote: “…the first 80-byte buffer… stores an RC4 ascii key (much shorter in all cases we’ve observed). The other three pointers point to two 80-byte sections and a 1024-byte section, all of which contain data that is then decrypted using the above-mentioned RC4 key.”
- [T1071.001] Web Protocols – C2 communication uses JSON payloads, with encryption and periodic check-ins. Quote: “This string is encrypted using the same RC4 key used earlier for the configuration, and repeatedly sent to its C2 server with random delays between 25 seconds and 3 minutes…”
- [T1105] Ingress Tool Transfer – The malware downloads and executes additional payloads from the C2 server via multiple commands. Quote: “to deploy a threat, of the 5 commands supported by bumblebee, 3 lead to code being downloaded from the C2 server and executed.”
- [T1059.001] Command and Scripting Interpreter – PowerShell is used to download and decrypt the packed DLL when the loader is delivered via VHD, showing scripting interpreter usage. Quote: “executed PowerShell downloading and decrypting the packed DLL itself (packed with a very different packer).”
- [T1497] Virtualization/Sandbox Evasion – Bumblebee performs checks to avoid sandboxing or analyst environments. Quote: “Bumblebee will perform checks to avoid being executed in sandboxing or analyst environments.”
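The two quotes above on the RC4-keyed configuration buffers and on the C2 string that reuses the same key are the parts an analyst usually turns into a configuration extractor. The script below is an added example written for this summary, not Check Point's tooling and not code from the sample: it takes a blob with the layout the report describes (an 80-byte buffer holding a NUL-terminated ASCII key, then two 80-byte sections and one 1024-byte section encrypted with that key), recovers the key, decrypts the three sections, and applies the same key to a captured JSON check-in. Which section holds which configuration field is not stated on the page, so the mapping of the 1024-byte section to a comma-separated C2 list, the `build_sample_*` fixtures, the field names in the sample check-in and the RFC 5737 addresses are all constructed assumptions for the demo.

```python
import json

# Buffer layout as described in the report: one 80-byte key buffer followed by
# two 80-byte sections and one 1024-byte section. Which section holds which
# configuration field is NOT stated on the page; this example only splits and
# decrypts them, and treats the large section as C2 data (an assumption).
KEY_BUF_LEN = 80
SECTION_LENS = (80, 80, 1024)


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("empty RC4 key")
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # keystream generation XORed onto data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def extract_key(key_buf: bytes) -> bytes:
    """The key is an ASCII string much shorter than its 80-byte buffer; read up to the first NUL."""
    key = key_buf.split(b"\x00", 1)[0]
    if not key or any(b < 0x20 or b > 0x7E for b in key):
        raise ValueError("key buffer does not hold a printable ASCII key")
    return key


def parse_config(data_blob: bytes) -> dict:
    """Split the four buffers, recover the RC4 key and decrypt the three encrypted sections."""
    needed = KEY_BUF_LEN + sum(SECTION_LENS)
    if len(data_blob) < needed:
        raise ValueError(f"expected at least {needed} bytes, got {len(data_blob)}")
    key = extract_key(data_blob[:KEY_BUF_LEN])
    sections, off = [], KEY_BUF_LEN
    for length in SECTION_LENS:
        plain = rc4(key, data_blob[off:off + length])
        sections.append(plain.split(b"\x00", 1)[0])   # drop NUL padding
        off += length
    # Assumption for this demo: the 1024-byte section carries a comma-separated C2 list.
    c2_text = sections[2].decode("ascii", errors="replace")
    return {
        "key": key.decode("ascii"),
        "sections": sections,
        "c2_candidates": [h.strip() for h in c2_text.split(",") if h.strip()],
    }


def decrypt_checkin(key: bytes, blob: bytes) -> dict:
    """Decrypt a captured check-in with the configuration key and parse the JSON the report describes."""
    return json.loads(rc4(key, blob).decode("utf-8"))


# --- constructed fixtures (not real sample data) -----------------------------

def build_sample_data_blob(key: bytes, sections: list) -> bytes:
    """Build a .data-style blob with the assumed layout so the parser can be exercised offline."""
    if len(sections) != len(SECTION_LENS):
        raise ValueError("need exactly three sections")
    blob = key.ljust(KEY_BUF_LEN, b"\x00")
    for plain, length in zip(sections, SECTION_LENS):
        blob += rc4(key, plain.ljust(length, b"\x00"))
    return blob


def build_sample_checkin(key: bytes, fields: dict) -> bytes:
    """Encrypt a constructed JSON check-in with the same key, purely as a test fixture."""
    return rc4(key, json.dumps(fields).encode("utf-8"))


if __name__ == "__main__":
    demo_key = b"demo-rc4-key"                 # constructed, not a real key
    blob = build_sample_data_blob(demo_key, [b"demo_group", b"constructed",
                                             b"192.0.2.10:443,192.0.2.11:443"])
    cfg = parse_config(blob)
    print(cfg["key"], cfg["c2_candidates"])
    msg = build_sample_checkin(demo_key, {"group_name": "demo_group", "client_id": "constructed"})
    print(decrypt_checkin(demo_key, msg))
```

Against a real sample the `data_blob` argument would be the bytes at the four pointers the loader resolves, and the printable-ASCII check in `extract_key` is the quick sanity test that the right offset was chosen: a wrong offset yields non-printable bytes and the parser stops before producing garbage C2 strings.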
Indicators of Compromise
- [IP] C2 servers – 104.168.201.219, 142.11.234.230
- [IP] Additional C2 fronts listed – 145.239.30.26, 146.19.173.202
- [Hash] Sample Bumblebee binaries – c70413851599bbcd9df3ce34cc356b66d10a5cbb2da97b488c1b68894c60ea69, 14f04302df7fa49d138c876705303d6991083fd84c59e8a618d6933d50905c61
Read more: https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/