# This isn't Optimus Prime's Bumblebee but it's Still Transforming **proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming** April 27, 2022 ----- [Blog](https://www.proofpoint.com/us/blog) [Threat Insight](https://www.proofpoint.com/us/blog/threat-insight) This isn't Optimus Prime's Bumblebee but it's Still Transforming ----- April 28, 2022 Kelsey Merriman and Pim Trouerbach ## Key Findings Proofpoint has tracked a new malware loader called Bumblebee used by multiple crimeware threat actors previously observed delivering BazaLoader and IcedID. Several threat actors that typically use BazaLoader in malware campaigns have transitioned to Bumblebee. BazaLoader has not been seen in Proofpoint data since February 2022. Bumblebee is in active development and wields elaborate evasion techniques to include complex antivirtualization. Unlike most other malware that uses process hollowing or DLL injection, this loader utilizes an asynchronous procedure call (APC) injection to start the shellcode from the commands received from the command and control (C2). Proofpoint observed Bumblebee dropping Cobalt Strike, shellcode, Sliver, and Meterpreter. Threat actors using Bumblebee are associated with malware payloads that have been linked to follow-on ransomware campaigns. ## Overview Starting in March 2022, Proofpoint observed campaigns delivering a new downloader called Bumblebee. At least three clusters of activity including known threat actors currently distribute Bumblebee. Campaigns [identified by Proofpoint overlap with activity detailed in the Google Threat Analysis Group blog as leading to](https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti) Conti and Diavol ransomware. Bumblebee is a sophisticated downloader containing anti-virtualization checks and a unique implementation of common downloader capabilities, despite it being so early in the malware's development. Bumblebee's objective is to download and execute additional payloads. Proofpoint researchers observed Bumblebee dropping Cobalt Strike, shellcode, Sliver and Meterpreter. The malware name comes from the unique UserAgent "bumblebee" used in early campaigns. The increase of Bumblebee in the threat landscape coincides with BazaLoader a popular payload that facilitates follow-on compromises–disappearing recently from Proofpoint threat data. ## Campaign Details ----- Proofpoint researchers have observed Bumblebee being distributed in email campaigns by at least three tracked threat actors. The threat actors have used multiple techniques to deliver Bumblebee. While lures, delivery techniques, and file names are typically customized to the different threat actors distributing the campaigns, Proofpoint observed several commonalities across campaigns, such as the use of ISO files containing shortcut files and DLLs and a common DLL entry point used by multiple actors within the same week. ### URLs and HTML Attachments Leading to Bumblebee In March 2022, Proofpoint observed a DocuSign-branded email campaign with two alternate paths designed to lead the recipient to the download of a malicious ISO file. The first path began with the recipient clicking on the "REVIEW THE DOCUMENT" hyperlink in the body of the email. Once clicked, this would link the user to the download of a zipped ISO file, hosted on OneDrive. _Figure 1: Email delivered March 2022 containing a URL and an HTML attachment_ Alternatively, the same email also contained an HTML attachment. The appearance of the opened HTML file masqueraded to look like an email containing a link to an unpaid invoice. The embedded URL in the HTML attachment used a redirect service which Proofpoint refers to as Cookie Reloaded, a URL redirect service which uses Prometheus TDS to filter downloads based on the time zone and cookies of the potential victim. The redirector in turn directed the user to a zipped ISO file, also hosted on OneDrive. ----- _Figure 2: HTML Attachment Containing Link to Cookie Reloaded URL Redirect_ The ISO file contained files named "ATTACHME.LNK" and "Attachments.dat". If ran, the shortcut file "ATTACHME.LNK" executed "Attachments.dat" with the correct parameters to run the downloader, Bumblebee. _Figure 3: Contents of the archive viewed in WinRAR_ _Figure 4: Contents of ISO viewed in WinRAR_ ----- Process tree from the shortcut file: _cmd.exe /c start /wait "" "C:\Users\[removed]\AppData\Local\Temp\ATTACHME.LNK"_ _rundll32.exe "C:\Windows\System32\rundll32.exe"_ _Attachments.dat,IternalJob_ _Figure 5: TA579 attack chain leading to Bumblebee_ Proofpoint researchers attributed this campaign with high confidence to the cybercriminal group TA579. Proofpoint has tracked TA579 since August 2021. This actor frequently delivered BazaLoader and IcedID in past campaigns. ### Thread Hijacked, Zipped ISO Attachments Leading to Bumblebee In April 2022, Proofpoint observed a thread-hijacking campaign delivering emails that appeared to be replies to existing benign email conversations with malicious zipped ISO attachments. All the attachment names in this campaign used the pattern "doc_invoice_[number].zip". ----- _Figure 6: Email sample of a hijacked thread containing a malicious zipped ISO attachment_ The zipped ISO was password-protected and contained "DOCUMENT.LNK" and "tar.dll". The password was shared in the body of the email. The shortcut file "DOCUMENT.LNK", if ran, executed "tar.dll" with the correct parameters to start the Bumblebee downloader. _Figure 7: Process Tree from the shortcut file_ _Figure 8: Thread hijacking attack chain leading to Bumblebee_ ### Contact Forms "Stolen Images" Leading to Bumblebee In March 2022, Proofpoint observed a campaign delivering emails generated by submitting a message to a contact form on the target's website. Additionally, depending on how the website's "contact us" section was configured, the submission also left public comments regarding this topic on the target's site. The emails purported to be claims that stolen images existed on the website. ----- _Figure 9: Email sample containing a link to a landing page_ The "complaint" contained a link to a landing page which directed the user to the download of an ISO file containing "DOCUMENT_STOLENIMAGES.LNK" and "neqw.dll"). _Figure 10: Example Landing page_ The shortcut file, if ran, executed "neqw.dll" with the correct parameters to start the Bumblebee downloader. ----- _Figure 11: "Contact Form" attack chain leading to Bumblebee_ Proofpoint attributed this campaign to TA578, a threat actor that Proofpoint researchers have been tracking since May of 2020. TA578 has previously been observed in email-based campaigns delivering Ursnif, IcedID, KPOT Stealer, Buer Loader, BazaLoader, and Cobalt Strike. ## Relationship to Other Malware The use of Bumblebee by multiple threat actors, the timing of its introduction in the landscape, and behaviors described in this report can be considered a notable shift in the cybercriminal threat landscape. Additionally, Proofpoint assesses with moderate confidence the actors using Bumblebee may be considered initial access facilitators, that is, independent cybercriminal groups that infiltrate major targets and then sell access to followon ransomware actors. At least three tracked threat actors that typically distribute BazaLoader malware have transitioned to Bumblebee payloads, with BazaLoader last appearing in Proofpoint data in February 2022. BazaLoader is a first stage downloader first identified in 2020 that has been associated with follow-on [ransomware campaigns including Conti. Proofpoint researchers initially observed BazaLoader being distributed](https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/) in high volume by a threat actor that was primarily known to distribute the Trick banking trojan. _Figure 12: Timeline of select campaigns from BazaLoader and Bumblebee_ BazaLoader's apparent disappearance from the cybercrime threat landscape coincides with the timing of Conti Leaks, when, at the end of February 2022, a Ukrainian researcher with access to Conti's internal operations [began leaking data from the cybercriminal organization. Infrastructure associated with BazaLoader was](https://therecord.media/conti-leaks-the-panama-papers-of-ransomware/) identified in the leaked files. ----- Proofpoint assesses with high confidence based on malware artifacts all the tracked threat actors using Bumblebee are receiving it from the same source. ## Malware Analysis Bumblebee is a downloader written in C++. The initial Bumblebee DLL sample analyzed contains two exports. One directly starts the thread for the Bumblebee main function. The other eventually leads to the same main function, but adds checks to see if hooks have been placed within key dynamic link libraries (DLLs). The LNK loading this DLL skips the default DllMain function and instead calls the export that checks for function hooks. _Figure 13: Screenshot of Bumblebee hook check_ The majority of the Bumblebee loader is condensed into a single function unlike most malware where initialization, request sending, and response handling are broken out into different functions. The loader starts with copying over the group ID which is effectively used as botnet identifier. Unlike most other malware, Bumblebee currently has its configuration stored in plaintext, but Proofpoint suspects that obfuscation may be added in the future. With the group ID copied, the loader resolves addresses for various NTDLL functions that allow it to properly perform injection later in the loading process. ----- _Figure 14: Group ID copied and set_ Once the functions are resolved a unique event is created that serves as a mutex to ensure only a single instance of the loader is running. _Figure 15: Event creation_ At this point, a single instance of Bumblebee is confirmed to be running, and the malware begins gathering system information. The following WMI queries are executed via a COM object to gather details needed for communication: _SELECT * FROM Win32_ComputerSystem_ _SELECT * FROM Win32_ComputerSystemProduct_ The hostname and UUID of the system are gathered and concatenated based on the query output. An MD5 hash of this value is then generated and turned into a hex digest. The result becomes the unique client ID of the bot. ----- _Figure 16: Client ID creation_ After the client ID has been generated, the loader creates the system version string which includes the caption of a WMI query, the host's username, and the domain of the host if applicable. With all this information gathered, the loader can start communication with the C2. The loader checks into the C2 every 25 seconds to retrieve commands. Unlike most malware that has a set of modules or payloads that are immediately returned to the bot, it appears the actors behind this malware manually deploy payloads to Bumblebee as it can take multiple hours before it receives any jobs to execute. Each server response contains a variation of the data shown in the figure below. If valid tasks are returned, the "tasks" value will be a list of dictionaries that contain all the task information. ----- _Figure 17: Bumblebee response_ Bumblebee loader supports the following commands: Shi: shellcode injection Dij: DLL injection Dex: Download executable Sdl: uninstall loader Ins: enable persistence on the bot ### Ins Command The Ins command enables persistence by copying the Bumblebee DLL to a subdirectory of %APPDATA% folder and creating a Visual Basic Script that will load the DLL. A scheduled task is created that invokes the Visual Basic Script via wscript.exe. _Figure 18: VBS script loading the DLL_ _Figure 19: Scheduled task created with the VBS file_ ### Dex Command The Dex command is the most rudimentary of the supported commands. It takes the base64 decoded content from the server response, writes it to disk at a hardcoded path and executes it via a COM object ----- _Figure 20: Dex command output_ ### Dij Command The Dij command adds the ability to inject DLLs into the memory of other processes. For injection targets, the malware picks one of three hardcoded options to inject the DLL into (ImagingDevices.exe, wab.exe, or wabmig.exe). _Figure 21: Identifying executable files as injection targets_ With a random executable picked, the loader starts the process in a suspended state (also via a COM object). This allows the malware to easily manipulate the process without causing issues. Next, it prepares the process for injection by enabling debug privileges so it can inject the shellcode necessary for execution. ----- _Figure 22: New process creation and enabling debug privileges_ With proper permissions set, data can be manipulated, and the loader writes shellcode to the suspended process, overriding the initial entry point with a new one. This implementation writes 32 bytes of shellcode and replaces a placeholder of with the resolved address of SleepEx. _Figure 23: SleepEx replacing the placeholder value_ ----- _Figure 24: Disassembled shellcode_ The "call RAX" instruction in the shellcode assembly shown in above figure gets replaced with the address of the SleepEx as seen in the previous figure and the shellcode calls SleepEx with a value of 1000 milliseconds. With the shellcode now injected into the process, the process can be resumed and the loader can inject the malicious payload into the executable via an APC routine. _Figure 25: Process injection via APC_ To properly inject, the loader creates two new sections within the injection target and copies the buffer from dij into the new section then invokes the copied contents in the target executable via a dynamically resolved _NtQueueApcThread._ _Figure 26: Creation of two new sections_ ----- _Figure 27: Calling the dynamically resolved NtQueueApcThread_ ### Malware Development Proofpoint researchers noticed that within a month of campaigns, Bumblebee developers added new features to the malware. Specifically, the inclusion of anti-VM and anti-sandbox checks. Below is the earlier sample: _Figure 28: Old Bumblebee sample_ And the more recent sample: _Figure 29: Updated Bumblebee sample with addition of check bad artifacts_ ----- Researching the new functionality revealed a neat surprise: _Figure 30: Decompilation of the malware's firmware check_ _Figure 31: Open source code from Al Khaser showing the exact same check_ ----- [The above figures are part of the Al Khaser suite which is a common tool used to check for VM artifacts. It](https://github.com/LordNoteworthy/al-khaser/blob/06d4a89e9ecc3e49e4d2df67fe0b2d6faf04166e/al-khaser/Shared/Utils.cpp#L950) appears that the developers of the Bumblebee loader rely on open-source tooling, just like standard developers. ## Significant Update Proofpoint noted significant changes to Bumblebee functionality in the latest version of Bumblebee observed on April 19, 2022. Support for multiple C2s via a comma delimited list is now supported. _Figure 32: Multiple embedded C2s_ The sleep interval in the older versions was previously hardcoded at 25 seconds but now that has been replaced with a randomized value. _Figure 33: Addition of random sleep values_ The most significant change to the malware has been the addition of an encryption layer to the network communications. The developers added RC4 via a hardcoded key to the sample which is used to encrypt the requests and decrypt the responses. _Figure 34: encryption of the request_ ----- _Figure 35: decryption of the response_ As another marker of this group demonstrating their fast development velocity, on April 22 Proofpoint observed this group adding a new thread to Bumblebee that checks current running processes against a hardcoded list of common tools used by malware analysts. This thread gets created at the beginning of the Bumblebee process. _Figure 36: The Bumblebee main function showing the start of the new thread._ ----- _Figure 37: The list of tools Bumblebee checks for._ If any of these processes are found, the function returns 1 which triggers the main Bumblebee thread to be terminated. ## Conclusion Bumblebee is a sophisticated malware loader that demonstrates evidence of ongoing development. It is used by multiple cybercrime threat actors. Proofpoint assesses with high confidence Bumblebee loader can be used as an initial access facilitator to deliver follow-on payloads such as ransomware. Based on the timing of its appearance in the threat landscape and use by multiple cybercriminal groups, it is likely Bumblebee is, if not a direct replacement for BazaLoader, then a new, multifunctional tool used by actors that historically favored other malware. ## Indicators of Compromise **Indicator** **Type** **Description** ----- c6ef53740f2011825dd531fc65d6eba92f87d0ed1b30207a9694c0218c10d6e0 SHA256 31 March–1 April 2022 ISO Sample a72538ba00dc95190d6919756ffce74f0b3cf60db387c6c9281a0dc892ded802 SHA256 31 March–1 April 2022 Bumblebee Sample 77f6cdf03ba70367c93ac194604175e2bd1239a29bc66da50b5754b7adbe8ae4 SHA256 5 April 2022 ISO Sample 0faa970001791cb0013416177cefebb25fbff543859bd81536a3096ee8e79127 SHA256 5 April 2022 Bumblebee Sample Fe7a64dad14fe240aa026e57615fc3a22a7f5ba1dd55d675b1d2072f6262a1 SHA256 28 March–1 April 2022 ISO Sample 08CD6983F183EF65EABD073C01F137A913282504E2502AC34A1BE3E599AC386B SHA256 10 March unpacked Bumblebee sample **ET Signatures** ET MALWARE Win32/BumbleBee Loader Activity ET USER_AGENTS Observed Bumblebee Loader User-Agent (bumblebee) Subscribe to the Proofpoint Blog -----