Bumblebee is a sophisticated loader that replaces BazarLoader and delivers payloads such as Cobalt Strike, raw shellcode, Sliver, and Meterpreter, and also drops other malware such as ransomware. It is distributed via spear-phishing emails that lead to ISO downloads, employs extensive anti-analysis tricks, and uses techniques such as DLL injection and C2 beacons to persist and fetch further payloads. #Bumblebee #BazarLoader #ContiRansomware #CobaltStrike #Proofpoint #CybleResearchLabs
Key Points
- Bumblebee acts as a downloader replacing BazarLoader and can deliver Cobalt Strike and other attack tools.
- Infections rise via spam email carrying a link to an ISO file that drops the Bumblebee payload.
- The ISO contents can include Attachments.lnk, Attachments.dat, New Folder.LNK, 7z.exe, arch.7z, and a 64‑bit arch.dll loader.
- Bumblebee uses rundll32.exe, PowerShell, and other commands to execute payloads and load modules.
- Defensive evasion includes sandbox/VM checks, a list of hard-coded sandbox usernames, and anti-VM checks such as GetProcAddress-based Wine detection, all used to abort execution under analysis.
- Persistence and payload delivery rely on scheduled tasks, DLL injection via APC, and downloading additional payloads (e.g., wab.exe).
- Cobalt Strike traffic is observed as part of C2 communications, with WMI data collection and beacon-like behavior.
MITRE Techniques
- [T1566] Phishing – The infection starts via spam email. “The Bumblebee infection starts through spam email.”
- [T1190] Exploit Public-Facing Application – Spear-phishing email contains a hyperlink to download the ISO file and uses OneDrive for delivery. “The HTML attachment contains a link that downloads the ISO file from Microsoft OneDrive.”
- [T1059] Command and Scripting Interpreter – The loader uses command-line and scripting to run payloads (rundll32, PowerShell, etc.). “Target command line: cmd.exe /c start /wait … rundll32.exe Attachments.dat,ProcessLoad”
- [T1497] Virtualization/Sandbox Evasion – Anti-analysis checks including sandbox processes and environment checks. “The malware terminates its execution if it identifies any of these processes running on the victim’s machine.” “GetProcAddress/Sandbox detection”
- [T1053] Scheduled Task/Job – Persistence via scheduled tasks and a VBS script to load the DLL. “creating a VBS script that loads the malicious DLL using a scheduled task.”
- [T1012] Query Registry – Checks registry keys related to Virtual Machine software. “Queries registry keys related to Virtual Machine-related software”
- [T1082] System Information Discovery – Uses WMI to collect system details before exfiltration. “The malware uses WMI queries to collect details such as system details, adapter details, etc.”
- [T1552] Unsecured Credentials – Credential access is listed as a tactic in the mapping. “Unsecured Credentials”
- [T1021] Remote Services – Lateral movement capability cited in the mapping. “Remote Services”
- [T1496] Resource Hijacking – Impact/cleanup actions and resource-related manipulation cited in the mapping. “Resource Hijacking”
Indicators of Compromise
- [Hashes] Analysis hashes – 7092d2c4b041db8009962e865d6c5cd7 (MD5), 11838141f869e74225be8bd0d4c866cb46ef0248 (SHA-1), and 7 more hashes
- [File Names] Files and payloads – New-Folder-00519.img, 7z.exe, arch.7z, New Folder.LNK, arch.dll, wab.exe, and 5 more items
- [IPs] C2 communications – 23.254.229.131, 79.110.52.71, 51.75.62.99, 23.106.215.123
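The execution chain (rundll32.exe loading Attachments.dat via the ProcessLoad export), the VBS-plus-scheduled-task persistence, and the hash, file-name and C2 IP indicators above can be turned into a small triage routine for endpoint telemetry. The following is an added example, not code from Cyble Research Labs or the original post: the event schema (kind, image, cmdline, parent, dst_ip, md5, sha1) is an assumption made for the example rather than any product's real schema, the sample events are constructed, and the hash types are inferred from length (32 hex characters for MD5, 40 for SHA-1). It goes slightly beyond the summary by also showing a benign rundll32 invocation that the rule must not flag.

```python
"""Triage constructed process-creation and network events against the
Bumblebee execution, persistence and C2 behaviours summarised above.

Added example, not code from Cyble or the original post. The event schema is
assumed for the example; the sample events are constructed, not captured
telemetry.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Indicators quoted from the summary. Hash type inferred from length
# (32 hex chars = MD5, 40 hex chars = SHA-1).
IOC_MD5 = {"7092d2c4b041db8009962e865d6c5cd7"}
IOC_SHA1 = {"11838141f869e74225be8bd0d4c866cb46ef0248"}
IOC_C2_IPS = {"23.254.229.131", "79.110.52.71", "51.75.62.99", "23.106.215.123"}
# ISO contents and dropped payload names from the summary. 7z.exe and arch.7z
# look legitimate, so a name hit on its own is low confidence.
IOC_FILENAMES = {"attachments.lnk", "attachments.dat", "new folder.lnk",
                 "7z.exe", "arch.7z", "arch.dll", "wab.exe"}


@dataclass
class Event:
    kind: str              # "process" or "network" (assumed schema)
    image: str = ""        # full path of the created process
    cmdline: str = ""
    parent: str = ""
    dst_ip: str = ""
    md5: str = ""
    sha1: str = ""


# rundll32 <module>,<export> with an optionally quoted module path
RUNDLL32_RE = re.compile(
    r"rundll32(?:\.exe)?\s+\"?(?P<module>[^\s\",]+)\"?\s*,\s*(?P<export>\w+)", re.I)


def rundll32_non_dll_module(cmdline: str) -> Optional[str]:
    """Return 'module,export' when rundll32 is told to load a module whose
    extension is not .dll (the Attachments.dat,ProcessLoad pattern), else None."""
    m = RUNDLL32_RE.search(cmdline)
    if not m or m.group("module").lower().endswith(".dll"):
        return None
    return f"{m.group('module')},{m.group('export')}"


def schtask_runs_script(cmdline: str) -> bool:
    """True when schtasks.exe creates a task whose action is a .vbs script,
    matching the VBS-plus-scheduled-task persistence described above."""
    low = cmdline.lower()
    return "schtasks" in low and "/create" in low and ".vbs" in low


def triage(events: List[Event]) -> List[Tuple[int, str, str]]:
    """Return (event_index, rule_name, detail) for every rule that fires."""
    findings = []
    for i, ev in enumerate(events):
        if ev.kind == "process":
            name = PureWindowsPath(ev.image).name.lower()
            mod = rundll32_non_dll_module(ev.cmdline)
            if name == "rundll32.exe" and mod:
                findings.append((i, "rundll32_non_dll_module", mod))
            if schtask_runs_script(ev.cmdline):
                findings.append((i, "schtask_runs_vbs", ev.cmdline))
            if name in IOC_FILENAMES:
                findings.append((i, "ioc_filename_lowconf", name))
            if ev.md5.lower() in IOC_MD5 or ev.sha1.lower() in IOC_SHA1:
                findings.append((i, "ioc_hash", ev.md5 or ev.sha1))
        elif ev.kind == "network" and ev.dst_ip in IOC_C2_IPS:
            findings.append((i, "c2_ip", ev.dst_ip))
    return findings


# Constructed sample events (paths and task name are made up for the example).
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\rundll32.exe",
          r"rundll32.exe D:\Attachments.dat,ProcessLoad", parent="cmd.exe"),
    Event("process", r"C:\Windows\System32\schtasks.exe",
          r'schtasks.exe /create /tn "Updater" /sc minute /mo 15 '
          r'/tr "wscript.exe C:\Users\Public\load.vbs"'),
    Event("process", r"C:\Windows\System32\rundll32.exe",
          r"rundll32.exe shell32.dll,Control_RunDLL"),  # benign, must not fire
    Event("process", r"C:\Users\Public\wab.exe", "wab.exe",
          md5="7092d2c4b041db8009962e865d6c5cd7"),
    Event("network", dst_ip="23.254.229.131"),
    Event("network", dst_ip="8.8.8.8"),                # unrelated, must not fire
]


def triage_samples() -> List[Tuple[int, str, str]]:
    return triage(SAMPLE_EVENTS)


if __name__ == "__main__":
    for idx, rule, detail in triage_samples():
        print(f"event {idx}: {rule} -> {detail}")
```

The rundll32 rule keys on the module extension rather than the file name, so it still fires if the dropper renames Attachments.dat, while the benign shell32.dll invocation is left alone; the file-name rule is deliberately labelled low confidence because 7z.exe and wab.exe also exist on clean systems.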
Read more: https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/