Authored by: Nikolaos Totosis, Nikolaos Pantazopoulos and Mike Stokkel

Executive summary

BUMBLEBEE is a new malicious loader that is being used by several threat actors and has been observed to download different malicious samples. The key points are:

  • BUMBLEBEE is statically linked with the open-source libraries OpenSSL 1.1.0f, Boost (version 1.68). In addition, it is compiled using Visual Studio 2015.
  • BUMBLEBEE uses a set of anti-analysis techniques. These are taken directly from the open-source project [1].
  • BUMBLEBEE has Rabbort.DLL embedded, using it for process injection.
  • BUMBLEBEE has been observed to download and execute different malicious payloads such as Cobalt Strike beacons.

Introduction

In March 2022, Google’s Threat Analysis Group [2] published about a malware strain linked to Conti’s Initial Access Broker, known as BUMBLEBEE. BUMBLEBEE uses a comparable way of distribution that is overlapping with the typical BazarISO campaigns.

In the last months BUMBLEBEE, would use three different distribution methods:

  • Distribution via ISO files, which are created either with StarBurn ISO or PowerISO software, and are bundled along with a LNK file and the initial payload.
  • Distribution via OneDrive links.
  • Email thread hijacking with password protected ZIP

BUMBLEBEE is currently under heavy development and has seen some small changes in the last few weeks. For example, earlier samples of BUMBLEBEE used the user-agent ‘bumblebee’ and no encryption was applied to the network data. However, this functionality has changed, and recent samples use a hardcoded key as user-agent which is also acting as the RC4 key used for the entire network communication process.

Technical analysis

Most of the identified samples are protected with what appears to be a private crypter and has only been used for BUMBLEBEE binaries so far. This crypter uses an export function with name SetPath and has not implemented any obfuscation method yet (e.g. strings encryption).

The BUMBLEBEE payload starts off by performing a series of anti-analysis checks, which are taken directly from the open source Khasar project[1]. After these checks passed, BUMBLEBEE proceeds with the command-and-control communication to receive tasks to execute.

Network communication

BUMBLEBEE’s implemented network communication procedure is quite simple and straightforward. First, the loader picks an (command-and-control) IP address and sends a HTTPS GET request, which includes the following information in a JSON format (encrypted with RC4):

KeyDescription
client_idA MD5 hash of a UUID value taken by executing the WMI command ‘SELECT * FROM Win32_ComputerSystemProduct’.
group_nameA hard-coded value, which represents the group that the bot (compromised host) will be added.
sys_versionWindows OS version
client_versionDefault value that’s set to 1
domain_nameDomain name taken by executing the WMI command ‘SELECT * FROM Win32_ComputerSystem’.
task_stateSet to 0 by default. Used only when the network commands with task name ‘ins‘ or ‘sdl‘ are executed
task_idSet to 0 by default. Used only when the network commands with task name ‘ins‘ or ‘sdl‘ are executed
Description of the values sent to BUMBLEBEE servers

Once the server receives the request, it replies with the following data in a JSON format:

KeyDescription
response_statusBoolean value, which shows if the server correctly parsed the loader’s request. Set to 1 if successful.
tasksArray containing all the tasks
taskTask name
task_idID of the received task, which is set by the operator(s)
task_dataData for the loader to execute in Base64 encoded format
file_entry_pointPotentially represents an offset value. We have not observed this being used either in the binary’s code or during network communication (set to an empty string).
Description of the values returned by the BUMBLEBEE servers

Tasks

Based on the returned tasks from the command-and-control servers, BUMBLEBEE will execute one of the tasks described below. For two of the tasks, shi and dij, BUMBLEBEE uses a list of predefined process images paths:

  • C:\Program Files\Windows Photo Viewer\ImagingDevices.exe
  • C:\Program Files\Windows Mail\wab.exe
  • C:\Program Files\Windows Mail\wabmig.exe
Task nameDescription
shiInjects task’s data into a new process. The processes images paths described above and a random selection is made
dijInjects task’s data into a new process. The injection method defers from the method used in task ‘dij’. The processes images paths described above and a random selection is made.
dexWrites task’s data into a file named ‘wab.exe’ under the Windows in AppData folder.
sdlDeletes loader’s binary from disk.
insAdds persistence to the compromised host.
Description of the tasks performed by BUMBLEBEE

For the persistence mechanism, BUMBLEBEE creates a new directory in the Windows AppData folder with the directory’s name being derived by the client_id MD5 value. Next, BUMBLEBEE copies itself to its new directory and creates a new VBS file with the following content:

Set objShell = CreateObject("Wscript.Shell")
objShell.Run "rundll32.exe my_application_path, IternalJob"

Lastly, it creates a scheduled task that has the following metadata (this can differ from sample to sample):

  1. Task name – Randomly generated. Up to 7 characters.
  2. Author – Asus
  3. Description – Video monitor
  4. Hidden from the UI: True
  5. Path: %WINDIR%\System32\wscript.exe VBS_Filepath

Similarly with the directory’ name, the new loader’s binary and VBS filenames are derived from the ‘client_id’ MD5 value too.

Additional observations

This sub-section contains notes that were collected during the analysis phase and worth to be mentioned too.

  • The first iterations of BUMBLEBEE were observed in September 2021 and were using “/get_load” as URI. Later, the samples started using “/gate”. On 19th of April, they switched to “/gates”, replacing the previous URI.
  • The “/get_load” endpoint is still active on the recent infrastructure – this is probably either for backwards compatibility or ignored by the operator(s). Besides this, most of the earlier samples using URI endpoint are uploaded from non-European countries.
  • Considering that BUMBLEBEE is actively being developed on, the operator(s) did not implement a command to update the loader’s binary, resulting the loss of existing infections.
  • It was found via server errors (during network requests and from external parties) that the backend is written in Golang.
  • As mentioned above, every BUMBLEBEE binary has an embedded group tag. Currently, we have observed the following group tags:
VPS1GROUPALLdll
VPS2GROUP1804RA
VS2G1904r
VPS12004r
SP11904l
RA110425html
LEG07042504r
AL12042704r
RAI1204
Observed BUMBLEBEE group tags
  • As additional payloads, NCC Group’s RIFT has observed mostly Cobalt Strike and Meterpeter being sent as tasks. However, third parties have confirmed the drop of Sliver and Bokbot payloads.
  • While analyzing NCC Group’s RIFT had a case where the command-and-control server sent the same Meterpeter PE file in two different tasks in the same request to be executed. This is probably an attempt to ensure execution of the downloaded payload (Figure 1). There were also cases where the server initially replied with a Cobalt Strike beacon and then followed up with more than two additional payloads, both being Meterpeter.
Figure 1 – Duplicated tasks received
  • In one case, the downloaded Cobalt Strike beacon was executed in a sandbox environment and revealed the following commands and payloads were executed by the operator(s):
    • net group “domain admins” /domain
    • ipconfig /all
    • netstat -anop tcp
    • execution of Mimikatz

Indicators of compromise (IOC’s)

TypeDescriptionValue
IPv4Meterpreter command-and-control server, linked to Group ID 2004r & 25html23.108.57[.]13
IPv4Meterpreter command-and-control server, linked to Group ID 2004r & 2504r130.0.236[.]214
IPv4Cobalt Strike server, linked to Group ID 1904r93.95.229[.]160
IPv4Cobalt Strike server, linked to Group ID 2004r141.98.80[.]175
IPv4Cobalt Strike server, linked to Group ID 2504r & 2704r185.106.123[.]74
IPv4BUMBLEBEE command-and-control servers103.175.16[.]45
103.175.16[.]46
104.168.236[.]99
108.62.118[.]236
108.62.118[.]56
108.62.118[.]61
108.62.118[.]62
108.62.12[.]12
116.202.251[.]3
138.201.190[.]52
142.234.157[.]93
142.91.3[.]109
142.91.3[.]11
149.255.35[.]167
154.56.0[.]214
154.56.0[.]216
168.119.62[.]39
172.241.27[.]146
172.241.29[.]169
185.156.172[.]62
192.236.198[.]63
193.29.104[.]176
199.195.254[.]17
199.80.55[.]44
209.141.59[.]96
209.151.144[.]223
213.227.154[.]158
213.232.235[.]105
23.106.160[.]120
23.106.160[.]39
23.227.198[.]217
23.254.202[.]59
23.81.246[.]187
23.82.140[.]133
23.82.141[.]184
23.82.19[.]208
23.83.133[.]1
23.83.133[.]182
23.83.133[.]216
23.83.134[.]110
23.83.134[.]136
28.11.143[.]222
37.72.174[.]9
45.11.19[.]224
45.140.146[.]244
45.140.146[.]30
45.147.229[.]177
45.147.229[.]23
45.147.231[.]107
49.12.241[.]35
71.1.188[.]122
79.110.52[.]191
85.239.53[.]25
89.222.221[.]14
89.44.9[.]135
89.44.9[.]235
91.213.8[.]23
91.90.121[.]73
Indicators of compromise

References

[1] – https://github.com/LordNoteworthy/al-khaser

[2] – https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/