Orion Threat Alert: Flight of the BumbleBee – Cynet

Orion Threat Research Team uncovered BumbleBee, a new loader used by Initial Access Brokers to deploy campaigns and inject Cobalt Strike into victims’ memory. The operation leverages spoofed identities and ISO-based delivery via TransferXL to lure users, with potential progression toward ransomware in later stages. #BumbleBee #EXOTICLILY

Keypoints

  • The BumbleBee campaign centers on a custom loader used by different IAB groups to compromise victims’ environments and inject Cobalt Strike shellcodes in memory.
  • The delivery chain relies on spoofed company identities and legitimate public storage services to host and disseminate a malicious ISO image that contains the payload.
  • The execution flow includes LOLBins with rundll32, a scheduled task for persistence, and VBScript executed via the scheduled task, with the victim explicitly triggering the payload by mounting the ISO and clicking an LNK file.
  • EXOTIC LILY is named as a financially motivated actor behind BumbleBee, with observed collaboration with WIZARD SPIDER; the campaign is new and actively tracked by defenders.
  • The distribution targets predominantly US-based companies via a laddered chain: spear phishing email → URL link to TransferXL/WeTransfer etc. → zipped ISO → ISO containing LNK and BumbleBee payload.
  • In IR cases, BumbleBee injections are followed by discovery commands to map the network, data collection, and possible ransomware deployment in a subsequent stage; two 64-bit/32-bit payloads and C2 infrastructure are described in depth.

MITRE Techniques

  • [T1566.002] Spearphishing Link – Delivery starts with a spear phishing email sent from a spoofed address; the email links to the legitimate public storage service TransferXL, which hosts the payload. ‘The BumbleBee payload was delivered via a spear phishing email that was sent from a spoofed email address. The email contains a URL link to the legitimate public storage service, TransferXL.’
  • [T1053.005] Scheduled Task – BumbleBee creates a scheduled task on the compromised host for persistence and executes a Visual Basic script via the scheduled task. ‘BumbleBee also creates a scheduled task on the compromised host for persistence and executes a Visual Basic script via the scheduled task.’
  • [T1059.005] VBScript – VBScript is used as part of LOLBin execution, enabling script-based payload actions. ‘…execution with LOLBins… rundll32, which allows threat actors to avoid defenses.’
  • [T1218.011] Signed Binary Proxy Execution: Rundll32 – LNK executes the DLL via rundll32 command. ‘LNK executes the DLL via rundll32 command.’
  • [T1047] Windows Management Instrumentation – WMI-based execution of the VBS payload, in addition to scheduled task execution. ‘The VBS file that was executed via a scheduled task, was also executed through WMI.’
  • [T1497] Virtualization/Sandbox Evasion – BumbleBee employs anti-VM checks to detect sandboxes and virtualization environments. ‘In our labs, we observed that BumbleBee uses several anti-VM methods to avoid detection.’
  • [T1036] Masquerading – The LNK file is masqueraded (icon changed) to resemble a folder, tricking users into clicking it. ‘masquerading technique by setting the LNK file icon to be a folder icon in order to lure the victim to click on the LNK file.’
  • [T1055] Process Injection – The loader injects Cobalt Strike shellcode into processes (memory-only execution). ‘the BumbleBee DLL is copied… inject Cobalt Strike shellcode in memory.’
  • [T1069.001] Active Directory Discovery – AdFind is used to enumerate and map the victim’s network. ‘adfind.exe -gcb -sc trustdmp’ and related commands.
  • [T1071.001] Web Protocols – After initial execution, BumbleBee communicates with C2 servers over network protocols; multiple IPs/ports observed. ‘The BumbleBee process… communicated with the Command-and-Control server (C2). We’ve seen several C2 servers…’
  • [T1564.001] Hidden Files and Directories – The DLL payload is marked Hidden to evade casual inspection. ‘Hidden attribute for the DLL’
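The execution chain listed above (LNK → rundll32 loading a DLL from the mounted ISO, a scheduled task running a VBScript, and the same VBScript launched through WMI) can be turned into simple process-creation detections. The following is an added example, not code from Cynet or the report; it runs over constructed process events whose field names mirror a typical EDR/Sysmon process-creation record, and the DLL name RapportGP.dll is the file named in the IoCs while the export, task name and script path are placeholders.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """Constructed process-creation record (image, command line, parent image)."""
    image: str
    cmdline: str
    parent_image: str

SYSTEM_DRIVE = "c:"  # a mounted ISO appears as a separate drive letter, never the system volume

def _refs_non_system_dll(cmdline: str) -> bool:
    """True if the command line loads a .dll from any drive other than the system drive."""
    for m in re.finditer(r"([a-z]):\\[^\s,\"]+\.dll", cmdline):
        if m.group(1) + ":" != SYSTEM_DRIVE:
            return True
    return False

def classify(ev: ProcEvent) -> list[str]:
    """Return the BumbleBee-chain behaviours a single event matches (empty list = none)."""
    hits: list[str] = []
    image = ev.image.lower().rsplit("\\", 1)[-1]
    parent = ev.parent_image.lower().rsplit("\\", 1)[-1]
    cmd = ev.cmdline.lower()
    # T1218.011: explorer (user clicked the LNK) spawns rundll32 against a DLL on a mounted image
    if image == "rundll32.exe" and parent == "explorer.exe" and _refs_non_system_dll(cmd):
        hits.append("rundll32_dll_from_mounted_image")
    # T1053.005: a scheduled task is created whose action is a VBScript host
    if image == "schtasks.exe" and "/create" in cmd and (".vbs" in cmd or "wscript" in cmd or "cscript" in cmd):
        hits.append("schtask_runs_vbscript")
    # T1059.005 via T1047 / task scheduler: script host spawned by the WMI provider host or a service host
    if image in ("wscript.exe", "cscript.exe") and parent in ("wmiprvse.exe", "svchost.exe") and ".vbs" in cmd:
        hits.append("vbscript_via_wmi_or_task")
    return hits

def scan(events: list[ProcEvent]) -> dict[str, int]:
    """Count each behaviour across a batch of events (a per-host triage summary)."""
    counts: dict[str, int] = {}
    for ev in events:
        for h in classify(ev):
            counts[h] = counts.get(h, 0) + 1
    return counts

# Constructed sample events: one per chain stage plus a benign rundll32 invocation that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\rundll32.exe", r'rundll32.exe "D:\RapportGP.dll",#1', r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe", r'schtasks.exe /create /sc minute /mo 30 /tn Upd /tr "wscript.exe C:\ProgramData\upd.vbs"', r"C:\Windows\System32\rundll32.exe"),
    ProcEvent(r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\ProgramData\upd.vbs", r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```

Each rule alone is noisy in a large estate; correlating the three on one host within a short window, as the report's chain implies, is what raises confidence.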

Indicators of Compromise

  • [Hash] BumbleBee payload hashes – 88F5AE9691E6BCDD4065A420EAFAF3E3AA32C69605BF564A42FFD8ECD25C9920, 4a49e2f06ba48d3a88fdeb83fb8021f3d165535e8ea5319b16a7ebe4da9c0751, and 2 more hashes
  • [IP] C2 IPs – 23.82.19[.]208:443, 192.236.198[.]63:433, and 1 more IP
  • [Domain] C2/Cobalt Strike domains – hojimizeg[.]com, notixow[.]com, and 1 more
  • [File] ISO image and DLL artifacts – documents-04-106.iso, RapportGP.dll, and 2 more files

Read more: https://www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/