A May 2022 intrusion used BumbleBee as the initial access vector via a Contact Forms campaign, delivering an ISO containing an LNK and a DLL to load Meterpreter and Cobalt Strike Beacons. The attackers conducted multi-stage post-exploitation including UAC bypass, credential dumping, Zerologon exploitation, and SMB lateral movement, culminating in domain controller disruption before being evicted. #BumbleBee #Meterpreter #CobaltStrike #ZeroLogon #DomainController
Keypoints
- The intrusion began with a contact form campaign that redirected victims to a Google storage site, leading to a downloaded ISO containing an LNK and a DLL that executed BumbleBee via Rundll32.
- Post-exploitation involved loading Meterpreter and then dropping/exec’ing a Cobalt Strike Beacon DLL, with process injection into ImagingDevices.exe and later svchost.exe.
- UAC bypass attempts occurred (WSReset and DelegateExecute), with the WSReset method eventually succeeding to elevate to SYSTEM before spawning a Beacon DLL.
- Credential access involved LSASS dumping (ProcDump64) and reg.exe-based hive dumps (SAM, SECURITY, SYSTEM), followed by discovery using AdFind, nltest, net, and systeminfo.
- Lateral movement leveraged SMB to copy and execute Cobalt Strike DLLs (n23.dll) via services and remote SMB transfers; Zerologon was leveraged to compromise the domain controller, followed by Pass the Hash to operate as a Domain Admin.
- Defense evasion included extensive process injection into legitimate Windows processes and the use of named pipes for Cobalt Strike communications; artifacts were deleted to remove traces.
- Impact included a broken Domain Controller and authentication failures across the domain, with the threat actors evicted after ~19 hours of activity.
MITRE Techniques
- [T1566.002] Spearphishing Link – The intrusion began with a contact form on a website, enticing the user to download malicious files. “The intrusion in this case began with a link to a google domain, storage.googleapis.com.”
- [T1218.011] Rundll32 – LNK loads the BumbleBee DLL via Rundll32 execution. “When the LNK is double-clicked, the BumbleBee DLL is executed via rundll32.”
- [T1059.003] Windows Command Shell – The LNK payload executes via a Windows command shell call. “cmd.exe /c start rundll32.exe mkl2n.dll,kXlNkCKgFC”
- [T1055] Process Injection – ImagingDevices.exe injects into svchost.exe using NtAllocateVirtualMemoryRemoteApiCall. “ImagingDevices.exe injection into ‘svchost.exe -k UnistackSvcGroup -s WpnUserService’ using NtAllocateVirtualMemoryRemoteApiCall.”
- [T1003.001] LSASS Memory – Credential dumping from LSASS using procdump64. “procdump64.exe -accepteula -ma lsass.exe C:\ProgramData\lsass.dmp”
- [T1047] Windows Management Instrumentation – Discovery via WMI-based tooling (WmiPrvSE) and system enumeration observed in the execution flow. “ImagingDevices.exe was launched via WmiPrvSE.exe and a Meterpreter agent was injected.”
- [T1068] Exploitation for Privilege Escalation – Zerologon exploit against the domain controller. “launched an exploit against the primary domain controller targeting the Zerologon (CVE-2020-1472) vulnerability.”
- [T1550.002] Pass the Hash – Using a compromised credential to operate as a Domain Admin. “Pass the Hash to begin working in the context of a user who was a member of the Domain Admins group.”
- [T1135] Network Share Discovery – Invoke-Sharefinder used to identify shares. “Invoke-Sharefinder was executed with the output being written to disk.”
- [T1569.002] Service Execution – Cobalt Strike beacon DLLs are written and executed via a service. “a Cobalt Strike Beacon DLL was written over SMB to another Domain Controller and executed via a service.”
- [T1021.002] SMB/Windows Admin Shares – Lateral movement over SMB to transfer DLLs to C$\ProgramData. “Lateral movement was then performed over SMB, to transfer a Cobalt Strike Beacon DLL’s to other workstation’s C$\ProgramData.”
- [T1071.001] Web Protocols – C2 communications over HTTPS with multiple C2 servers. “Web Protocols – TLS over HTTPS (Beacon Type 8 (HTTPS)), C2 Server Configs with 443.”
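The process-creation patterns listed above (cmd.exe starting rundll32, rundll32 loading a DLL by bare filename, ProcDump targeting lsass.exe, and reg.exe saving the SAM/SECURITY/SYSTEM hives) are straightforward to hunt for in endpoint telemetry. The following is an added example, not code from The DFIR Report or from the original article: it applies four small rules to constructed Sysmon-style process-creation records (host, parent image, image, command line) and tags each hit with the technique ID used on this page. The field names, the `ProcEvent` class and the sample events are assumptions made for the example; the command lines are modelled on the ones quoted above.

```python
"""Added example (not part of the original report): hunt for the
process-creation patterns described on this page in Sysmon-style records."""
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass
class ProcEvent:
    # Assumed field layout, mirroring Sysmon Event ID 1 (process creation).
    host: str
    parent_image: str
    image: str
    command_line: str

def basename(path: str) -> str:
    """Lower-cased file name of an image path (handles / and \\)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

# rundll32 <dll>,<export>: capture the DLL argument and the export name.
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+([^\s,]+\.dll),(\S+)", re.I)
# reg save of the three hives needed for offline credential extraction.
REG_HIVE_RE = re.compile(r"\breg(?:\.exe)?\s+save\s+HKLM\\(SAM|SECURITY|SYSTEM)\b", re.I)

def cmd_start_rundll32(e: ProcEvent) -> bool:
    """T1059.003: cmd.exe used to launch rundll32 via 'start'."""
    return basename(e.image) == "cmd.exe" and \
        re.search(r"\bstart\s+rundll32", e.command_line, re.I) is not None

def rundll32_bare_dll(e: ProcEvent) -> bool:
    """T1218.011: rundll32 loading a DLL given by bare name (no path),
    i.e. resolved from the current directory such as a mounted ISO."""
    if basename(e.image) != "rundll32.exe":
        return False
    m = RUNDLL_RE.search(e.command_line)
    return bool(m) and "\\" not in m.group(1)

def lsass_dump_cmdline(e: ProcEvent) -> bool:
    """T1003.001: any non-lsass process naming lsass on its command line
    (ProcDump's '-ma lsass.exe' is the case from this intrusion)."""
    return basename(e.image) != "lsass.exe" and \
        re.search(r"\blsass(?:\.exe)?\b", e.command_line, re.I) is not None

def reg_save_hive(e: ProcEvent) -> bool:
    """T1003 (reg.exe hive dump, as in the key points above)."""
    return basename(e.image) == "reg.exe" and REG_HIVE_RE.search(e.command_line) is not None

RULES: List[Tuple[str, str, Callable[[ProcEvent], bool]]] = [
    ("T1059.003", "cmd_start_rundll32", cmd_start_rundll32),
    ("T1218.011", "rundll32_bare_dll", rundll32_bare_dll),
    ("T1003.001", "lsass_dump_cmdline", lsass_dump_cmdline),
    ("T1003", "reg_save_hive", reg_save_hive),
]

def scan(events: List[ProcEvent]) -> List[Tuple[str, str, str, str]]:
    """Return (technique, rule, host, command_line) for every matching event."""
    hits = []
    for e in events:
        for technique, name, pred in RULES:
            if pred(e):
                hits.append((technique, name, e.host, e.command_line))
    return hits

# Constructed sample telemetry; the first four lines follow the commands
# quoted on this page, the last two are benign noise that must not fire.
SAMPLE_EVENTS = [
    ProcEvent("ws01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c start rundll32.exe mkl2n.dll,kXlNkCKgFC"),
    ProcEvent("ws01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe mkl2n.dll,kXlNkCKgFC"),
    ProcEvent("ws01", r"C:\Windows\System32\cmd.exe", r"C:\ProgramData\procdump64.exe",
              r"procdump64.exe -accepteula -ma lsass.exe C:\ProgramData\lsass.dmp"),
    ProcEvent("ws01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\reg.exe",
              r"reg save HKLM\SAM C:\ProgramData\sam.save"),
    ProcEvent("ws01", r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe",
              r"svchost.exe -k UnistackSvcGroup -s WpnUserService"),
    ProcEvent("ws01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\WScript.exe",
              r"wscript.exe C:\Users\bob\login.vbs"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(" | ".join(hit))
```

The bare-DLL rule deliberately ignores rundll32 invocations that give a full path, so the many legitimate `rundll32.exe C:\Windows\System32\...` launches do not fire; a DLL resolved from the working directory is the telltale of the ISO/LNK delivery described in the key points. The lsass rule is intentionally broad (any process naming lsass) and is meant to be reviewed rather than auto-blocked.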
Indicators of Compromise
- [Network] – Victim communications and C2 endpoints: 45.153.243.93:443, 213.232.235.199:443; Cobalt Strike domains/hosts: cevogesu.com at 172.93.201.12:443, titojukus.com at 23.106.215.100:443; Meterpreter host: ec2-3-16-159-37.us-east-2.compute.amazonaws.com at 3.16.159.37:80 and 3.16.159.37:44
- [Domains] – cevogesu.com, titojukus.com, hackett.llc.com
- [Files] – documents.lnk, mkl2n.dll, n23.dll, StolenImages_Evidence.iso, wSaAHJzLLT.exe
- [Hashes] – 3c600328e1085dc73d672d068f3056e79e66bec7020be6ae907dd541201cd167, f7bfde050c81d47d79febdb170f307f447e76253715859727beff889d2a91694
Read more: https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter/