
[ Intelligence ] (TLP:CLEAR) Modular BumbleBee Loader Distributed via Trojanized Software Installers

TLP: CLEAR
Recipients can spread this to the world, there is no limit on disclosure. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction.
https://www.first.org/tlp/

Summary: On April 20, 2023, Secureworks’ Counter Threat Unit researchers reported on a malicious campaign deploying the modular loader tracked as BumbleBee via trojanized installers for well-known software, including Zoom, Cisco AnyConnect, ChatGPT, and Citrix Workspace. The campaign also used malicious Google Ads or SEO poisoning to lure victims to a fake WordPress download page hosting the trojanized software installer.

According to Secureworks’ report, the trojanized software installer is an MSI package containing two files: a legitimate installer for the software and a PowerShell script. The PowerShell script is responsible for deploying the BumbleBee loader payload in the targeted system’s memory. After the BumbleBee loader is deployed and the victim’s system is infected, the adversaries wait approximately 3 hours before continuing their malicious activity, in order to evade detection.
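As an added defender-side example (not code from the Secureworks report or the NYSIC note), the following Python triage runs over constructed Sysmon-style process-creation records and flags the delivery pattern described above: an MSI install whose msiexec.exe spawns a PowerShell host with stager-like switches, while leaving the MSI's legitimate bundled installer unflagged. The field names, file paths and sample command lines are assumptions for illustration.

```python
import ntpath
import re

# Constructed Sysmon-style process-creation records (Event ID 1 fields); sample data, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msiexec.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\u\Downloads\anyconnect-setup.msi"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile -File C:\Temp\inst.ps1"},
    {"Image": r"C:\Program Files\Vendor\vendor-setup.exe",   # the bundled legitimate installer
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'"C:\Program Files\Vendor\vendor-setup.exe" /quiet'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "powershell.exe Get-Date"},
]

# Script hosts that an MSI package has little legitimate reason to launch during install.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Switches common in scripted in-memory stagers and rare in legitimate installer actions.
SUSPICIOUS_FLAGS = [
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"-e(xecutionpolicy)?\s+bypass", re.I), "execution policy bypass"),
    (re.compile(r"-nop(rofile)?\b", re.I), "no profile"),
    (re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded command"),
]


def triage_process_events(events):
    """Flag msiexec.exe spawning a script host and score each hit by its suspicious switches.
    Returns a list of findings: {"parent", "image", "score", "reasons", "commandline"}."""
    findings = []
    for ev in events:
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        child = ntpath.basename(ev.get("Image", "")).lower()
        # msiexec launching the vendor's own setup binary is expected; a script host is not.
        if parent != "msiexec.exe" or child not in SCRIPT_HOSTS:
            continue
        cmd = ev.get("CommandLine", "")
        reasons = [label for rx, label in SUSPICIOUS_FLAGS if rx.search(cmd)]
        findings.append({"parent": parent, "image": child,
                         "score": 1 + len(reasons),  # 1 for the parent/child pair itself
                         "reasons": reasons, "commandline": cmd})
    return findings


if __name__ == "__main__":
    for f in triage_process_events(SAMPLE_EVENTS):
        print(f"score={f['score']} {f['parent']} -> {f['image']}: {', '.join(f['reasons'])}")
```

Only the msiexec-to-powershell event is reported; the bundled vendor installer and the unrelated cmd-to-powershell event are not.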

The adversaries then deploy additional payloads, such as Cobalt Strike, and legitimate remote access tools such as AnyDesk and DameWare to move laterally within the compromised environment. They also deploy network scanning tools and malicious scripts to perform Kerberoasting attacks and to scan Active Directory and the network.

Secureworks Report: hxxps://www.secureworks[.]com/blog/bumblebee-malware-distributed-via-trojanized-installer-downloads

NYSIC CAU Analyst Note: In one incident the researchers examined, a malicious Google advertisement sent users to a hacked WordPress site, which then redirected users to a fake download page that mimicked a Cisco program. Users who attempted to download the program could find their devices infected with Bumblebee. Bumblebee malware was first detected in 2021 by Google’s Threat Analysis Group and is linked to several threat actors and high-profile ransomware operations, including Quantum and MountLocker. Bumblebee has also been deployed by the Exotic Lily threat actor, a financially motivated group that often makes use of ransomware variants like Diavol and Conti. Google believes the group may be working with the Russian cyber gang known as FIN12.

Sources:
hxxps://www.bleepingcomputer[.]com/news/security/google-ads-push-bumblebee-malware-used-by-ransomware-gangs/
hxxps://www.infosecurity-magazine[.]com/news/trojanized-installers-distribute/
hxxps://www.techradar[.]com/news/this-painful-malware-targets-new-victims-through-google-ads

This information has been disseminated to:
NYSIC CAU Contacts – OCT-CIP
NYSIC CAU Contacts – ITS EISO
NYSIC CAU Contacts – Cyber Partners Working Group (CPWG)
NYSIC CAU Contacts – Critical Infrastructure: All
NYSIC CAU Contacts – SLTT
NYSIC CAU Contacts – Private Sector

For more information, please contact the NYSIC Cyber Analysis Unit at (518) 786-2191 or CAU@nysic.ny.gov.
