Google ads push Bumblebee malware used by ransomware gangs
Target Industry
Targeting is indiscriminate and opportunistic: search engine poisoning is, by nature, an open trap that catches whoever searches for the impersonated software.
Overview
Bumblebee is a Windows-based malware loader designed to create initial access on a system, gather system information and serve as a platform for further exploitation, commonly the deployment of ransomware. Using false download pages spread by fraudulent Google ads, end users searching for legitimate software are misled into installing the malicious loader. The loader uses Asynchronous Procedure Call (APC) injection to launch shellcode from the commands received from its Command and Control (C2) server, in contrast to most other malware, which uses process hollowing or DLL injection. Google’s Threat Analysis Group (TAG) has identified Bumblebee’s operators as Exotic Lily and has established a connection between them and Conti.
Exotic Lily acquires access to vulnerable corporate networks, sells that access to the threat group offering the highest price, and those threat organisations use that access to launch ransomware and other attacks on the target. The group conducts major phishing campaigns, sending as many as 5,000 emails each day to as many as 650 targeted companies worldwide.
Trojanised installers impersonating multiple well-known business products, including Zoom, Cisco AnyConnect, ChatGPT, and Citrix Workspace, have been used to deliver the Bumblebee malware. The choice to imitate business applications suggests threat actors are targeting large businesses rather than individuals. Known penetration testing implants such as Cobalt Strike, Sliver, and Metasploit are deployed by the malware in the later stages of compromise.
Impact
This malware is typically used to create an opening in an organisation’s system that can be sold to threat actors or be used as a launching platform for ransomware or other methods of exploitation. This could lead to attackers initiating an attack with little to no resistance, or encryption and possible destruction of organisational data due to ransomware demands. The exploitation detailed can cause severe financial impact for an organisation and degradation of trust-based relationships with clients.
Vulnerability Detection
A comprehensive endpoint detection and response (EDR) solution, such as Microsoft Defender, can provide additional protection against malware threats such as Bumblebee. EDRs can alert system users of potential breaches and prevent further progress prior to the malware causing severe damage.
The attack procedure typically follows one of two routes:
- A phishing email is received with an ISO file attached, an HTML document containing a download link for an ISO file, or a ZIP file containing the malicious files.
- Excel .xlsb files containing Excel 4.0 macros are downloaded from Microsoft OneDrive after the user follows a redirect link; the macros then download and install the Bumblebee files.
Affected Products
Windows-based devices.
Containment, Mitigations & Remediations
Consider deploying EDR and Next-Generation Antivirus (NGAV) to all devices within your environments to allow for early detection. Detection opportunities include:
- .vbs execution as a scheduled task.
- .dll execution following an ISO container being mounted.
It is also recommended that customers regularly review inbound email policies and consider quarantining attachments from unknown or untrusted senders.
As the malicious practice of SEO poisoning continues to be a prominent threat, it is recommended that personnel receive training on how to spot signs of masquerading websites and to avoid accessing sponsored or advertised sites at the top of search engine results.
Indicators of Compromise
Bumblebee associated MD5 hashes
- 254d757d0f176afa59ecea28822b3a71
- 59fc33d849f9ad2ab4e4b7fe4b443a33
Bumblebee associated SHA-1 hashes
- 3e59fff860826055423dde5bbd8830cceae17cf3
- e4ed0f94e8ad9aeeb019e6d253e2eefa83b51b5a
Bumblebee associated SHA-256 hashes
- 0ff8988d76fc6bd764a70a7a4f07a15b2b2c604138d9aadc784c9aeb6b77e275
- 2102214c6a288819112b69005737bcfdf256730ac859e8c53c9697e3f87839f2
Bumblebee associated SSDEEP hashes
- 24576:CjrA94pj6XmVW1MN90pbRYYeDADfI06nGjjO2:6KXENeVL776/2
- 24576:kjrA94pj6XmVW1MN9
Bumblebee associated domains
- conlfex[.]com
- avrobio[.]co
- elemblo[.]com
- phxmfg[.]co
- modernmeadow[.]co
- lsoplexis[.]com
- craneveyor[.]us
- faustel[.]us
- lagauge[.]us
- missionbio[.]us
- richllndmetals[.]com
- kvnational[.]us
- prmflltration[.]com
- brightlnsight[.]co
- belcolnd[.]com
- awsblopharma[.]com
- amevida[.]us
- revergy[.]us
- al-ghurair[.]us
- opontia[.]us
Recent Bumblebee ISO samples:
- 9eacade8174f008c48ea57d43068dbce3d91093603db0511467c18252f60de32
- 6214e19836c0c3c4bc94e23d6391c45ad87fdd890f6cbd3ab078650455c31dc8
- 201c4d0070552d9dc06b76ee55479fc0a9dfacb6dbec6bbec5265e04644eebc9
- 1fd5326034792c0f0fb00be77629a10ac9162b2f473f96072397a5d639da45dd
- 01cc151149b5bf974449b00de08ce7dbf5eca77f55edd00982a959e48d017225
Recent Bumblebee C2:
- 23.81.246[.]187:443
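The two detection opportunities listed under Containment, Mitigations & Remediations (a .vbs launched as a scheduled task, and a DLL executed shortly after an ISO is mounted) and the indicator lists above can be turned into a small triage check over endpoint telemetry. The following is an added example written for this page, not code from the advisory or from any vendor; the event schema and the sample events are constructed, and only a subset of the published hashes and domains is loaded to keep the block short. The defanged `[.]` notation used in the lists is normalised before matching.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# IoC values copied from the lists in this advisory (a subset is enough
# to demonstrate the lookup; the full lists would be loaded the same way).
IOC_SHA256 = {
    "0ff8988d76fc6bd764a70a7a4f07a15b2b2c604138d9aadc784c9aeb6b77e275",
    "2102214c6a288819112b69005737bcfdf256730ac859e8c53c9697e3f87839f2",
    "9eacade8174f008c48ea57d43068dbce3d91093603db0511467c18252f60de32",
}
IOC_DOMAINS_DEFANGED = {"conlfex[.]com", "avrobio[.]co", "elemblo[.]com"}
IOC_C2_DEFANGED = "23.81.246[.]187:443"


def refang(indicator: str) -> str:
    """Convert the published defanged form ('[.]') into a matchable value."""
    return indicator.replace("[.]", ".")


@dataclass
class Event:
    """Normalised endpoint event; the schema is constructed for this example."""
    ts: datetime
    host: str
    kind: str         # task_create | iso_mount | process_start | dns | net_conn
    detail: str       # task action, mounted image, command line, domain or ip:port
    sha256: str = ""  # image hash for process_start events, if the sensor has it


def detect_vbs_scheduled_task(events):
    """Opportunity 1: a scheduled task whose action runs a .vbs script."""
    return [e for e in events
            if e.kind == "task_create" and ".vbs" in e.detail.lower()]


def detect_dll_after_iso(events, window=timedelta(minutes=10)):
    """Opportunity 2: rundll32/regsvr32 loading a DLL on the same host
    within `window` after an ISO image was mounted."""
    mounts = [e for e in events if e.kind == "iso_mount"]
    hits = []
    for e in events:
        if e.kind != "process_start":
            continue
        cmd = e.detail.lower()
        if ".dll" not in cmd or not ("rundll32" in cmd or "regsvr32" in cmd):
            continue
        for m in mounts:
            if m.host == e.host and m.ts <= e.ts <= m.ts + window:
                hits.append((m, e))
                break
    return hits


def match_iocs(events):
    """Look up file hashes, DNS queries and outbound connections against the IoCs."""
    domains = {refang(d) for d in IOC_DOMAINS_DEFANGED}
    c2 = refang(IOC_C2_DEFANGED)
    hits = []
    for e in events:
        if e.sha256 and e.sha256.lower() in IOC_SHA256:
            hits.append(("hash", e))
        elif e.kind == "dns" and e.detail.lower().rstrip(".") in domains:
            hits.append(("domain", e))
        elif e.kind == "net_conn" and e.detail == c2:
            hits.append(("c2", e))
    return hits


def summarize(events):
    """Counts per detection, the shape an alert pipeline would emit."""
    ioc = match_iocs(events)
    return {
        "vbs_scheduled_task": len(detect_vbs_scheduled_task(events)),
        "dll_after_iso_mount": len(detect_dll_after_iso(events)),
        "ioc_hash": sum(1 for k, _ in ioc if k == "hash"),
        "ioc_domain": sum(1 for k, _ in ioc if k == "domain"),
        "ioc_c2": sum(1 for k, _ in ioc if k == "c2"),
    }


# Constructed sample telemetry: one host showing the full chain, one host
# with benign rundll32 use and a benign scheduled task.
T0 = datetime(2023, 4, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, "ws01", "iso_mount", r"C:\Users\alice\Downloads\Zoom-Installer.iso"),
    Event(T0 + timedelta(minutes=2), "ws01", "process_start",
          r"rundll32.exe E:\setup.dll,Start",
          sha256="0ff8988d76fc6bd764a70a7a4f07a15b2b2c604138d9aadc784c9aeb6b77e275"),
    Event(T0 + timedelta(minutes=3), "ws01", "task_create",
          r"wscript.exe C:\Users\Public\update.vbs"),
    Event(T0 + timedelta(minutes=4), "ws01", "dns", "conlfex.com"),
    Event(T0 + timedelta(minutes=5), "ws01", "net_conn", "23.81.246.187:443"),
    Event(T0 + timedelta(minutes=1), "ws02", "task_create",
          r"C:\Program Files\Backup\backup.exe --nightly"),
    Event(T0 + timedelta(hours=2), "ws02", "process_start",
          r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for name, count in summarize(SAMPLE_EVENTS).items():
        print(f"{name}: {count}")
```

The ISO-to-DLL correlation is keyed on host and a short time window rather than on a specific DLL name, because the loader's file names change between campaigns while the mount-then-execute sequence does not; the benign `shell32.dll` invocation on the second host shows why the window matters. Hash and domain matches are high-confidence but short-lived, so the behavioural checks should be the ones that stay on after the listed indicators rotate.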
Threat Landscape
The malicious advertising and search engine poisoning threat vector has been on the increase in recent months, with other examples including the distribution of Vidar Stealer via similar methods.
The malware has been observed using fake adverts which are imitating legitimate downloadable files for the following applications: Zoom, ChatGPT, Citrix and Cisco AnyConnect.
Threat Group
Several threat actor groups have been associated with the use of this malware, such as:
- Exotic Lily
- Contiki
The malware loader known as Bumblebee is being increasingly co-opted by threat actors associated with BazarLoader, TrickBot, and IcedID.
Mitre Methodologies
T1566 – Phishing
T1190 – Exploit Public-Facing Application
T1059 – Command and Scripting Interpreter
T1497 – Virtualization/Sandbox Evasion
T1082 – System Information Discovery
T1053 – Scheduled Task/Job
T1012 – Query Registry
T1552 – Unsecured Credentials
T1021 – Remote Services
T1496 – Resource Hijacking
Further Information
Bumblebee malware adds post-exploitation tool for stealthy infections (bleepingcomputer.com)
Everything You Need to Know About Bumblebee Malware (avertium.com)