{
	"id": "2c79e9cd-9402-44c3-97a0-6029d52dfa89",
	"created_at": "2026-04-29T08:21:22.288037Z",
	"updated_at": "2026-04-29T10:41:25.723893Z",
	"deleted_at": null,
	"sha1_hash": "19a488c230c30f8bbce5903de947698c5812abfc",
	"title": "The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 10963204,
	"plain_text": "The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection\r\nBy Eli Salem\r\nPublished: 2022-04-27 · Archived: 2026-04-29 07:05:45 UTC\r\nApr 27, 2022\r\nIn late March 2022, a new malware dubbed “Bumblebee” was discovered and reported to be distributed in phishing campaigns containing ISO files, which eventually drop DLL files that contain the Bumblebee malware itself[1][3].\r\nThis malware deployment technique is not new, and several other malware families have already been observed using it, most notably BazarLoader and IcedID[3]. Also, similar to the aforementioned malware, Bumblebee too was observed delivering the Cobalt Strike framework.\r\nFrom a threat research perspective, what makes this malware interesting is the fact that it was associated with the Conti ransomware group as one of the group's threat loaders[1].\r\nIn the past, the traditional loaders of Conti were Trickbot, BazarLoader, and Emotet, so it was quite intriguing to inspect this malware closely.\r\nIn this article, I will present a code analysis of the Bumblebee malware. Obviously, due to the malware's large size, I will not cover everything, and will focus on the parts that I think are the most interesting in terms of capabilities. Also, one of my favorite topics in malware research is the ways malware avoids detection, so I will put more emphasis on this subject as well.\r\nLastly, I divided the entire article into three parts; the table of contents is the following:\r\n1. PART 1: The hook - unpacking the Bumblebee’s crypter\r\n- Unpacking mechanism\r\n- Enters the hook\r\n- Executing the code\r\n- Bumblebee dropper high-level summary\r\n2. 
PART 2: The bee - Investigating the Bumblebee’s payload\r\n- Stolen anti-analysis code\r\n- Searching for processes\r\n- Searching registry keys\r\n- Searching file paths\r\n- Executing processes\r\n- The little ones inside the flask: hiding additional DLLs\r\n3. PART 3: The Trickbot connection - Investigating the hooking DLL\r\n- Check for existing hooks\r\n- Setting the hooks\r\n- First hooks: Disable exceptions\r\n- Second hooks: Further code execution\r\n- The Trickbot hooking engine\r\n- Static differences and code evolution\r\n- Additional similarities\r\n- Customized flattened RC4\r\n- RapportGP.dll high-level summary\r\nPART 1\r\nThe Hook: Unpacking the Bumblebee’s crypter\r\nHash: a9c8b7c411571700e6ea03e4e48ddb896a33e53e\r\nBumblebee dropper as seen in PEstudio\r\nThe initial dropper of Bumblebee is a 64-bit file with relatively high entropy, which indicates possibly obfuscated \\ encrypted content that will be decrypted at runtime.\r\nThe DLL itself contains two export functions: InternalJob and SetPath. Also, the file’s internal name appears to be “lodqcbw041xd9.dll”.\r\nBumblebee dropper exports and internal name in PE-Bear\r\nUnpacking mechanism\r\nOnce we enter the loader’s main function, we see that it is unique and does not look like any of the common crypters that can be found in Conti’s loaders (such as Emotet or BazarLoader).\r\nBumblebee loader\\crypter main\r\nAs we open the loader in IDA, we see that the majority of the PE in the IDA navigator has the olive color, which means unexplored bytes. 
This is common when there is some content in the PE that needs to be decrypted during runtime.\r\nBumblebee loader unexplored bytes\r\nTip: During my analysis, I disabled the file’s ASLR to match the addresses in IDA and Xdbg; this is super helpful and saves a lot of time.\r\nTo do so, open the file in CFF Explorer, and then:\r\n1. Click Optional Header\r\n2. Go to DllCharacteristics\r\n3. Remove the V (checkmark) from “DLL can move”\r\nDisabling ASLR\r\nNext, we can see that the DllEntryPoint is an empty export function, so we will want to redirect our execution flow to one of the working export functions; in this case, we will choose “SetPath”.\r\nTo redirect the flow, do the following:\r\n1. In IDA \\ PE-Bear, copy the address of the required export function\r\n2. In Xdbg, right-click on RIP\r\n3. Click on “Modify Value”\r\n4. Paste the address of the export function\r\nChanging the address\r\nAfter clicking OK, we will find ourselves at the beginning of the export function. This trick can be used with any other malware that is executed via a designated export function.\r\nBumblebee SetPath\r\nFrom a reverse engineer’s perspective, the crypter is an inconvenient binary to inspect, and there are not many “quick wins” we can gather just by looking at it; however, this crypter is unique in today's landscape, so I will focus on the areas I found to be the most interesting.\r\nFirst, the crypter starts with a traditional unpacking activity. In the function sub_180003490 there are two other functions:\r\n1. 
sub_1800021D0 - which will allocate virtual memory using HeapAlloc (this function will be called multiple times during the crypter unpacking)\r\n2. sub_1800029BC - which gets an embedded content and writes it into the newly allocated memory\r\nBumblebee loader\\crypter main\r\nThen, the function sub_180002FF4 will be executed to do the following:\r\n1. Allocate new virtual memory using the same sub_1800021D0 function.\r\n2. Manipulate the content from the first allocated buffer and write the output into the newly allocated memory\r\nBumblebee loader\\crypter main\r\nThe next step will be the function sub_180004180; this function will do the following:\r\n1. It executes a function named sub_180001670 that will allocate multiple virtual memory buffers using the already mentioned sub_1800021D0.\r\n2. 
Call the function named sub_180003CE, which will use the virtual memory that was allocated in sub_180002FF4, do additional manipulations, and eventually write an unpacked MZ into the last buffer allocated by the function sub_180001670.\r\nBumblebee loader\\crypter main\r\nWhen looking statically at the function sub_180003CE, the loop that writes the unpacked file is the following:\r\nBumblebee loader payload decryption\r\nAnd when observing it dynamically, it looks like the following:\r\nBumblebee loader payload decryption\r\nIn the end, we get allocated memory with Read-Write permissions with an unpacked payload inside.\r\nBumblebee loader payload decrypted in Process Hacker\r\nUntil now, everything we have observed is pretty much common in other loaders \\ crypters; however, we still have two unsolved questions:\r\n1. The code section of the payload does not have Execute permission, so it can't run.\r\n2. What makes this loader special?\r\nEnters the hook\r\nThe loader will enter a function called sub_180001000; this function will create inline hooks[5] that will ignite the chain of events that lead to the code execution.\r\nBumblebee loader payload decryption\r\nAs we enter, we notice something interesting: the loader assigns functions to memory addresses, then it calls another function named sub_100025EC.\r\nAssign functions to addresses\r\nThis function will do the following:\r\n1. 
Get an Ntdll handle with LoadLibrary\r\n2. Get the address of NtOpenFile\r\n3. Get the address of NtCreateSection\r\n4. Get the address of NtMapViewOfSection\r\n5. Return the data\r\nGetting NT functions\r\nTo observe it dynamically, we can just go to the debugger and step over the functions themselves.\r\nGetting NT functions\r\nAfter exiting sub_100025EC, our attention will go to a function named sub_1800037C4. This function is responsible for installing a hook in each of the aforementioned NT functions.\r\nIt will do it in the following way:\r\n1. Call VirtualProtect to change the protection of the area it wants to write into to be writeable\r\n2. Call sub_180002978, which takes as arguments:\r\n1. The function to write into\r\n2. The content it wants to write\r\n3. The size\r\n3. Call VirtualProtect to change the protection again to not be writeable\r\nSetting hook\r\nEventually, this activity occurs inside a loop to install the hooks in each of the NT functions. The hooks that will be installed are the functions that were assigned to memory addresses at the beginning of the larger function:\r\n1. sub_180001D4 for NtMapViewOfSection\r\n2. sub_1800023D4 for NtOpenFile\r\n3. sub_1800041EC for NtCreateSection\r\nIf we want to observe the changes dynamically, we have two options. The first one is to just observe it in the debugger by stepping over sub_180002978.\r\nHooked NT functions\r\nAnother option is to use the tool Hollows Hunter[6] with “/hooks” as an argument. 
Then, we will have a .tag file for the hooked DLL (if found, of course).\r\nView hooks using Hollows Hunter\r\nAnd when we open this file with a text editor, we can see which functions are hooked and where the hook itself lies.\r\nView hooks using Hollows Hunter\r\nTo summarize the hooking procedure, it looks like this:\r\nBumblebee loader install hook mechanism\r\nExecuting the code\r\nAfter we finish setting the hooks, we head to the function sub_1800013A0.\r\nBumblebee loader\\crypter main\r\nThis function will attempt to load the DLL “GdiPlus.dll” using the API call LoadLibrary, with SetPath as an export function.\r\nLoadLibrary loading GdiPlus.dll\r\nLoadLibrary loading GdiPlus.dll\r\nQ: Why does the malware even want to use GdiPlus.dll?\r\nA: It doesn't.\r\nQ: So why the need to load it?\r\nA: Because it is not loaded (wait, what?!)\r\nThe malware uses a somewhat unique custom unpacking:\r\n1. When LoadLibrary loads a DLL file, it internally uses the hooked NT functions as part of its activity.\r\n2. The malware chooses a DLL that is not loaded yet.\r\n3. NtOpenFile will get a file handle of GdiPlus.dll\r\n4. NtCreateSection will create a section for the file handle of GdiPlus.dll\r\nHowever, here is where things become tricky: when LoadLibrary tries to use MapViewOfSection to map the GdiPlus.dll section, the hook function of MapViewOfSection (sub_180001D4C) will do the following:\r\n1. 
It will use CreateSection to create a new section with READ-WRITE-EXECUTE permissions, without any file handle to associate it with.\r\n2. It will write the unpacked malicious content into this section\r\n3. It returns NTSTATUS_SUCCESS to LoadLibrary, so it will seem as if GdiPlus.dll was mapped successfully.\r\nHooked NtMapViewOfSection mechanism\r\nThe result is an unpacked Bumblebee malware that resides in the RWX section and is associated with GdiPlus.dll. Interestingly, GdiPlus.dll is shown as a relocated DLL in Process Hacker.\r\nRelocated module points to RWX section\r\nBumblebee dropper high-level summary\r\nIf we want to look at all the dropper unpacking mechanism steps in a high-level overview and summarize them into three steps, it looks like this:\r\nBumblebee dropper overview\r\nPART 2\r\nThe bee: Investigating the Bumblebee’s payload\r\nUnpacked Bumblebee payload\r\nThe unpacked malware is a large 64-bit file with quite high entropy.\r\nThis file appears to be the core component of the Bumblebee malware. 
It features many traditional capabilities we would expect from malware, such as internet communication, file manipulation, collecting user information, cryptography libraries, etc.\r\nIn my article, I will not cover this file as much because of scoping decisions; however, some interesting code parts to mention are:\r\nStolen anti-analysis code\r\nAs with many malware families, Bumblebee also has anti-analysis tricks; however, the majority of them are grouped in one large function. Also, during my observation, I noticed that additional anti-analysis checks have been added as time goes by, which indicates a quickly evolving malware or that the authors are still in the “testing the waters” phase.\r\nIn addition, this entire anti-analysis function code is taken from the GitHub page of the “al-khaser” project[7]. For good measure, I will show some examples.\r\nSearching for processes\r\nThe malware will search for multiple tools that are used for dynamic and static malware analysis. 
The malware will iterate through the processes using CreateToolhelp32Snapshot.\r\nSearching for processes in Bumblebee\r\nAs said, this code is the exact code found in the al-khaser project.\r\nal-khaser source code\r\nThe malware also attempts to detect any kind of virtualization environment by detecting their processes; it varies from VMware to VBox processes.\r\nSearching for VMware processes in Bumblebee\r\nSearching registry keys\r\nThe malware will attempt to search for designated registry keys that indicate any kind of virtual environment from multiple products.\r\nSearching for VMware registry key in Bumblebee\r\nSearching file paths\r\nThe malware will search for file paths that can indicate any kind of virtual environment.\r\nSearching for VBOX files in Bumblebee\r\nAt this point, it would be pointless to continue listing the anti-analysis capabilities, so for those who want to see them all, please visit the al-khaser project GitHub page.\r\nExecuting processes\r\nAmong the malware's capabilities is executing Rundll.exe to run the DLL with InternalJob as the export function, using Wscript.\r\nExecuting Wscript\r\nAlso, the malware can use PowerShell to perform further activities.\r\nExecuting PowerShell\r\nThe little ones 
inside the flask\r\nOne of the most interesting things about the Bumblebee core component is the fact that it contains two DLL files inside of it.\r\nTwo hidden DLL files inside the unpacked Bumblebee\r\nBoth of these files have the same internal name, RapportGP.dll (which is also used by the security company Trusteer).\r\nBumblebee hooking DLL aka RapportGP.dll\r\nThe two DLL files are completely identical except for the fact that one of them is 32-bit and the other is 64-bit.\r\nPART 3: The shadow of Trickbot - Investigating the hooking DLL\r\nIn the last part, I will investigate RapportGP.dll. As said, there are two versions, 32\\64-bit, and for my analysis I will focus only on the 32-bit one.\r\nThe main concept behind RapportGP.dll is hooking, and the entire module’s mechanism supports this activity.\r\nCheck for existing hooks\r\nOne of the first activities of the module occurs in a function named “sub_100060C0”. In general, this function is responsible for checking whether any function from a list of pre-determined functions is hooked.\r\nInside sub_100060C0, the chain of events that leads to this is the following:\r\n1. A handle to Ntdll.dll, Kernel32.dll, Kernelbase.dll, and Advapi32.dll is obtained\r\n2. The requested DLL’s path is obtained\r\n3. A call to the function sub_100059B0 is made to get a copy of NtProtectVirtualMemory that is stored in the allocated memory\r\n4. The arguments are sent to another function named sub_10005B90\r\n1. 
RapportGP.dll checking and disabling existing hooks\r\nThe functions it wants to check are:\r\nIn Ntdll.dll\r\nRapportGP.dll list of Ntdll functions to check\r\nIn Kernel32.dll\r\nRapportGP.dll list of Kernel32 functions to check\r\nIn Kernelbase.dll\r\nRapportGP.dll list of Kernelbase functions to check\r\nIn Advapi32.dll\r\nRapportGP.dll list of Advapi32 functions to check\r\nIn sub_10005B90, the module path of the requested DLL file is mapped to memory and sent to an additional function named “sub_10005D40” that deals with the actual checking.\r\n2. RapportGP.dll checking and disabling existing hooks\r\nAs for the checks themselves, they are quite simple:\r\n1. The malware iterates through the export functions of the legitimate DLL file that was mapped to memory by the process when it loaded.\r\n2. The malware checks if the name is one of the function names it wants to check\r\n3. Once found, the malware calls sub_10001040, which checks for hook evidence in the DLL that was mapped by the process loader\r\n4. The malware does the same for the DLL that was mapped by the malware itself (in sub_10005B90).\r\n5. If no hooks are found, it continues to iterate\r\n3. RapportGP.dll checking and disabling existing hooks\r\nAnd if there is an indication of hooks, the malware does the following:\r\n1. 
Get information about the original function\r\n2. It will change the protection\r\n3. Check if it's writable\r\n4. Write the content of the mapped function over the original function. In this way, it restores it to the state it should be in if there are no hooks.\r\n4. RapportGP.dll checking and disabling existing hooks\r\nIf we want to observe this activity dynamically, all we need to do is change the bytes at the beginning of one of the functions the malware wants to check. For example, let's take NtCreateFile.\r\n1. Original function at 775222C0\r\n2. The function mapped by the malware at 02E022C0\r\n5. RapportGP.dll checking and disabling existing hooks\r\nWhen looking in the dump, we can see that their code is exactly the same.\r\n6. RapportGP.dll checking and disabling existing hooks\r\nLet's change the first byte of the original to an E9 opcode (jump).\r\n7. RapportGP.dll checking and disabling existing hooks\r\nNow, if we debug dynamically, we will be able to get to the last part of the code.\r\n8. RapportGP.dll checking and disabling existing hooks\r\nAfter stepping over memset, we can see that the E9 byte no longer exists and the original function has returned to its normal state.\r\n9. RapportGP.dll checking and disabling existing hooks\r\nAt a very high level, the process eventually looks like this:\r\n10. 
RapportGP.dll checking and disabling existing hooks\r\nSetting the hooks\r\nAfter checking that there are no other hooks, the malware turns to setting its own hooks. The malware has two kinds of hooks for different purposes.\r\nFirst hooks: Disable Exceptions\r\nThe malware sets a hook on the function RaiseFailFastException, which is located in kernel32.dll and api-ms-win-core-errorhandling-l1-1-2.dll.\r\nThe function that will be triggered is empty; therefore, no exception will be raised.\r\nRapportGP.dll hooks to disable exceptions\r\nSecond hooks: Further code execution\r\nThe malware uses the same technique the Bumblebee loader did. It first gets the addresses of the functions ZwMapViewOfSection, ZwOpenSection, ZwCreateSection, ZwOpenFile, ZwClose, and LdrLoadDll.\r\nRapportGP.dll second hooks\r\nAnd similar to the Bumblebee loader, it first sets the hook and then calls LdrLoadDll, which is the lower-level equivalent of LoadLibrary, to load the module “wups.dll”, which triggers the chain of events we already discussed in the Bumblebee loader part.\r\nRapportGP.dll second hooks\r\nThe Trickbot hooking engine\r\nAlthough both hooks do completely different things, the hooks’ installation mechanism is the same. Interestingly, this mechanism is also the same as in the web-inject module of Trickbot.\r\nBumblebee’s RapportGP.dll vs Trickbot’s web-inject module\r\nAs with many ex-bankers that use hooking, such as Panda, 
Trickbot, and Qbot, their hooking code is based on the Zeus leak; however, each of them has its own flavor and changes, and Trickbot is no different.\r\nIn the Trickbot web-inject hooking mechanism, which has already been documented[8], when creating the inline hooking “trampoline” there is the following evasion technique:\r\n1. Trickbot writes 35 bytes of NOPs (0x90)\r\n2. Adds the traditional function prologue\r\n3. Writes the jump to the targeted function at the end of the NOPs\r\nTrickbot’s web-inject module evasion technique\r\nAs we debug Bumblebee, we notice it uses the same unique evasion as well (adjusted for the API calls it wants to hook). So, for example, when hooking ZwMapViewOfSection, which issues a syscall, it looks like this.\r\nBumblebee’s RapportGP.dll evasion technique\r\nAnd when targeting the user-mode function RaiseFailFastException, it looks exactly like in Trickbot.\r\nBumblebee’s RapportGP.dll evasion technique\r\nStatic differences and code evolution\r\nWhen inspecting the entire code flow graph of the hook installation function, we can see a striking similarity between Bumblebee’s RapportGP.dll and Trickbot’s web-inject module.\r\nBumblebee’s RapportGP.dll vs Trickbot’s web-inject module install hook functions\r\nInterestingly, although the actual functionality is the same, we might think that statically everything is the same, even the sub-functions inside the hook installation function. 
Funnily enough, this is not the case.\r\nAs mentioned above, in the hook installation function, one function is responsible for doing checks and returning a size (please see the image above).\r\n1. In Trickbot it's sub_10001650\r\n2. In Bumblebee it's sub_10002870\r\nHowever, when inspecting their code and code flow statically, this is how they both look:\r\nBumblebee’s RapportGP.dll vs Trickbot’s web-inject module - same functionality, different flow\r\nObviously, in Bumblebee, the authors have decided to use control-flow flattening[9] to obfuscate the entire flow of the function. For those of you who are not familiar with this obfuscation technique, I strongly recommend the following video[10].\r\nIn addition, inside each of these functions (sub_10001650 in Trickbot, sub_10002870 in Bumblebee) there are 3 functions (one of them is memset), and the control-flow flattening continues in Bumblebee inside them as well.\r\nFor example, here are another two functions that act the same dynamically:\r\nBumblebee’s RapportGP.dll vs Trickbot’s web-inject module - same functionality, different flow\r\nWhen observing the two functions in BinDiff flow graphs, we can see some similarities.\r\nBumblebee’s RapportGP.dll vs Trickbot’s web-inject module - BinDiff\r\nAdditional similarities\r\nIn both modules, there are other functions that are not completely identical in code; however, they serve the same functionality.\r\nExample_1\r\nBefore entering the 
hooking functions, both Trickbot and Bumblebee attempt to use LoadLibrary and get the address of the function they want to hook.\r\nThe difference is that Trickbot explicitly writes “Kernel32.dll”, whereas Bumblebee gets the DLL’s name from the caller function.\r\nBumblebee’s RapportGP.dll vs Trickbot’s web-inject module - same functionality, a different approach\r\nExample_2\r\nThe call for the hooking activity looks very similar as well.\r\nBumblebee’s RapportGP.dll vs Trickbot’s web-inject module\r\nExample_3\r\nOutside the hooking, Bumblebee’s hooking module starts by getting the process handle and eventually duplicating a thread handle, whereas Trickbot’s module starts by getting the process handle and duplicating the token. Again, the same objective, in a different way.\r\nCustomized flattened RC4\r\nAnother interesting activity lies inside the hooked ZwMapViewOfSection function. 
The hook appears to use a customized RC4 obfuscated with the control-flow flattening technique.\r\nCustom RC4 with CFF obfuscation\r\nRapportGP.dll high-level summary\r\nWhen trying to summarize the entire file's behavior, it eventually comes down to the following:\r\nRapportGP.dll overall activity\r\nConclusion\r\nThe Bumblebee malware is a very interesting piece of code, and to achieve their objectives, the authors show a high level of creativity and innovation.\r\nThe interesting similarities between the Bumblebee hooking DLL and Trickbot’s web-inject DLL raise questions and speculations.\r\nOn one hand, the similarities are not strong enough to deduce that the authors of Bumblebee and Trickbot are the same; on the other hand, it is not far-fetched to assume that the authors of Bumblebee have the source code of Trickbot’s web-inject module.\r\nIn any case, the authors took already proven and working code and evolved it to be less detectable by AV products and more challenging for security researchers.\r\nReferences\r\n[1] https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/\r\n[2] https://twitter.com/Unit42_Intel/status/1512146449345171459\r\n[3] https://www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/\r\n[4] https://github.com/hasherezade/pe-bear-releases\r\n[5] https://youtu.be/9efJ8_ukxlY?t=2\r\n[6] https://github.com/hasherezade/hollows_hunter\r\n[7] https://github.com/LordNoteworthy/al-khaser/tree/master/al-khaser\r\n[8] 
https://www.sentinelone.com/labs/how-trickbot-malware-hooking-engine-targets-windows-10-browsers/\r\n[9] https://blog.jscrambler.com/jscrambler-101-control-flow-flattening\r\n[10] https://youtu.be/SulC2l1Dvbo\r\nIOC\r\nbumblebee_dropper: 4a35fa2f0903f7ba73ac21564a5a0e2a25374e10\r\nbumblebee_malware: 5dbb3bbc57653c348be7778628ed0ef11ffef35d\r\nbumblebee_rapportgp: 5c8f7465ba67138e58d3ca61e4346e31c2b799d8\r\nTrickbot web-inject module: 0785D0C5600D9C096B75CC4465BE79D456F60594\r\nSource: https://elis531989.medium.com/the-chronicles-of-bumblebee-the-hook-the-bee-and-the-trickbot-connection-686379311056",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://elis531989.medium.com/the-chronicles-of-bumblebee-the-hook-the-bee-and-the-trickbot-connection-686379311056"
	],
	"report_names": [
		"the-chronicles-of-bumblebee-the-hook-the-bee-and-the-trickbot-connection-686379311056"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-29T10:39:53.117397Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"COBALT SPIDER",
				"G0080",
				"Mule Libra",
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-29T10:39:54.613086Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1777450882,
	"ts_updated_at": 1777459285,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/19a488c230c30f8bbce5903de947698c5812abfc.pdf",
		"text": "https://archive.orkl.eu/19a488c230c30f8bbce5903de947698c5812abfc.txt",
		"img": "https://archive.orkl.eu/19a488c230c30f8bbce5903de947698c5812abfc.jpg"
	}
}