Bumblebee malware was distributed via trojanized MSI installers for Zoom, Cisco AnyConnect, ChatGPT, and Citrix Workspace; a malicious Google Ad chain and a compromised WordPress site drove victims to fake download pages. The installer drops a PowerShell script that reflectively loads the Bumblebee payload into memory, after which the operators deployed Cobalt Strike together with AnyDesk and DameWare, persisted via a scheduled task, and ran credential and network reconnaissance of the kind that typically precedes ransomware deployment. #Bumblebee #CiscoAnyConnect #ChatGPT #Zoom #CitrixWorkspace #CobaltStrike
Keypoints
- Bumblebee malware is being distributed via trojanized installers for widely used software (Zoom, Cisco AnyConnect, ChatGPT, Citrix Workspace).
- Infection chains began with malicious Google Ads that redirected users to a fake download page hosted on a compromised WordPress site.
- The MSI installers bundle the legitimate product installer (e.g., FILE_InstallMeCisco renamed to CiscoSetup.exe) alongside the loader script (cisco2.ps1), so the expected application really installs while the malicious script runs.
- The embedded PowerShell script reuses renamed functions from PowerSploit's ReflectivePEInjection.ps1 and loads the Bumblebee payload reflectively into memory, so the payload never has to be written to disk as a separate file.
- After the initial compromise, the operators deployed Cobalt Strike along with the legitimate AnyDesk and DameWare remote access tools, created a scheduled task named WindowsSensor15 to persist Cobalt Strike, and staged a Kerberoasting script, an Active Directory dump script, and a network scanner (netscanold.exe) for reconnaissance.
- Indicators of compromise include domains (appcisco.com, baveyek.com), numerous file hashes, and a long list of C2 IPs/domains associated with Bumblebee activity.
MITRE Techniques
- [T1189] Drive-by Compromise - Malicious Google Ads and a compromised WordPress site redirected users to a fake download page. Quote: "an infection chain that began with a malicious Google Ad sent the user to this fake download page via a compromised WordPress site." No browser exploit is described: the victim still has to download and run the trojanized MSI, so the execution step is better captured by T1204.002 (User Execution: Malicious File), with the ad chain serving as the lure.
- [T1036] Masquerading - Files inside the MSI are renamed to look like legitimate components: the real Cisco installer becomes CiscoSetup.exe and the loader script is named cisco2.ps1. Quote: "FILE_InstallMeCisco (renamed to CiscoSetup.exe) is a legitimate installer for the Cisco AnyConnect VPN Secure Mobility Client application."
- [T1059.001] PowerShell - The PowerShell script contains renamed functions copied from PowerSploit's ReflectivePEInjection.ps1; renaming defeats signatures on the PowerSploit function names but not on the Win32 API names (VirtualAlloc, GetProcAddress and the like) that the loader must still resolve. Quote: "The PowerShell script contains a selection of renamed functions copied from the PowerSploit ReflectivePEInjection.ps1 script."
- [T1620] Reflective Code Loading - The Bumblebee payload is loaded reflectively into memory by the PowerShell script. Quote: "and a Bumblebee malware payload that it reflectively loads into memory."
- [T1053.005] Scheduled Task - A task named WindowsSensor15 is used as the persistence mechanism for Cobalt Strike. Quote: "a Scheduled Task named WindowsSensor15 as a persistence mechanism for Cobalt Strike."
- [T1219] Remote Access Software - The attackers deployed Cobalt Strike together with the legitimate AnyDesk and DameWare remote access tools to keep interactive access and move between hosts (T1021 Remote Services covers native protocols such as RDP and SMB; third-party tools like these fall under T1219). Quote: "deploying Cobalt Strike as well as the legitimate AnyDesk and DameWare remote access tools."
- [T1558.003] Kerberoasting - pshashes.txt likely facilitates Kerberoasting attacks. Quote: "pshashes.txt, which is likely a script for conducting Kerberoasting attacks."
- [T1003.003] OS Credential Dumping: NTDS - A batch script dumps the contents of the Active Directory database. Quote: "a batch script to dump the contents of the Active Directory database." If the script only enumerated directory objects rather than extracting ntds.dit, T1087.002 (Account Discovery: Domain Account) is the closer mapping.
- [T1046] Network Service Discovery - A network scanning utility (netscanold.exe) is used for discovery. Quote: "a network scanning utility (netscanold.exe)."
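The techniques above leave host-side traces that survive the operators' renaming: the masquerade file names, the scheduled task name, the remote access tool binaries, and the Win32 API strings a PowerSploit-derived reflective loader has to reference. The following hunt is an added example written for this summary, not Secureworks' code or tooling. It runs over constructed stand-ins for Windows event records (Event IDs 4688 process creation, 4698 scheduled task created, and 4104 PowerShell script block logging are the standard ones); the DameWare image name dwrcs.exe, the sample paths, and the task command are assumptions used only for the illustration.

```python
"""Host-side hunt for the tradecraft mapped above (T1036, T1620, T1053.005, T1219).

Added example, not Secureworks' code. SAMPLE_EVENTS are constructed, not real
telemetry; dwrcs.exe is assumed as DameWare's service image name.
"""
import re

TASK_NAME = "WindowsSensor15"                      # persistence task named in the write-up
MASQUERADE_NAMES = {"ciscosetup.exe", "cisco2.ps1", "pshashes.txt", "netscanold.exe"}
REMOTE_TOOLS = {"anydesk.exe", "dwrcs.exe"}        # dwrcs.exe is an assumption for DameWare

# PowerSploit's reflective loader can have its PowerShell functions renamed, but it
# still has to resolve these Win32 exports and use Marshal to map the PE, so the
# strings survive in 4104 script block text.
REFLECTIVE_MARKERS = (
    "VirtualAlloc",
    "VirtualProtect",
    "GetProcAddress",
    "GetModuleHandle",
    "CreateThread",
    "GetDelegateForFunctionPointer",
)
REFLECTIVE_THRESHOLD = 3   # distinct markers needed before a script block is flagged


def reflective_markers(script_text):
    """Return the distinct loader API strings present in a script block."""
    return [m for m in REFLECTIVE_MARKERS if m in script_text]


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def hunt(events):
    """Map event dicts to (technique, reason) findings.

    Each event carries an ``id`` and the fields a SIEM would normalise:
    4688 -> image, cmdline; 4698 -> task_name, command; 4104 -> script.
    """
    findings = []
    for ev in events:
        eid = ev.get("id")
        if eid == 4688:
            image = basename(ev.get("image", ""))
            cmdline = ev.get("cmdline", "").lower()
            if image in MASQUERADE_NAMES or any(n in cmdline for n in MASQUERADE_NAMES):
                findings.append(("T1036", f"masquerading file name in process creation: {ev.get('image')}"))
            if image in REMOTE_TOOLS:
                findings.append(("T1219", f"remote access tool started: {ev.get('image')}"))
        elif eid == 4698:
            if ev.get("task_name", "").lower() == TASK_NAME.lower():
                findings.append(("T1053.005", f"scheduled task {ev.get('task_name')} created: {ev.get('command')}"))
        elif eid == 4104:
            hits = reflective_markers(ev.get("script", ""))
            if len(hits) >= REFLECTIVE_THRESHOLD:
                findings.append(("T1620", "script block resolves loader APIs: " + ", ".join(hits)))
    return findings


# Constructed sample events (not real telemetry); paths and task command are invented.
SAMPLE_EVENTS = [
    {"id": 4688, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\u\Downloads\cisco-anyconnect-4_9_0195.msi"'},
    {"id": 4688, "image": r"C:\Users\u\AppData\Local\Temp\CiscoSetup.exe", "cmdline": "CiscoSetup.exe"},
    {"id": 4688, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ep bypass -f C:\Users\u\AppData\Local\Temp\cisco2.ps1"},
    {"id": 4104, "script": "$va = [Win32]::VirtualAlloc(...); $gpa = GetProcAddress ...; "
                           "[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(...); CreateThread"},
    {"id": 4698, "task_name": "WindowsSensor15", "command": r"C:\ProgramData\update.exe"},
    {"id": 4688, "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "cmdline": "AnyDesk.exe"},
    {"id": 4104, "script": "Get-ChildItem C:\\ | Sort-Object Length"},   # benign: no loader APIs
]

if __name__ == "__main__":
    for technique, reason in hunt(SAMPLE_EVENTS):
        print(technique, reason)
```

The marker threshold is the important design choice: a single API name such as VirtualAlloc appears in plenty of legitimate PowerShell, but three or more of the loader's resolution targets in one script block, alongside a process chain that started from a masquerading installer, is a much stronger signal than any one string.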
Indicators of Compromise
- [Domain name] appcisco.com - Bumblebee malware staging server
- [Domain name] baveyek.com - Cobalt Strike C2 server
- [MD5 hash] e4a5383ac32d5642eaf2c7406a0f1c0f - MSI file (cisco-anyconnect-4_9_0195.msi) containing Bumblebee malware
- [MD5 hash] 522c0b0d445c62cdeb0a80bcce645d57 - MSI file (ProductCitrix.msi) containing Bumblebee malware
- [Hash, algorithm unverified] 3e5637d253c40aefdb0465df15bc057e - MSI file (cisco-anyconnect-4_9_0195.msi) containing Bumblebee malware; listed as SHA1, but the value is 32 hex characters (MD5 length, not the 40 of SHA1), so confirm the algorithm against the source before use
- [Hash, algorithm unverified] 5dad52c67d114f7a3a5a1e7ae5b15b58 - MSI file (ProductCitrix.msi) containing Bumblebee malware; listed as SHA1, but the value is 32 hex characters (MD5 length, not the 40 of SHA1), so confirm the algorithm against the source before use
- [SHA256 hash] d99b63e1740aa4f779b91d22f508a4792f237f09413d24b51144e0694af5d34f - MSI file (cisco-anyconnect-4_9_0195.msi) containing Bumblebee malware
- [Hash, algorithm unverified] 9982330ae990386cd74625f0eaa26ae6 - MSI file (ChatGPT_Setup.msi) containing Bumblebee malware; listed as SHA256, but the value is 32 hex characters (MD5 length, not the 64 of SHA256), so confirm the algorithm against the source before use
- [IP address] 173.44.141.131 - C2 server associated with Bumblebee activity (February 2023)
- [IP address] 23.82.140.131 - Hosting Cobalt Strike C2 server (February 2023)
- [IP address:port] 172.93.193.3:443 - C2 server extracted from Bumblebee configuration data (February 2023)
- [IP address:port] 23.81.246.22:443 - C2 server extracted from Bumblebee configuration data (February 2023)
- [IP address:port] 95.168.191.134:443 - C2 server extracted from Bumblebee configuration data (February 2023)
- [IP address:port] 104.168.175.78:443 - C2 server extracted from Bumblebee configuration data (February 2023)
- [IP address:port] 172.93.193.46:443 - C2 server extracted from Bumblebee configuration data (February 2023)
- [IP address:port] 157.254.194.104:443 - C2 server extracted from Bumblebee configuration data (February 2023)
- [IP address:port] 37.28.157.29:443 - C2 server extracted from Bumblebee configuration data (February 2023)
- [IP address:port] 23.106.124.23:443 - C2 server extracted from Bumblebee configuration data (February 2023)
- [IP address:port] 194.135.33.182:443 - C2 server extracted from Bumblebee configuration data (February 2023)
- [IP address:port] 54.38.139.94:443 - C2 server extracted from Bumblebee configuration data (February 2023)
- [IP address:port] 192.119.65.175:443 - C2 server extracted from Bumblebee configuration data (February 2023)
- [IP address:port] 107.189.8.58:443 - C2 server extracted from Bumblebee configuration data (February 2023)
- [IP address:port] 205.185.114.241:443 - C2 server extracted from Bumblebee configuration data (February 2023)
- [IP address:port] 104.168.171.159:443 - C2 server extracted from Bumblebee configuration data (February 2023)
- [IP address:port] 103.144.139.159:443 - C2 server extracted from Bumblebee configuration data (February 2023)
- [IP address:port] 91.206.178.204:443 - C2 server extracted from Bumblebee configuration data (February 2023)
- [IP address:port] 198.98.58.184:443 - C2 server extracted from Bumblebee configuration data (February 2023)
- [IP address:port] 172.241.27.120:443 - C2 server extracted from Bumblebee configuration data (February 2023)
- [IP address:port] 23.106.223.197:443 - C2 server extracted from Bumblebee configuration data (February 2023)
- [IP address:port] 23.108.57.83:443 - C2 server extracted from Bumblebee configuration data (February 2023)
- [IP address:port] 54.37.131.232:443 - C2 server extracted from Bumblebee configuration data (February 2023)
- [IP address:port] 23.82.128.11:443 - C2 server extracted from Bumblebee configuration data (February 2023)
- [IP address:port] 160.20.147.91:443 - C2 server extracted from Bumblebee configuration data (February 2023)
- [IP address:port] 103.175.16.10:443 - C2 server extracted from Bumblebee configuration data (February 2023)
- [IP address] 45.61.187.225 - C2 server extracted from Bumblebee configuration data (March 2023)
- [IP address] 91.206.178.68 - C2 server extracted from Bumblebee configuration data (March 2023)
- [IP address] 193.109.120.252 - C2 server extracted from Bumblebee configuration data (March 2023)
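Before an indicator list like the one above goes into a blocklist or a retro-hunt, it is worth validating it mechanically: a digest whose length does not match its stated algorithm, or an IPv4 address filed under "Domain name", will silently fail to match in most tooling. The script below is an added example written for this summary, not Secureworks' code. IOC_TEXT copies a handful of the entries in the list's own line format and deliberately includes a 32-character value labelled SHA1 and an IPv4 address labelled as a domain so the validation has something to catch; SAMPLE_LOGS are constructed key=value firewall and DNS records, not any vendor's format.

```python
"""Parse, sanity-check and apply an IOC list in the bullet format used above.

Added example, not Secureworks' code. IOC_TEXT is an excerpt with two entries
intentionally mislabelled; SAMPLE_LOGS are constructed records.
"""
import re
from collections import defaultdict

# Hex-digit length each algorithm's digest must have.
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64}
ANY_DIGEST = re.compile(r"[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64}")
IOC_LINE = re.compile(r"^- \[(?P<type>[^\]]+)\] (?P<value>\S+)")
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

# Constructed excerpt of the indicator list (two entries intentionally mislabelled).
IOC_TEXT = """
- [Domain name] appcisco.com - Bumblebee malware staging server
- [Domain name] baveyek.com - Cobalt Strike C2 server
- [MD5 hash] e4a5383ac32d5642eaf2c7406a0f1c0f - MSI file (cisco-anyconnect-4_9_0195.msi)
- [SHA1 hash] 3e5637d253c40aefdb0465df15bc057e - MSI file (cisco-anyconnect-4_9_0195.msi)
- [SHA256 hash] d99b63e1740aa4f779b91d22f508a4792f237f09413d24b51144e0694af5d34f - MSI file
- [Domain name] 23.82.140.131 - Hosting Cobalt Strike C2 server
- [IP address:port] 172.93.193.3:443 - C2 server extracted from Bumblebee configuration data
- [IP address] 45.61.187.225 - C2 server extracted from Bumblebee configuration data
"""


def parse_iocs(text):
    """Return ({kind: set(values)}, [(label, value, problem), ...]).

    Mislabelled hashes are still kept, because the digest itself still matches;
    the problem list tells the analyst which labels to correct at the source.
    """
    iocs = defaultdict(set)
    problems = []
    for line in text.splitlines():
        m = IOC_LINE.match(line.strip())
        if not m:
            continue
        kind, value = m.group("type"), m.group("value")
        if "hash" in kind.lower():
            expected = HASH_LENGTHS.get(kind.split()[0].upper())   # "SHA1 hash" -> 40
            if expected and len(value) != expected:
                problems.append((kind, value, f"expected {expected} hex chars, got {len(value)}"))
            if ANY_DIGEST.fullmatch(value):
                iocs["hash"].add(value.lower())
            else:
                problems.append((kind, value, "not a recognisable hex digest"))
        elif kind.startswith("IP address"):
            if kind.endswith(":port"):
                iocs["ip_port"].add(value)
            iocs["ip"].add(value.split(":")[0])   # bare IP matches on any port
        elif kind.startswith("Domain"):
            if IPV4.fullmatch(value):
                problems.append((kind, value, "labelled as a domain but is an IPv4 address"))
                iocs["ip"].add(value)
            else:
                iocs["domain"].add(value.lower())
    return iocs, problems


PROXY_LINE = re.compile(r"dst=(?P<ip>[\d.]+) dport=(?P<port>\d+)")
DNS_LINE = re.compile(r"query=(?P<name>[\w.-]+)")


def match_logs(iocs, lines):
    """Return (kind, indicator, line) for every log line that touches a known IOC.

    An IP:port indicator also matches through the bare-IP set, so a beacon to a
    known host on an unexpected port is not missed.
    """
    hits = []
    for line in lines:
        m = PROXY_LINE.search(line)
        if m:
            ip_port = f"{m['ip']}:{m['port']}"
            if ip_port in iocs["ip_port"] or m["ip"] in iocs["ip"]:
                hits.append(("network", ip_port, line))
        m = DNS_LINE.search(line)
        if m and m["name"].lower() in iocs["domain"]:
            hits.append(("dns", m["name"], line))
    return hits


# Constructed log records; 203.0.113.9 and www.example.com are benign placeholders.
SAMPLE_LOGS = [
    "2023-02-14T10:21:33Z src=10.0.0.5 dst=172.93.193.3 dport=443 action=allow",
    "2023-02-14T10:21:40Z src=10.0.0.5 dst=203.0.113.9 dport=443 action=allow",
    "2023-02-14T10:25:02Z src=10.0.0.5 query=baveyek.com type=A",
    "2023-02-14T10:25:09Z src=10.0.0.5 query=www.example.com type=A",
    "2023-02-14T10:30:11Z src=10.0.0.7 dst=23.82.140.131 dport=8443 action=allow",
    "2023-03-02T08:02:15Z src=10.0.0.9 dst=45.61.187.225 dport=443 action=allow",
]

if __name__ == "__main__":
    iocs, problems = parse_iocs(IOC_TEXT)
    for p in problems:
        print("IOC label problem:", p)
    for hit in match_logs(iocs, SAMPLE_LOGS):
        print("HIT", hit)
```

Run against the full list, the length check flags the three 32-character digests that are labelled SHA1 or SHA256; matching still works on them because the digest is used as-is, but the label should be fixed before the indicators are shared further.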
Read more: https://www.secureworks.com/blog/bumblebee-malware-distributed-via-trojanized-installer-downloads