TA578 using thread-hijacked emails to push ISO files for Bumblebee malware

TA578, identified by Proofpoint as the threat actor behind the Contact Forms campaign, is pushing ISO files for Bumblebee malware through thread-hijacked emails. The analysis compares two May 2022 infection chains and notes similarities to the Contact Forms operation, including malicious storage.googleapis.com hosting and password-protected ZIP attachments delivering the malicious ISO. #TA578 #Bumblebee #StolenImagesEvidence #ContactFormsCampaign #storage.googleapis #appspot.com

Keypoints

  • TA578 is the actor behind the Contact Forms campaign and is now distributing Bumblebee ISO files via thread-hijacked emails.
  • Delivery methods include links to storage.googleapis.com URLs and password-protected ZIP attachments that deliver an ISO.
  • Two May 2022 samples (document.iso and invoice_pdf_49.iso) show the same attack chain and payload components used to install Bumblebee.
  • The ISO contents include a Windows shortcut (documents.lnk) and a Bumblebee 64-bit DLL (ramest.dll) with a shared imphash, indicating related binaries.
  • Pages hosting the ISO deliveries resemble the Contact Forms campaign’s Stolen Images Evidence and document download pages on storage.googleapis.com, and the delivery chain often ends with logo.jpg references.
  • TA578 may also push IcedID (Bokbot) malware via the same thread-hijacked email tactic; testing in AD environments sometimes reveals Cobalt Strike, highlighting broader risk.

MITRE Techniques

  • [T1566.002] Spearphishing Link – Thread-hijacked emails deliver an ISO via a malicious storage.googleapis.com link. ‘TA578 thread-hijacked email with malicious storage.googleapis.com link.’
  • [T1566.001] Spearphishing Attachment – Delivers the malicious ISO through a password-protected ZIP attachment. ‘password-protected zip attachment.’
  • [T1105] Ingress Tool Transfer – Payload (malicious ISO) downloaded from storage.googleapis.com (document download page). ‘delivers malicious ISO file for Bumblebee malware.’

Indicators of Compromise

  • [SHA256] 330b01256efe185fc3846b6b1903f61e1582b5a5127b386d0542d7a49894d0c2 – context: document.iso (2,883,584 bytes)
  • [SHA256] e9084037805a918e00ac406cf99d7224c6e63f72eca3babc014b34863fb81949 – context: invoice_pdf_49.iso (2,883,584 bytes)
  • [SHA256] 22e033c76bb1070953325f58caeeb5c346eca830033ffa7238fb1e4196b8a1b9 – context: documents.lnk (1,612 bytes)
  • [SHA256] e6357f7383b160810ad0abb5a73cfc13a17f4b8ea66d6d1c7117dbcbcf1e9e0f – context: ramest.dll (document.iso)
  • [SHA256] f398740233f7821184618c6c1b41bc7f41da5f2dbde75bbd2f06fc1db70f9130 – context: ramest.dll (invoice_pdf_49.iso)
  • [URL] baronrtal.com/img/logo.jpg – context: malicious URL used in the document delivery chain
  • [URL] bunadist.com/img/logo.jpg – context: another malicious URL used in the delivery chain
  • [URL] storage.googleapis.com/pz3ksj5t45tg4t.appspot.com/q/pub/file/0/filejBWdkst6Ua3s.html – context: ‘document’ download page
  • [URL] storage.googleapis.com/oieqeh1cxwnd81.appspot.com/bl/file/sh/0/fWpa4HT4ck6v6.html?l=827470894993112750 – context: ‘Stolen Images Evidence’ page
  • [URL] storage.googleapis.com/oieqeh1cxwnd81.appspot.com/bl/file/sh/0/fWpa4HT4ck6v6.html?h= – context: ‘Stolen Images Evidence’ page variant
  • [Domain] storage.googleapis.com – context: hosts the malicious download pages
  • [Domain] appspot.com – context: used within the hosting URLs
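As an added example (not code from the diary or from Proofpoint), the following Python turns the indicators above into a simple proxy-log check: it flags the storage.googleapis.com/*.appspot.com landing-page pattern, the trailing /img/logo.jpg requests, and the listed SHA256 hashes. The key=value log format and the sample lines are constructed assumptions.

```python
import re
# SHA256 hashes listed on this page, mapped to the file they identify.
KNOWN_SHA256 = {
    "330b01256efe185fc3846b6b1903f61e1582b5a5127b386d0542d7a49894d0c2": "document.iso",
    "e9084037805a918e00ac406cf99d7224c6e63f72eca3babc014b34863fb81949": "invoice_pdf_49.iso",
    "22e033c76bb1070953325f58caeeb5c346eca830033ffa7238fb1e4196b8a1b9": "documents.lnk",
    "e6357f7383b160810ad0abb5a73cfc13a17f4b8ea66d6d1c7117dbcbcf1e9e0f": "ramest.dll (document.iso)",
    "f398740233f7821184618c6c1b41bc7f41da5f2dbde75bbd2f06fc1db70f9130": "ramest.dll (invoice_pdf_49.iso)",
}

# Download-page pattern from this page: storage.googleapis.com fronting an
# *.appspot.com bucket and serving an .html landing page.
APPSPOT_PAGE = re.compile(
    r"https?://storage\.googleapis\.com/[a-z0-9-]+\.appspot\.com/\S+?\.html", re.I)
# Trailing /img/logo.jpg reference; weak on its own, so it is reported separately.
LOGO_JPG = re.compile(r"https?://[^/\s]+/img/logo\.jpg", re.I)
# sha256=<hex> field as written in the constructed log format below.
SHA_FIELD = re.compile(r"sha256=([0-9a-f]{64})", re.I)

def classify_line(line):
    """Return the reasons a proxy log line matches this campaign's indicators."""
    reasons = []
    if APPSPOT_PAGE.search(line):
        reasons.append("storage.googleapis.com/*.appspot.com download page")
    if LOGO_JPG.search(line):
        reasons.append("/img/logo.jpg reference (weak)")
    m = SHA_FIELD.search(line)
    if m and m.group(1).lower() in KNOWN_SHA256:
        reasons.append("known hash: " + KNOWN_SHA256[m.group(1).lower()])
    return reasons

def scan_log(lines):
    # Return (1-based line number, reasons) for every line matching an indicator.
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = classify_line(line)
        if reasons:
            hits.append((n, reasons))
    return hits

# Constructed sample lines in an assumed key=value proxy format (not from the diary).
SAMPLE_LOG = [
    "2022-05-17T09:12:01Z src=10.1.2.3 url=https://www.example.org/index.html sha256=-",
    "2022-05-17T09:13:44Z src=10.1.2.3 url=https://storage.googleapis.com/pz3ksj5t45tg4t.appspot.com/q/pub/file/0/filejBWdkst6Ua3s.html sha256=-",
    "2022-05-17T09:14:02Z src=10.1.2.3 url=https://baronrtal.com/img/logo.jpg sha256=-",
    "2022-05-17T09:15:30Z src=10.1.2.3 url=https://example.net/dl/document.iso sha256=330b01256efe185fc3846b6b1903f61e1582b5a5127b386d0542d7a49894d0c2",
]

if __name__ == "__main__":
    for n, reasons in scan_log(SAMPLE_LOG):
        print(n, "; ".join(reasons))
```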

Read more: https://isc.sans.edu/diary/rss/28636