Threat Intelligence bulletin: Google ads push Bumblebee malware used by ransomware gangs

Target Industry 

Targeting is indiscriminate and opportunistic: malicious advertising and search engine poisoning are, by nature, an open trap that catches whoever searches for the impersonated software. 

 

Overview 

Bumblebee is a Windows-based malware loader designed to gain initial access to a system, gather system information and serve as a platform for further exploitation, most commonly the deployment of ransomware. In this campaign, fraudulent Google ads lead users searching for legitimate software to fake download pages that deliver the loader. Once running, Bumblebee uses Asynchronous Procedure Call (APC) injection to execute the shellcode it receives from its Command and Control (C2) server, whereas most other loaders rely on process hollowing or DLL injection. Google's Threat Analysis Group (TAG) has attributed Bumblebee distribution to the group it tracks as Exotic Lily and has established a connection between that group and Conti. 

Exotic Lily operates as an initial access broker: it gains access to vulnerable corporate networks, sells that access to the highest bidder, and the buyers use it to launch ransomware and other attacks on the victim. The group runs large phishing campaigns, sending as many as 5,000 emails a day to up to 650 targeted companies worldwide. 

Trojanised installers impersonating multiple well-known business products, including Zoom, Cisco AnyConnect, ChatGPT and Citrix Workspace, have been used to deliver Bumblebee. The choice of business applications suggests the threat actors are targeting organisations rather than individual consumers. In the later stages of a compromise, the loader is used to deploy well-known penetration-testing implants such as Cobalt Strike, Sliver and Metasploit. 

 

Impact  

Bumblebee is typically used to establish a foothold in an organisation's environment that can then be sold to other threat actors or used as a launching platform for ransomware and other follow-on exploitation. This allows attackers to progress an intrusion with little or no resistance, and can end in the encryption and possible destruction of organisational data under a ransomware demand. Such a compromise can cause severe financial loss for an organisation and damage trust-based relationships with its clients. 

 

Vulnerability Detection 

A comprehensive endpoint detection and response (EDR) solution, such as Microsoft Defender for Endpoint, can provide additional protection against malware threats such as Bumblebee. An EDR can alert security teams to a potential breach and block further progress before the malware causes severe damage. 

Two delivery chains have been observed: 

  • A phishing email carrying an ISO file attachment, an HTML document that links to an ISO download, or a ZIP archive containing the malicious files. Once the ISO is mounted, the Bumblebee DLL inside it is executed. 
  • An Excel .xlsb workbook containing Excel 4.0 (XLM) macros, downloaded from Microsoft OneDrive after the user follows a link; the macros then download and install the Bumblebee files. 

 

Affected Products 

Windows OS based devices. 

 

Containment, Mitigations & Remediations 

Consider deploying EDR and Next-Generation Antivirus (NGAV) to all devices within your environment to allow for early detection. Detection opportunities include: 

 

  • Execution of a .vbs script as a scheduled task. 
  • Execution of a .dll (typically via rundll32.exe or regsvr32.exe) shortly after an ISO image has been mounted. 
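
As an added example, not part of this bulletin or of any vendor's tooling, the following Python implements the two detection opportunities above over constructed Sysmon-style telemetry: a drive-mount record for the ISO, followed by process-creation records carrying the Sysmon event 1 fields (Image, CommandLine, ParentImage, ParentCommandLine). The drive letter E:, the DLL name and export, the script path and the timestamps are all assumptions made for the sample; the scheduled-task check assumes a Windows 10 or later host, where task actions are spawned by the Task Scheduler service host (svchost.exe ... -s Schedule).

```python
"""Added example (not the bulletin's own tooling): the two Bumblebee detection
opportunities listed above, applied to constructed Sysmon-style records.

Assumptions: process-creation records carry Sysmon event 1 fields; drive-mount
records carry the drive letter a mounted ISO received; on Windows 10+ scheduled
task actions are spawned by the Task Scheduler service host
(svchost.exe ... -s Schedule). Older systems used taskeng.exe as the parent.
"""
from dataclasses import dataclass
import ntpath
import re


@dataclass
class ProcEvent:
    ts: int                 # seconds since epoch (constructed)
    image: str              # Sysmon Image
    cmdline: str            # Sysmon CommandLine
    parent_image: str       # Sysmon ParentImage
    parent_cmdline: str     # Sysmon ParentCommandLine


@dataclass
class MountEvent:
    ts: int
    drive: str              # drive letter assigned to the mounted image, e.g. "E:"


SYSTEM_DRIVES = {"C:"}                      # fixed drives to ignore; adjust per host
DLL_RUNNERS = {"rundll32.exe", "regsvr32.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
MOUNT_WINDOW_SECONDS = 120                  # ISO mount -> DLL execution correlation window
DLL_PATH = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)', re.IGNORECASE)


def _name(path):
    return ntpath.basename(path).lower()


def dll_paths(cmdline):
    """Quoted or bare .dll paths referenced on a command line."""
    return [m.group(1) or m.group(2) for m in DLL_PATH.finditer(cmdline)]


def detect_dll_from_iso(events, mounts):
    """A DLL run by rundll32/regsvr32 from a drive letter that an image was
    mounted on within MOUNT_WINDOW_SECONDS before the process started."""
    hits = []
    for e in events:
        if _name(e.image) not in DLL_RUNNERS:
            continue
        for dll in dll_paths(e.cmdline):
            drive = ntpath.splitdrive(dll)[0].upper()
            if not drive or drive in SYSTEM_DRIVES:
                continue
            if any(m.drive.upper() == drive and 0 <= e.ts - m.ts <= MOUNT_WINDOW_SECONDS
                   for m in mounts):
                hits.append((e.ts, _name(e.image), dll))
    return hits


def detect_vbs_scheduled_task(events):
    """A .vbs script started by the Task Scheduler service host."""
    hits = []
    for e in events:
        if _name(e.image) not in SCRIPT_HOSTS:
            continue
        if not re.search(r"\.vbs\b", e.cmdline, re.IGNORECASE):
            continue
        if _name(e.parent_image) == "svchost.exe" and re.search(
                r"-s\s+Schedule\b", e.parent_cmdline, re.IGNORECASE):
            hits.append((e.ts, e.cmdline))
    return hits


# Constructed sample telemetry; file names, the export name and paths are hypothetical.
SAMPLE_MOUNTS = [MountEvent(ts=1000, drive="E:")]
SAMPLE_EVENTS = [
    # ISO mounted as E:, then the DLL inside it launched via rundll32 -> hit
    ProcEvent(1005, r"C:\Windows\System32\rundll32.exe",
              r'rundll32.exe "E:\invoice.dll",EnumStrings',
              r"C:\Windows\explorer.exe", "explorer.exe"),
    # DLL from the system drive -> ignored
    ProcEvent(1200, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
              r"C:\Windows\explorer.exe", "explorer.exe"),
    # DLL from another drive with no mount record in the window -> ignored
    ProcEvent(1300, r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s D:\setup\helper.dll",
              r"C:\Windows\explorer.exe", "explorer.exe"),
    # .vbs launched by the Task Scheduler service host -> hit
    ProcEvent(3000, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe //B "C:\Users\u\AppData\Roaming\update.vbs"',
              r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs -p -s Schedule"),
    # .vbs run interactively by the user -> ignored
    ProcEvent(3100, r"C:\Windows\System32\wscript.exe",
              r"wscript.exe C:\tools\setup.vbs",
              r"C:\Windows\explorer.exe", "explorer.exe"),
]

if __name__ == "__main__":
    for hit in detect_dll_from_iso(SAMPLE_EVENTS, SAMPLE_MOUNTS):
        print("DLL executed from mounted image:", hit)
    for hit in detect_vbs_scheduled_task(SAMPLE_EVENTS):
        print("VBS launched as scheduled task:", hit)
```

The mount correlation is what keeps the second rule usable: rundll32 loading a DLL from a non-system drive is common on hosts with removable media, so the rule only fires when a drive-mount record for that letter precedes the execution within the window. Tune SYSTEM_DRIVES and MOUNT_WINDOW_SECONDS to the estate before deploying.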

 

It is also recommended that customers regularly review inbound email policies and consider quarantining attachments from unknown or untrusted senders, particularly ISO and other disk-image files. 

As search engine poisoning continues to be a prominent threat, it is recommended that personnel receive training on how to recognise masquerading websites and are advised to avoid sponsored or advertised links at the top of search engine results. 

 

Indicators of Compromise 

Bumblebee associated MD5 hashes 

  • 254d757d0f176afa59ecea28822b3a71 
  • 59fc33d849f9ad2ab4e4b7fe4b443a33 

Bumblebee associated SHA-1 hashes 

  • 3e59fff860826055423dde5bbd8830cceae17cf3 
  • e4ed0f94e8ad9aeeb019e6d253e2eefa83b51b5a 

Bumblebee associated SHA-256 hashes 

  • 0ff8988d76fc6bd764a70a7a4f07a15b2b2c604138d9aadc784c9aeb6b77e275 
  • 2102214c6a288819112b69005737bcfdf256730ac859e8c53c9697e3f87839f2 

Bumblebee associated SSDEEP hashes 

  • 24576:CjrA94pj6XmVW1MN90pbRYYeDADfI06nGjjO2:6KXENeVL776/2 
  • 24576:kjrA94pj6XmVW1MN9 

Bumblebee associated domains 

  • conlfex[.]com 
  • avrobio[.]co 
  • elemblo[.]com 
  • phxmfg[.]co 
  • modernmeadow[.]co 
  • lsoplexis[.]com 
  • craneveyor[.]us 
  • faustel[.]us 
  • lagauge[.]us 
  • missionbio[.]us 
  • richllndmetals[.]com 
  • kvnational[.]us 
  • prmflltration[.]com 
  • brightlnsight[.]co 
  • belcolnd[.]com 
  • awsblopharma[.]com 
  • amevida[.]us 
  • revergy[.]us 
  • al-ghurair[.]us 
  • opontia[.]us 

 

 

Recent Bumblebee ISO samples: 

  • 9eacade8174f008c48ea57d43068dbce3d91093603db0511467c18252f60de32 
  • 6214e19836c0c3c4bc94e23d6391c45ad87fdd890f6cbd3ab078650455c31dc8 
  • 201c4d0070552d9dc06b76ee55479fc0a9dfacb6dbec6bbec5265e04644eebc9 
  • 1fd5326034792c0f0fb00be77629a10ac9162b2f473f96072397a5d639da45dd 
  • 01cc151149b5bf974449b00de08ce7dbf5eca77f55edd00982a959e48d017225 

 

Recent Bumblebee C2: 

  • 23.81.246[.]187:443

 

Threat Landscape 

The malicious advertising and search engine poisoning threat vector has been on the increase in recent months, with other examples including the distribution of Vidar Stealer via similar methods.  

The malware has been observed using fake adverts which are imitating legitimate downloadable files for the following applications: Zoom, ChatGPT, Citrix and Cisco AnyConnect. 

 

Threat Group 

Several threat actor groups have been associated with the use of this malware, including: 

  • Exotic Lily 
  • Conti 

Bumblebee is also increasingly being adopted by threat actors previously associated with BazarLoader, TrickBot and IcedID. 

 

Mitre Methodologies 

T1566 – Phishing 

T1190 – Exploit Public-Facing Application 

T1059 – Command and Scripting Interpreter 

T1497 – Virtualization/Sandbox Evasion 

T1082 – System Information Discovery 

T1053 – Scheduled Task/Job 

T1012 – Query Registry 

T1552 – Unsecured Credentials 

T1021 – Remote Services 

T1496 – Resource Hijacking 

 

Further Information 

Bumblebee malware adds post-exploitation tool for stealthy infections (bleepingcomputer.com) 

Google ads push BumbleBee malware used by ransomware gangs – Cyber Reports Cybersecurity News & Information (cyber-reports.com) 

Everything You Need to Know About Bumblebee Malware (avertium.com) 

 
