BumbleBee hunting with a Velociraptor
Published: 2023-04-11 · Archived: 2026-04-05 17:40:05 UTC
11.04.2023
research
BumbleBee, a malware which is mainly abused by threat actors in data exfiltration and ransomware incidents, was recently
analyzed by Angelo Violetti of SEC Defence - the SEC Consult Digital Forensics and Incident Response team.
During his research, he used several tools and techniques to define ways to detect the presence of BumbleBee on a
compromised infrastructure.
The various detection opportunities described in the report can be useful for organizations to detect an infection in its first
stages and, therefore, prevent further malicious activity starting from BumbleBee. The detection opportunities rely on open-source tools (e.g., Velociraptor) and rules (e.g., Yara, Sigma) so they can be used by any company or the wider community.
SEC Defence offers Threat Hunting and Incident Response services to support clients in promptly detecting and responding
to cyber threats such as BumbleBee. To request immediate support in case of a potential incident or breach, get in touch with
SEC Defence. 
Introduction
Ransomware attacks, combined with data exfiltration, are one of the most relevant cyber threats for companies
worldwide, as reported by the Enisa Threat Landscape 2022. According to the NIST's Incident Handling guide, the
prevention and detection phases of those types of attacks can be crucial to minimize the potential incident's impacts (e.g.,
operational, legal, etc.).
To gain initial access into a victim’s infrastructure, ransomware operators abuse mostly the following techniques:
Phishing campaigns, also conducted by initial access brokers1, that deliver malware which acts as a loader for
subsequent post-exploitation frameworks like Cobalt Strike or Meterpreter.
https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/
Page 1 of 12

Exposed vulnerable services that can be exploited to execute arbitrary commands remotely.
Compromised accounts that allow the threat actor to login into services like VPN.
One of the newest malware families, first discovered by the Google Threat Analysis Group in 2021, and delivered by initial
access brokers is called BumbleBee and it has been used by the well-known Russian group Wizard Spider which has been
linked to ransomware like Conti, Quantum, Royal, etc.
In this article, SEC Defence shows the analysis that has been performed of a BumbleBee sample and provides some threat
hunting methods to detect BumbleBee techniques.
BumbleBee
BumbleBee is commonly distributed via malicious ISO images. and abuses thread-hijacking emails to induce the victims to
download the ISO file and subsequently open it. When executed, BumbleBee performs mainly the following actions:
Verifies if it is running in an analysis or sandboxing environment by performing various checks like enumerating the
registry keys and drivers related to VMware or VirtualBox.
Gathers information about the compromised system through WMI queries.
Connects to the command and control (C2) servers embedded into the malware configuration that is RC4 encrypted.
Furthermore, BumbleBee can also receive specific commands from the threat actors that can be useful for further malicious
actions like achieving persistence and downloading other malware (e.g., Cobalt Strike).
Malware Analysis & Detection
The BumbleBee sample analyzed is the following ISO file, which is available on Malware Bazaar.
File name Required Documents.img
MD5 016eae588e2e565414259280ba4f6753
SHA1 6983820a0d115bb78290ce9fbd6543623281d3d1
SHA256 127b3506b7da4569cbdf23bb500bb95832e1a8d4fcec5e2ce6ec9e0c973ba36b
BumbleBee Execution Process
The ISO file analyzed contained three files, two hidden and one visible LNK file.
https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/
Page 2 of 12

When opened, the LNK file launches cmd.exe to execute the hidden BAT file.
C:\Windows\System32\cmd.exe /c case_studies.bat
The threat actors slightly obfuscated the BAT file by assigning a unique string to every letter of the alphabet to hide the
executed final command.
Obfuscated BAT file:
@echo off
:ywthnwxyyek
set ugfmhz=a
:dykxmzumupg
set zjxchb=b
:ibbnmbrapbc
set c=c
:ndtdmdoplmy
set d=d
:gnczycxqkhn
set e=e
:lqupyfuegsj
set f=f
:qslfyhrtbde
set g=g
:vvcvyjohxoa
set h=h
:ofmqjjxjwjp
set i=i
:thdgjluxsul
set j=j
:ykvwjnrlngh
set k=k
:dmmnjqpajrd
set l=l
:wxwivpxbimr
set m=m
:bznyurvpexn
set n=n
:gceoutseaij
set o=o
:leweuwpsvtf
set p=p
:eofagvytuou
set q=q
:jrxqgxviqzq
set r=r
:otoggaswmkl
set s=s
:twgwgcplhwh
set t=t
:lgprrbymgqw
set u=u
:rigirdvaccs
https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/
Page 3 of 12

set v=v
:wlyyrgspyno
set w=w
:bnporipdtyk
set x=x
:txzjdhyestz
set y=y
:yaqzckvtoeu
set z=z
:zogksw
%c%%m%%d%.%e%%x%%e% /%c% %s%%t%%a%%r%%t% /%b% /%m%%i%%n% %c%%o%%p%%y% /Y C:\W%i%%n%%d%%o%%w%%s%\S%y%%s%%t%%e%%m%32\%r%%u%%
By de-obfuscating the BAT file, it is possible to see that it copies the rundll32 executable into the ProgramData directory and
then launches the BumbleBee DLL (network.dll).
De-obfuscated BAT file:
cmd.exe /c start /b /min copy /Y C:\Windows\System32\rundll32.exe C:\ProgramData\ESMS3uYsyNq2s.exe && start /b /min C:\Pr
Defense Evasion: Mark-of-the-Web Bypass
BumbleBee abuses ISO images to evade a Windows mechanism called Mark-of-the-Web. Such a mechanism tracks, through
a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifiers, files downloaded from the Internet which trigger
security measures on the tracked files.
Velociraptor
The Velociraptor artifact called Windows.Detection.ISOMount can be used to search for ISO files mounted this activity is
tracked in the Windows Event Logs with EventID 22.
The following image shows the identification of the BumbleBee ISO image mounting.
Masquerading: Rename System Utilities Detection
The technique used by the BAT file is called Rename System Utilities and consists of copying itself into a specific folder,
modifying the name of the executable in order to evade security mechanisms.
https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/
Page 4 of 12

Velociraptor
Velociraptor natively offers an artifact named Windows.Detection.BinaryRename to hunt for known executables that are
copied and re-named by threat actors.
SELECT * FROM source(artifact="Windows.Detection.BinaryRename") WHERE VersionInformation.OriginalFilename =~ "rundll32"
The following image shows the identification of this technique through Velociraptor.
Windows Event Logs
By looking at Sysmon2 Event ID 1, we notice that the OriginalFileName value does not match the executable name
specified in the Image value.
Therefore, it is possible to hunt for this pattern also through the following Sigma rule:
[…]
detection:
 selection:
 - Description: 'Execute processes remotely'
 - Product: 'Sysinternals PsExec'
 - Description|startswith:
 - 'Windows PowerShell'
 - 'pwsh'
 - OriginalFileName:
 - 'powershell.exe'
 - 'pwsh.dll'
 - 'powershell_ise.exe'
 - 'psexec.exe'
 - 'psexec.c' # old versions of psexec (2016 seen)
 - 'psexesvc.exe'
 - 'cscript.exe'
 - 'wscript.exe'
 - 'mshta.exe'
 - 'regsvr32.exe'
 - 'wmic.exe'
 - 'certutil.exe'
 - 'rundll32.exe'
 - 'cmstp.exe'
 - 'msiexec.exe'
 - 'reg.exe'
[…]
The full Sigma rule can be found here.
https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/
Page 5 of 12

Execution: System Binary Proxy Execution Detection
BumbleBee executes the malicious DLL through Rundll32 with the aim to hide the malware from security applications.
Velociraptor
SEC Defence has created the following Yara rule that can be used to detect running BumbleBee processes through the
Velociraptor artifact Windows.Detection.Yara.Process.
rule BumbleBee_Unpacked{
meta:
author = "Angelo Violetti (SEC Consult - SEC Defence)"
date = "2023-02-23"
description = "Rule to detect BumbleBee in memory"
reference = "https://sec-consult.com/incident-response/sec-defence/"
strings:
/*
$s1
mov rax, [rbx+10h]
cmp qword ptr [rbx+18h], 10h
jb short loc_18000738F
mov rbx, [rbx]
mov r8d, eax
mov rdx, rbx
lea rcx, [rsp+148h+array]
call mw_rc4_ksa_wrapper
nop
$s2
mov r8d, 0FFFh
lea rdx, mw_encrypted_config
lea rcx, [rsp+148h+array]
call mw_rc4_decrypt_wrapper
nop
$s3
lea rcx, [rsp+148h+array]
call mw_return
*/
$s1 = {?? 83 ?? 18 10 72 03 ?? 8B ?? 44 8B ?? 48 8B ?? 48 8D 4C 24 30 E8 ?? ?? FF FF 90}
$s2 = {48 8D 4C 24 30 E8 ?? ?? FF FF 90}
$s3 = {48 8D 4C 24 30 E8 ?? ?? FF FF}
condition:
all of ($s*)
}
https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/
Page 6 of 12

The Yara rule is based on the operations performed by the malware when decrypts its embedded configuration containing
the command and control servers.
The following image shows the identification of BumbleBee processes through SEC Defence Yara rule and Velociraptor.
Windows Event Logs
Since at time of execution BumbleBee DLL is located on the mounted ISO file, when rundll32.exe is executed, its current
directory is set to the external drive, as shown by the following Sysmon Event ID 1.
https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/
Page 7 of 12

To detect this behaviour, SEC Defence has defined the following Sigma rule:
title: Suspicious Rundll32 with Current Directory an External Drive
ruletype: Sigma
author: Angelo Violetti (SEC Consult - SEC Defence)
date: 2023/03/01
description: Detects the execution of rundll32.exe and the current directory is not C
reference: sec-consult.com/incident-response/sec-defence/
id: aaff35da-bcee-11ed-afa1-0242ac120002
status: experimental
tags:
 - attack.defenseevasion
 - attack.T1553.005
logsource:
 category: process_creation
 product: windows
detection:
 SELECTION_1:
 OriginalFileName: 'rundll32.exe'
 SELECTION_2:
 CurrentDirectory|startswith: 'C:\\'
 condition: SELECTION_1 and not SELECTION_2
level: medium
https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/
Page 8 of 12

Command & Control: Application Layer Protocol
After compromising the victim's workstation, BumbleBee contacts the C2 servers that are RC4 encrypted in the binary. By
analyzing the process memory, it is possible to notice various IP addresses followed by a destination port, however, only a
part of them is associated with port 443 (HTTPS) and are actually used as a C2.
Velociraptor
To automatically extract the C2 server addresses  from the malware, SEC Defence created  further Velociraptor artifacts that
firstly detects BumbleBee processes and secondly extracts the IP addresses which have port 443 associated.
name: Custom.Windows.Carving.BumbleBee
author: "Angelo Violetti (SEC Consult - SEC Defence)"
type: CLIENT
description: |
 This artficat will detect running BumbleBee processes and subsequently extract the command and control servers wit
reference: sec-consult.com/incident-response/sec-defence/
parameters:
 - name: TargetFileGlob
 default:
 - name: PidRegex
 default: .
 - name: ProcessRegex
 default: .
 - name: DetectionYara
 default: |
 rule BumbleBee_Unpacked{
 meta:
 author = "Angelo Violetti @ SEC Defence"
 date = "2023-02-23"
 
 strings:
 $s1 = {?? 83 ?? 18 10 72 03 ?? 8B ?? 44 8B ?? 48 8B ?? 48 8D 4C 24 30 E8 ?? ?? FF FF 90}
 $s2 = {48 8D 4C 24 30 E8 ?? ?? FF FF 90}
 $s3 = {48 8d 4c 24 30 e8 ?? ?? FF FF}
 
 condition:
 all of ($s*)
 }
 
 - name: ExtractIPsYara
 default: |
 rule BumbleBee_IPs{
 meta:
 author = "Angelo Violetti @ SEC Defence"
 date = "2023-02-23"
 description = "Extracts the IP addresses with the destination port equal to 443 from BumbleBee processes"
https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/
Page 9 of 12

strings:
 $IP = {?? ?? ?? 2e ?? ?? ?? 2e ?? ?? ?? 2e ?? ?? ?? 00 (?? | ?? ??) 00 00 00 00 00 00 00 0f 00 00 00 00 00 00
 condition:
 $IP
 }
sources:
 - precondition:
 SELECT OS From info() where OS = 'windows'
 query: |
 -- Find velociraptor process
 LET me = SELECT Pid
 FROM pslist(pid=getpid())
 -- Find all processes and add filters
 LET processes = SELECT Name AS ProcessName, CommandLine, Pid
 FROM pslist()
 WHERE Name =~ ProcessRegex
 AND format(format="%d", args=Pid) =~ PidRegex
 AND NOT Pid in me.Pid
 -- Scan processes in scope with our DetectionYara
 LET processDetections = SELECT * FROM foreach(row=processes,
 query={
 SELECT * FROM if(condition=TargetFileGlob="",
 then={
 SELECT *, ProcessName, CommandLine, Pid, Rule AS YaraRule
 FROM proc_yara(pid=Pid, rules=DetectionYara)
 })
 })
 
 -- Scan the process for the IP addresses
 LET ipaddressDetections = SELECT ProcessName, CommandLine, Pid, Strings.Data AS IPAddresses FROM foreach(row=proce
 
 -- Extract the command and control servers
 LET CommandandControlServers = SELECT * FROM foreach(row=ipaddressDetections, query={SELECT ProcessName, CommandLi
 -- Output the command and control servers
 SELECT ProcessName, CommandLine, Pid, str(str=g1) AS BumbleBeeC2 FROM CommandandControlServers
The following image shows the output produced by the SEC Defence Velociraptor artifact.
https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/
Page 10 of 12

Network Traffic Analysis
Another method to detect connections to C2 servers is by integrating and constantly updating Cyber Threat Intelligence
feeds and detection rules with network security technologies.
In this specific case, the following Proofpoint Emerging Threat Rules were triggered:
ET CNC Feodo Tracker Reported CnC Server group 1: 103[.]144[.]139[.]146
ET CNC Feodo Tracker Reported CnC Server group 10: 205[.]185[.]113[.]34
ET CNC Feodo Tracker Reported CnC Server group 11: 23[.]106[.]223[.]222
ET CNC Feodo Tracker Reported CnC Server group 25: 95[.]168[.]191[.]248
Suggested Remediation / Other Actions
Proactively hunt at scale for the subsequent actions that could have been performed by the threat actors after having
compromised the patient zero (e.g., discovery, credential access, lateral movement, etc.).
Isolate, where possible, the compromised systems to contain the incident and prevent the spread of the infection.
Block the indicators of compromise (IoCs) identified during the analysis and, eventually, insert in blacklists also the
indicators reported on OSINT sources like Malware Bazaar, Feodo Tracker, etc.
If support in handling the incident is needed, contact the incident response team.
Conclusion
By analyzing the tactics, techniques and procedures adopted by BumbleBee, SEC Defence identified and created
mechanisms to detect the malware in the early stages of the attack with the aim objective to minimize further potential
impacts such as data exfiltration and/or encryption.
As stated by other companies (Mandiant, Intrisec), the threat actors behind BumbleBee have a strong relationship with other
malware families like Emotet or IcedID and ransomware groups. Therefore, proactively hunting for BumbleBee activities or
applying the right remediation actions in time can prevent the execution of other malicious executables that could cause
service unavailability or impact the confidentiality and integrity of data.
1
 Initial access brokers are cyber-criminals that sell access to compromised infrastructures to other groups with the aim to
obtain a financial gain.
2
 Sysmon (System Monitor) is a Windows service that allows logging a wide range of activities performed on a system such
as process creation, network connections or file changes.
Repositories:
Sigma: https://github.com/angelovioletti/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_ext_drive
Velociraptor: https://github.com/Velocidex/velociraptor-docs/blob/d891bf8671230437b2b4497649c28b9a6045252b/content/exchange/artifacts/BumbleBee.yaml
Yara: https://github.com/sec-consult/SD-BumbleBee-Hunting-Rules/blob/main/BumbleBee_Unpacked.yara
This research has been conducted by Angelo Violetti and published on behalf of  SEC Defence. 
Are you interested in working at SEC Consult?
SEC Consult is always searching for talented security professionals to work in our team.
https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/
Page 11 of 12

Source: https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/
https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/
Page 12 of 12