Projector Libra (EXOTIC LILY) distributes Bumblebee through email campaigns that hand the payload off via a file-sharing service (TransferXL), replacing its earlier loader BazarLoader. The chain runs from an ISO image containing a Windows shortcut, to a PowerShell command, to 7za.exe extracting a password-protected archive, to rundll32 loading the Bumblebee DLL, often followed by Cobalt Strike and potential ransomware deployment; this overview highlights the attack flow and defenses. Hashtags: #Bumblebee #ProjectorLibra #EXOTICLILY #TransferXL #CobaltStrike #Conti #Diavol #BazarLoader
Keypoints
- Bumblebee replaced BazarLoader in 2022 and is distributed by Projector Libra/EXOTIC LILY via file-sharing services after direct email outreach.
- Projector Libra conducts targeted email exchanges to establish correspondence before delivering malware through a file-sharing link (TransferXL).
- Infections use ISO images containing a Windows shortcut (Attachments.lnk) that runs a PowerShell command; that command runs 7za.exe (a copy of the 7-Zip standalone console binary) to extract Bumblebee (19a.dll) from a password-protected 7-Zip archive, and the DLL is then loaded with rundll32.
- Post-infection activity commonly includes Cobalt Strike in the AD environment, enabling mapping of the victim’s network and potential lateral movement leading to ransomware like Conti or Diavol.
- All observed traffic from this infection is HTTPS: Bumblebee C2 on 54.38.139.20:443, and Cobalt Strike C2 on 45.153.243.142:443 using the domain fuvataren.com.
- Explicit IOCs include SHA-256 hashes, file names (SOW_2.iso, Attachments.lnk, 7za.exe, archive.7z, 19a.dll) and the TransferXL download URL used in the campaign.
MITRE Techniques
- [T1566.003] Phishing: Spearphishing via Service – The payload link is delivered through TransferXL, so the lure arrives as a notification from the file-sharing service rather than from the attacker's mailbox. “The victim then receives an email generated by the file sharing service.”
- [T1204.002] User Execution: Malicious File – The victim must mount the ISO and open Attachments.lnk, which starts the chain. “Attachments.lnk executes a PowerShell command to run a copy of the 7-Zip standalone console file named 7za.exe.”
- [T1059.001] Command and Scripting Interpreter: PowerShell – The shortcut's target is a PowerShell command that runs 7za.exe and extracts the payload. “Attachments.lnk executes a PowerShell command to run a copy of the 7-Zip standalone console file named 7za.exe.”
- [T1027] Obfuscated Files or Information – The Bumblebee DLL is shipped inside a password-protected 7-Zip archive, which keeps mail and endpoint scanners from inspecting its contents. “password-protected 7-Zip archive (.7Z file).”
- [T1218.011] System Binary Proxy Execution: Rundll32 – The Bumblebee DLL is executed using rundll32 with oxgdXPSGPw as the EntryPoint. “The Bumblebee DLL is executed using rundll32 and oxgdXPSGPw as the EntryPoint.”
- [T1071.001] Application Layer Protocol: Web Protocols – Bumblebee C2 traffic runs over HTTPS. “Traffic generated by this infection is all HTTPS.” and “Bumblebee C2 traffic on 54.38.139[.]20:443.”
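The ISO → LNK → PowerShell → 7za.exe → rundll32 chain above maps cleanly onto process-creation telemetry. The following is an added detection example, not code from Unit 42 or the original page: it walks Sysmon Event ID 1 style records (constructed inline; field names, PIDs, the mounted-ISO drive letter E: and the archive password are assumptions) and correlates three signals into one finding: a 7-Zip console extraction with a password switch, rundll32 loading a DLL from a user-writable directory with a named export, and an explorer.exe → powershell.exe lineage. It also includes benign 7-Zip and rundll32 events to show the noise it ignores.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style; field names are an assumption)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample telemetry from one host. PIDs, the drive letter of the mounted ISO (E:)
# and the archive password are made up; the chain shape follows the page.
SAMPLE_EVENTS = [
    ProcEvent(1200, 800, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1304, 1200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -w hidden -c "E:\7za.exe x -y -pNOTREAL -oC:\ProgramData E:\archive.7z; '
              r'rundll32 C:\ProgramData\19a.dll,oxgdXPSGPw"'),
    ProcEvent(1310, 1304, r"E:\7za.exe",
              r"E:\7za.exe x -y -pNOTREAL -oC:\ProgramData E:\archive.7z"),
    ProcEvent(1322, 1304, r"C:\Windows\System32\rundll32.exe",
              r"rundll32 C:\ProgramData\19a.dll,oxgdXPSGPw"),
    # Benign noise: an admin extracting logs, and a normal rundll32 of a system DLL.
    ProcEvent(2001, 800, r"C:\Program Files\7-Zip\7z.exe",
              r'"C:\Program Files\7-Zip\7z.exe" x C:\Users\a\Downloads\logs.zip -oC:\Users\a\logs'),
    ProcEvent(2002, 800, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe shell32.dll,Control_RunDLL"),
]

# 7-Zip console extraction ("x") with a password switch (-p...). Matches 7z.exe and 7za.exe.
SEVEN_ZIP_PW_EXTRACT = re.compile(r"7za?\.exe\"?\s+x\b.*\s-p\S+", re.IGNORECASE)
SEVEN_ZIP_OUTDIR = re.compile(r"-o\"?([A-Za-z]:\\[^\"\s]*)", re.IGNORECASE)
# rundll32 <absolute path>.dll,<export>
RUNDLL32_DLL = re.compile(r"rundll32(?:\.exe)?\s+\"?([A-Za-z]:\\[^\",]+\.dll)\"?\s*,\s*(\S+)",
                          re.IGNORECASE)
# Directories an unprivileged user can write to; a DLL loaded from here by rundll32 is suspicious.
USER_WRITABLE_PREFIXES = ("c:\\programdata\\", "c:\\users\\")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def on_non_system_drive(path: str, system_drive: str = "C:") -> bool:
    """True for binaries run from a drive letter other than the system drive, e.g. a mounted ISO.
    Assumption: the ISO gets its own letter; ISOs mounted to a folder are not covered."""
    return len(path) > 1 and path[1] == ":" and path[:2].upper() != system_drive.upper()


def find_pw_extractions(events: List[ProcEvent]) -> List[dict]:
    """Stage: 7-Zip console extraction of a password-protected archive."""
    out = []
    for e in events:
        if basename(e.image) not in ("7z.exe", "7za.exe") or not SEVEN_ZIP_PW_EXTRACT.search(e.cmdline):
            continue
        m = SEVEN_ZIP_OUTDIR.search(e.cmdline)
        out.append({"event": e, "outdir": (m.group(1) if m else "").rstrip("\\").lower(),
                    "from_iso_like_drive": on_non_system_drive(e.image)})
    return out


def find_rundll32_user_dll(events: List[ProcEvent]) -> List[dict]:
    """Stage: rundll32 loading a DLL from a user-writable directory with a named export."""
    out = []
    for e in events:
        if basename(e.image) != "rundll32.exe":
            continue
        m = RUNDLL32_DLL.search(e.cmdline)
        if m and m.group(1).lower().startswith(USER_WRITABLE_PREFIXES):
            out.append({"event": e, "dll": m.group(1), "export": m.group(2)})
    return out


def ancestor_images(e: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[str]:
    """Image basenames of the parent chain, nearest first (bounded to avoid PID-reuse loops)."""
    chain, cur, hops = [], by_pid.get(e.ppid), 0
    while cur is not None and hops < 16:
        chain.append(basename(cur.image))
        cur, hops = by_pid.get(cur.ppid), hops + 1
    return chain


def detect_bumblebee_chain(events: List[ProcEvent]) -> List[dict]:
    """One finding per suspicious rundll32 load; score = number of chain stages corroborated."""
    by_pid = {e.pid: e for e in events}
    extractions = find_pw_extractions(events)
    findings = []
    for hit in find_rundll32_user_dll(events):
        stages = ["rundll32_user_writable_dll"]
        dll_dir = hit["dll"].lower().rsplit("\\", 1)[0]
        for ex in extractions:  # did a password-protected archive extract into the DLL's directory?
            if ex["outdir"] and dll_dir.startswith(ex["outdir"]):
                stages.append("password_protected_7z_extract_to_same_dir")
                if ex["from_iso_like_drive"]:
                    stages.append("7za_run_from_non_system_drive")
                break
        lineage = ancestor_images(hit["event"], by_pid)
        if "powershell.exe" in lineage and "explorer.exe" in lineage:
            stages.append("explorer_to_powershell_lineage")
        findings.append({"pid": hit["event"].pid, "dll": hit["dll"], "export": hit["export"],
                         "score": len(stages), "stages": stages})
    return [f for f in findings if f["score"] >= 2]


if __name__ == "__main__":
    for finding in detect_bumblebee_chain(SAMPLE_EVENTS):
        print(finding)
```

The rundll32 stage alone is a weak signal (installers and some admin tooling load DLLs from ProgramData), which is why the finding is only emitted once a second stage corroborates it; in a real pipeline the same correlation should be bounded by host and a short time window, and the export name (here oxgdXPSGPw) can be fed back as an IOC match.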
Indicators of Compromise
- [SHA256] Malicious ZIP archive downloaded from TransferXL URL – 58b9a5202a3cc96e86e24cd3c4b797d2efbf7d6b52461eef89b045aa1ff6c6ae, https://www.transferxl[.]com/download/00jJFzX0NZqb7p?utm_source=downloadmail&utm_medium=e-mail
- [SHA256] ISO image extracted from the above ZIP – 9be296fc9b23ad6aed19934123db9c3a2406d544156b7768374e0f9a75eb1549
- [SHA256] Further contents of the ISO image – a10291506b884327307ae6d97dd6c043e9f2b6283ca3889dc2f5936fb2357862 (listed alongside Attachments.lnk; the Attachments.lnk file itself has its own hash below)
- [SHA256] Attachments.lnk – c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf
- [SHA256] 7za.exe – e62b9513784ae339351de089dd356742aa1c95971ad8c0cf126f4e72131df96e
- [SHA256] archive.7z – 024d048f8ce81e8784215dc6cf0e170b02307d9e8624083efdfccaf3e269a0f2
- [SHA256] 19a.dll (C:\ProgramData\19a.dll) – 64-bit Bumblebee DLL extracted from archive.7z
- [IP] 54.38.139.20:443 – Bumblebee C2 HTTPS traffic
- [IP] 45.153.243.142:443 – Cobalt Strike C2 traffic to fuvataren.com
- [Domain] fuvataren.com – Cobalt Strike domain observed in traffic
- [URL] TransferXL download URL – https://www.transferxl[.]com/download/00jJFzX0NZqb7p?utm_source=downloadmail&utm_medium=e-mail
Read more: https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/