BumbleBee Roasts Its Way to Domain Admin

An April 2022 intrusion saw BumbleBee act as the initial access loader, enabling multi-stage payloads and outbound C2 communication within a Windows environment. The operation featured credential dumping, Kerberoasting, privilege escalation tooling, and Cobalt Strike-based command and control, with AnyDesk persistence and lateral movement that could have led to domain-wide ransomware if allowed to continue. #BumbleBee #EXOTICLILY #FIN12 #WIZARDSPIDER #DEV-0193 #CobaltStrike #AnyDesk #Kerberoasting

Keypoints

  • Delivery of the initial payload via a password-protected ISO with a document.lnk that executes namr.dll, the BumbleBee loader.
  • Cobalt Strike beacon wab.exe dropped on the beachhead and then injected into explorer.exe and rundll32.exe for further actions.
  • Remote access and persistence achieved through AnyDesk, with RDP used to move laterally to a server using a local Administrator account.
  • Active Directory and Windows discovery performed using AdFind, VulnRecon, and Seatbelt, with multiple credential and host discovery steps.
  • Credential dumping of LSASS using Procdump and comsvcs.dll MiniDump, followed by deletion of tools from hosts.
  • Kerberoasting via Invoke-Kerberoast to extract Kerberos tickets, including offline password cracking against service accounts.
  • Lateral movement and data collection via SMB/Windows Admin Shares, CreateServiceA remote service, and Cobalt Strike PsExec/jump, with two C2 servers observed.

MITRE Techniques

  • [T1566.001] Phishing: Attachment – The intrusion likely arrived via an email with a link to download a password-protected ISO: “… likely arrived via an email which included a link to download said zip file.”
  • [T1059.003] Windows Command Shell – Execution via command line: “C:\Windows\System32\cmd.exe /c start rundll32 namr.dll,IternalJob”
  • [T1218.011] Signed Binary Proxy Execution: Rundll32 – Loader executed via rundll32: “… rundll32 namr.dll,IternalJob …”
  • [T1055] Process Injection – wab.exe injected into explorer.exe and rundll32.exe, enabling post-exploitation tasks.
  • [T1021.001] Remote Desktop Protocol – Lateral movement to a server using the local Administrator account: “… used RDP to access a server using the local Administrator account.”
  • [T1219] Remote Access Software – AnyDesk used for persistence: “AnyDesk, which was the only observed persistence mechanism used during the intrusion.”
  • [T1082] System Information Discovery – Discovery commands executed by the beacon (whoami, ipconfig /all, systeminfo, etc.).
  • [T1047] Windows Management Instrumentation – WMI-based enumeration and execution: “… executed by WMI”
  • [T1018] Remote System Discovery / System Network Configuration Discovery – Network/system discovery via commands and AdFind to identify targets.
  • [T1069.002] Domain Groups / Account Discovery – AdFind and group enumeration of Domain/Enterprise admins.
  • [T1558.003] Kerberos Kerberoasting – Invoke-Kerberoast to obtain Kerberos tickets for password cracking.
  • [T1003.001] Credential Dumping: LSASS – Procdump/MiniDump used to dump LSASS memory.
  • [T1056] Privilege Escalation: GetSystem – “GetSystem” usage to elevate to SYSTEM.
  • [T1021.002] SMB/Windows Admin Shares – Remote services over RPC for lateral movement (e.g., CreateServiceA).
  • [T1570] Lateral Tool Transfer – Transfer of tools like AnyDesk and Procdump between hosts.
  • [T1059.001] PowerShell – PowerShell beacon download/execution in memory: “C:\Windows… powershell.exe -nop -w hidden -c …”
  • [T1543.003] Create or Modify System Process: Windows Service – Remote service creation on a server/DC via RPC.
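The Kerberoasting step above (Invoke-Kerberoast pulling service tickets for offline cracking) leaves a distinctive footprint on domain controllers: one requester obtaining RC4-HMAC (etype 0x17) service tickets for many distinct SPNs in a short window in Security event 4769. The detection logic below is an added example, not code from the report or from Invoke-Kerberoast; the window and threshold values, the field names and the sample events are assumptions constructed for illustration.

```python
# Added example (not the report's code): flag requesters that obtain RC4 service
# tickets for many distinct SPNs in a short window, the Security event 4769
# footprint that Invoke-Kerberoast leaves on a domain controller.
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"              # TicketEncryptionType requested by default roasting tools
WINDOW = timedelta(minutes=5)  # assumed tuning values; adjust per environment
MIN_DISTINCT_SPNS = 5

def detect_kerberoast(events, window=WINDOW, threshold=MIN_DISTINCT_SPNS):
    """Return (account, client_ip, distinct_spn_count) for each requester that
    obtained RC4 service tickets for >= threshold distinct services within window."""
    by_requester = defaultdict(list)
    for ev in events:
        if ev["EventID"] != 4769 or ev["TicketEncryptionType"] != RC4_HMAC:
            continue
        if ev["ServiceName"].lower().startswith("krbtgt"):
            continue  # TGT-related noise, not a crackable service ticket
        key = (ev["TargetUserName"], ev["IpAddress"])
        by_requester[key].append((datetime.fromisoformat(ev["TimeCreated"]), ev["ServiceName"]))
    hits = []
    for (account, ip), reqs in by_requester.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):  # sliding window over time-sorted requests
            spns = {spn for t, spn in reqs[i:] if t - t0 <= window}
            if len(spns) >= threshold:
                hits.append((account, ip, len(spns)))
                break
    return hits

def sample_events():
    """Constructed 4769 records: one workstation roasting six SPNs in 30 seconds,
    plus benign AES (0x12) ticket requests from a file server."""
    base = datetime(2022, 4, 5, 9, 12, 0)
    def ev(sec, user, ip, spn, etype):
        return {"EventID": 4769, "TimeCreated": (base + timedelta(seconds=sec)).isoformat(),
                "TargetUserName": user, "IpAddress": ip, "ServiceName": spn,
                "TicketEncryptionType": etype}
    roast = [ev(5 * i, "jdoe@CORP.LOCAL", "10.0.0.25", spn, RC4_HMAC)
             for i, spn in enumerate(["svc_sql", "svc_web", "svc_backup", "svc_ctx", "svc_iis", "svc_rpt"])]
    roast.append(ev(31, "jdoe@CORP.LOCAL", "10.0.0.25", "krbtgt", RC4_HMAC))  # filtered out
    benign = [ev(10, "FS01$@CORP.LOCAL", "10.0.0.40", "svc_sql", "0x12"),
              ev(40, "FS01$@CORP.LOCAL", "10.0.0.40", "svc_web", "0x12")]
    return roast + benign
```

Service accounts that legitimately use RC4 will also trip the etype filter, so baseline per environment and pair the alert with the source host's process telemetry (for example the PowerShell execution noted above).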

Indicators of Compromise

  • [IP] Network indicators – 142.91.3[.]109, 45.140.146[.]30 (Cobalt/BumbleBee beacons).
  • [IP] C2/HTTP traffic hosting – 104.243.33[.]50 (CS C2 hosting).
  • [Domain] Command and Control – fuvataren[.]com, dofixifa[.]co (CS C2s).
  • [Domain] Additional C2/domain references – dofixifa.com, fuvataren.com (CS config).
  • [File] document.lnk – LNK document used to trigger the loader.
  • [File] namr.dll – BumbleBee loader, the hidden DLL inside the ISO that document.lnk launches via rundll32.
  • [File] wab.exe – Cobalt Strike beacon dropped on the beachhead.
  • [File] procdump64.exe – LSASS dumping tool transferred and used remotely.
  • [File] VulnRecon.exe/.dll – Custom tool for privilege escalation enumeration.
  • [File] BC_invoice_Report_CORP_46.iso – Initial ISO payload.
  • [Hash] f856d7e7d485a2fc5b38faddd8c6ee5c – namr.dll (loader).
  • [Hash] c68e4d5eaae99d6f0a51eec48ace79a4fede3c09 – namr.dll (loader).
  • [Hash] c68437cc9ed6645726119c12fdcb33e7 – wab.exe (Cobalt Strike beacon).
  • [Hash] 5839b4013cf6e25568f13d3fc4120795 – VulnRecon.exe (privilege enumeration).
  • [Hash] 5226b7138f4dd1dbb9f6953bd75a320b – BC_invoice_Report_CORP_46.iso (initial payload).

Read more: https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/