# Tracking Bumblebee’s Development

### Suweera De Souza

###### Senior Security Researcher at

-----

##### ● Bumblebee’s development timeline
##### ● Endpoint Detection and Response (EDR) evasion techniques
##### ● Assessment of the developers
##### ● CrowdStrike name: Shindig

-----

#### Development timeline

| Date | Event |
|---|---|
| 15 September 2021 | Reporting on CVE-2021-40444 attacks[1] |
| 31 January 2022 | First build as a bot |
| 17 March 2022 | First reporting of Bumblebee[2] |
| March 2022 | 3 major affiliates |
| 10 August 2022 | Hiatus |
| 9 October 2022 | Back from hiatus; SmokeBot distribution |
| 24 October 2022 | BatLoader distribution |
| 19 January 2023 | Back from hiatus |
| February 2023 | 1 major affiliate |

-----

#### EDR evasion timeline

Phases: Build, Execution, Evasion, Hiatus.

##### ● Bot start: if an EDR hook is present on RtlExitUserProcess, ensure Bumblebee’s thread has finished executing, so the EDR cannot access the thread
##### ● This technique is later swapped for thread execution hijacking
##### ● Loader start: the loader is introduced with remote library injection

-----
#### Remote library injection

##### ● Masquerades Bumblebee’s main DLL as a legitimate DLL
##### ● Hooks the APIs NTDLL uses for mapping and loading DLLs
###### ○ Emulates their operations against a memory region
##### ● POC released in 2004[1]
##### ● Observed used by Ramnit[2]

-----

#### Thread execution hijacking

##### ● Masquerades Bumblebee under a decoy start routine
###### ○ The start routine is hidden under RtlNewSecurityObjectWithMultipleInheritance
##### ● Swaps the start routine in the suspended thread’s context
##### ● Typically used for process injection[1]
##### ● Observed used by the COZY BEAR C2-Client Dropbox Loader[2]

-----

#### C2 communication

##### ● WebSocket protocol
##### ● Message is stored as JSON
##### ● Message is RC4 encrypted
##### ● Message types: Ping, Hit, Task, Task Result
###### ○ Ping: beaconing-style communication, messages are sent in a loop
###### ○ Hit: binary_db contains browsing history from Chrome and MSEdge
##### ● The Hit message is crafted from the Al-Khaser techniques

-----

#### C2 changes over time

##### ● C2 messages, in order from bot start to the loader’s introduction:
###### ○ Unencrypted Task request/response
###### ○ Encrypted Task request/response
###### ○ Ping + Task request/response
##### ● Updates grouped by:
###### ○ Protocol
###### ○ User-Agent string
###### ○ URL endpoint string
###### ○ Client version
###### ○ JSON messages

-----
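The C2 message handling described above (a JSON body, RC4-encrypted, one message per WebSocket frame, with Ping and Hit message types) as an added example aimed at analysis tooling; it is not code from the talk or from Bumblebee. RC4 is implemented inline because the Python standard library has none. The field names in the sample messages and the key are constructed for illustration: the slides name the message types and the binary_db field but do not give the JSON schema.

```python
"""Encode and decode Bumblebee-style C2 messages: JSON text, RC4-encrypted.
Added example for analysis tooling, not code from the talk or the malware.
The message field names (other than binary_db) are assumed."""
import json


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encode_message(key: bytes, msg: dict) -> bytes:
    """Serialise a message as the bot would put it on the wire: compact JSON, then RC4."""
    return rc4(key, json.dumps(msg, separators=(",", ":")).encode("utf-8"))


def decode_message(key: bytes, frame: bytes):
    """Inverse of encode_message. Returns None instead of raising on a wrong key,
    so a caller can try several candidate keys pulled from a sample."""
    try:
        return json.loads(rc4(key, frame).decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return None


def first_working_key(candidates, frame: bytes):
    """Try candidate RC4 keys against a captured frame; return (key, message) or (None, None)."""
    for key in candidates:
        msg = decode_message(key, frame)
        if isinstance(msg, dict) and "type" in msg:
            return key, msg
    return None, None


# Constructed sample key and messages (not a real campaign key; field names assumed)
SAMPLE_KEY = b"example-rc4-key"
PING = {"type": "ping", "client_id": "0f1e2d3c", "version": 3}
HIT = {"type": "hit", "client_id": "0f1e2d3c", "binary_db": "<base64 browsing-history blob>"}

if __name__ == "__main__":
    frame = encode_message(SAMPLE_KEY, PING)
    print("frame bytes:", frame.hex())
    key, msg = first_working_key([b"wrong-key", SAMPLE_KEY], frame)
    print("recovered key:", key, "message:", msg)
```

Because RC4 is a stream cipher with no integrity check, a key recovered from one sample decrypts every frame captured from that build, which is why the version-by-version grouping of C2 changes above matters when building a decryptor.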
#### Persistence

##### ● Persistence is different based on the loader used:
###### ○ PowerSploit: DPAPI is used for system encryption[1]
###### ■ A scheduled task executes a script that uses DPAPI to decrypt the PS file
###### ○ Packed DLL: a scheduled task uses the LOLBin odbcconf to execute the DLL
##### ● Initially a simple implementation of gdt was being tested[2]
##### ● Remote Procedure Call (RPC) over named pipes is used to communicate with the plugins[3]

[1] https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.protecteddata?view=windowsdesktop-6.0

-----

#### Injection (with WMI)

##### ● Injected code is added to the target process thread’s APC queue and executes when the thread enters an alertable state[1]
##### ● Bumblebee injects its payloads into processes created with WMI
###### DLL injection (figure)

-----

#### Splicing

##### ● Removes EDR hooks on APIs
###### ○ Compares the API’s instructions in memory with those in the physical file
###### ○ Compares the instructions with a length disassembler
###### ○ Copies the API’s instructions from the physical file into memory
##### ● Uses remote library injection to load the payload DLL as a legitimate DLL
##### ● Implementation matches libsplice[1]
###### ○ Commonly observed in:
###### ■ Ramnit, TrickBot, BokBot
###### ■ Game cheats

-----
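The two persistence shapes from the Persistence slide above, turned into detection logic over process-creation telemetry, as an added example; this is not code from the talk or from Bumblebee. The records are constructed Sysmon Event ID 1-style fields with invented paths. The odbcconf `/A {REGSVR ...}` syntax and the `svchost.exe -k netsvcs -p -s Schedule` host for scheduled tasks are the real Windows forms; everything else in the sample command lines is an assumption.

```python
"""Flag the two scheduled-task persistence shapes described in the talk:
(1) the task scheduler launching odbcconf.exe to register a DLL (/A {REGSVR ...}),
(2) the task scheduler launching PowerShell that calls DPAPI
    (ProtectedData.Unprotect) to decrypt a stored script before running it.
Added example; the EVENTS below are constructed, not real telemetry."""
import re

ODBCCONF_REGSVR = re.compile(r"/[aA]\s*\{\s*REGSVR\s+([^}]+)\}", re.I)
DPAPI_UNPROTECT = re.compile(r"ProtectedData\]\s*::\s*Unprotect", re.I)
SCHEDULE_SVC = re.compile(r"svchost\.exe.*\s-s\s+Schedule\b", re.I)


def image_name(path: str) -> str:
    """Basename of a Windows image path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def from_scheduler(ev: dict) -> bool:
    """True when the parent is the Task Scheduler (svchost Schedule service, or taskeng.exe on older builds)."""
    if image_name(ev["ParentImage"]) == "taskeng.exe":
        return True
    return bool(SCHEDULE_SVC.search(ev["ParentCommandLine"]))


def evaluate(ev: dict) -> list:
    """Return the rule names that match one process-creation record."""
    hits = []
    img = image_name(ev["Image"])
    sched = from_scheduler(ev)
    if img == "odbcconf.exe" and ODBCCONF_REGSVR.search(ev["CommandLine"]):
        # Any odbcconf DLL registration deserves a look; from the scheduler it is the packed-DLL shape
        hits.append("odbcconf_regsvr_scheduled" if sched else "odbcconf_regsvr")
    if img in ("powershell.exe", "pwsh.exe") and sched and DPAPI_UNPROTECT.search(ev["CommandLine"]):
        hits.append("dpapi_unprotect_scheduled")
    return hits


def scan(events) -> list:
    """(image, rule) pairs for every matching record."""
    return [(ev["Image"], rule) for ev in events for rule in evaluate(ev)]


SCHEDULER_CMD = r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule"
PS_CMD = ('powershell.exe -w hidden -ep bypass -c "Add-Type -AssemblyName System.Security; '
          r"$b=[IO.File]::ReadAllBytes('C:\ProgramData\Sync\s.bin'); "
          "iex([Text.Encoding]::UTF8.GetString([System.Security.Cryptography."
          "ProtectedData]::Unprotect($b,$null,'LocalMachine')))\"")

# Constructed Sysmon Event ID 1-style records (paths invented)
EVENTS = [
    {"Image": r"C:\Windows\System32\odbcconf.exe",
     "CommandLine": r"odbcconf.exe /A {REGSVR C:\ProgramData\Sync\upd.dll}",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "ParentCommandLine": SCHEDULER_CMD},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": PS_CMD,
     "ParentImage": r"C:\Windows\System32\svchost.exe", "ParentCommandLine": SCHEDULER_CMD},
    {"Image": r"C:\Windows\System32\odbcconf.exe",   # installer context, lower confidence
     "CommandLine": r"odbcconf.exe /A {REGSVR C:\Program Files\Vendor\driver.dll}",
     "ParentImage": r"C:\Windows\System32\msiexec.exe", "ParentCommandLine": "msiexec.exe /i setup.msi"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",   # benign interactive use
     "CommandLine": "powershell.exe Get-Process",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe"},
]

if __name__ == "__main__":
    for image, rule in scan(EVENTS):
        print(f"{rule:28s} {image}")
```

The DPAPI scope in the constructed command is LocalMachine, which is what "system encryption" means here: any process on the same host can call Unprotect on the blob, so the encryption only hinders off-host analysis of a collected file, and an analyst with access to the machine can recover the script with the same call.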
#### Assessment of the developers

##### ● Mapping activity to the software development lifecycle
###### ○ Agile methodology
###### ■ First release is a minimum viable product (MVP): 31 January 2022 to 31 March 2022
###### ■ Phase 2 introduced more EDR evasion: 31 March 2022 onwards
###### ○ C2 infrastructure worked on during the “hiatus”
##### ● Stepping out of the norm
###### ○ No API hashing or string obfuscation
###### ■ Likely a result of relying on EDR evasion during execution
##### ● Mature development practices:
###### ○ Boost
###### ■ C2 communication
###### ■ Command execution
###### ○ libsplice, for splicing

-----

## Thank You!

-----