S1039 Bumblebee
Bumblebee is a custom loader written in C++ that has been used by multiple threat actors, including possible initial access brokers, to download and execute additional payloads since at least March 2022. Bumblebee has been linked to ransomware operations including Conti, Quantum, and Mountlocker and derived its name from the appearance of "bumblebee" in the user-agent.[3][2][1]
Item | Value |
---|---|
ID | S1039 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 19 August 2022 |
Last Modified | 21 October 2022 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1548 | Abuse Elevation Control Mechanism | - |
enterprise | T1548.002 | Bypass User Account Control | Bumblebee has the ability to bypass UAC to deploy post-exploitation tools with elevated privileges.[5] |
enterprise | T1560 | Archive Collected Data | Bumblebee can compress data stolen from the Registry and volume shadow copies prior to exfiltration.[5] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.001 | PowerShell | Bumblebee can use PowerShell for execution.[4] |
enterprise | T1059.003 | Windows Command Shell | Bumblebee can use cmd.exe to drop and run files.[3][2] |
enterprise | T1059.005 | Visual Basic | Bumblebee can create a Visual Basic script to enable persistence.[2][1] |
enterprise | T1132 | Data Encoding | - |
enterprise | T1132.001 | Standard Encoding | Bumblebee has the ability to base64 encode C2 server responses.[2] |
enterprise | T1005 | Data from Local System | Bumblebee can capture and compress stolen credentials from the Registry and volume shadow copies.[5] |
enterprise | T1622 | Debugger Evasion | Bumblebee can search for tools used in static analysis.[4] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | Bumblebee can deobfuscate C2 server responses and unpack its code on targeted hosts.[2][4] |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.001 | Symmetric Cryptography | Bumblebee can encrypt C2 requests and responses with RC4.[2] |
enterprise | T1041 | Exfiltration Over C2 Channel | Bumblebee can send collected data in JSON format to C2.[3] |
enterprise | T1008 | Fallback Channels | Bumblebee can use backup C2 servers if the primary server fails.[2] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | Bumblebee can uninstall its loader through the use of an Sdl command.[2] |
enterprise | T1105 | Ingress Tool Transfer | Bumblebee can download and execute additional payloads, including through the use of a Dex command.[3][2][1] |
enterprise | T1559 | Inter-Process Communication | - |
enterprise | T1559.001 | Component Object Model | Bumblebee can use a COM object to execute queries to gather system information.[2] |
enterprise | T1036 | Masquerading | - |
enterprise | T1036.005 | Match Legitimate Name or Location | Bumblebee has named component DLLs "RapportGP.dll" to match those used by the security company Trusteer.[4] |
enterprise | T1106 | Native API | Bumblebee can use multiple Native APIs.[2][4] |
enterprise | T1027 | Obfuscated Files or Information | Bumblebee has been delivered as password-protected zipped ISO files and has used control-flow flattening to obfuscate the flow of functions.[2][5][4] |
enterprise | T1566 | Phishing | - |
enterprise | T1566.001 | Spearphishing Attachment | Bumblebee has gained execution through luring users into opening malicious attachments.[2][1][5][4] |
enterprise | T1566.002 | Spearphishing Link | Bumblebee has been spread through e-mail campaigns with malicious links.[2][5] |
enterprise | T1057 | Process Discovery | Bumblebee can identify processes associated with analytical tools.[2][1][4] |
enterprise | T1055 | Process Injection | Bumblebee can inject code into multiple processes on infected endpoints.[5] |
enterprise | T1055.001 | Dynamic-link Library Injection | The Bumblebee loader can support the Dij command, which gives it the ability to inject DLLs into the memory of other processes.[2][1] |
enterprise | T1055.004 | Asynchronous Procedure Call | Bumblebee can use asynchronous procedure call (APC) injection to execute commands received from C2.[2] |
enterprise | T1012 | Query Registry | Bumblebee can check the Registry for specific keys.[4] |
enterprise | T1053 | Scheduled Task/Job | - |
enterprise | T1053.005 | Scheduled Task | Bumblebee can achieve persistence by copying its DLL to a subdirectory of %APPDATA% and creating a Visual Basic Script that will load the DLL via a scheduled task.[2][1] |
enterprise | T1129 | Shared Modules | Bumblebee can use LoadLibrary to attempt to execute GdiPlus.dll.[4] |
enterprise | T1518 | Software Discovery | - |
enterprise | T1518.001 | Security Software Discovery | Bumblebee can identify specific analytical tools based on running processes.[2][1][4] |
enterprise | T1218 | System Binary Proxy Execution | - |
enterprise | T1218.008 | Odbcconf | Bumblebee can use odbcconf.exe to run DLLs on targeted hosts.[5] |
enterprise | T1218.011 | Rundll32 | Bumblebee has used rundll32 for execution of the loader component.[2][1] |
enterprise | T1082 | System Information Discovery | Bumblebee can enumerate the OS version and domain on a targeted system.[3][2][1] |
enterprise | T1033 | System Owner/User Discovery | Bumblebee has the ability to identify the user name.[3] |
enterprise | T1204 | User Execution | - |
enterprise | T1204.001 | Malicious Link | Bumblebee has relied upon a user downloading a file from a OneDrive link for execution.[2][5] |
enterprise | T1204.002 | Malicious File | Bumblebee has relied upon a user opening an ISO file to enable execution of malicious shortcut files and DLLs.[2][1][5][4] |
enterprise | T1497 | Virtualization/Sandbox Evasion | Bumblebee has the ability to perform anti-virtualization checks.[2] |
enterprise | T1497.001 | System Checks | Bumblebee has the ability to search for designated file paths and Registry keys that indicate a virtualized environment from multiple products.[4] |
enterprise | T1497.003 | Time Based Evasion | Bumblebee has the ability to set a hardcoded and randomized sleep interval.[2] |
enterprise | T1102 | Web Service | Bumblebee has been downloaded to victims' machines from OneDrive.[2] |
enterprise | T1047 | Windows Management Instrumentation | Bumblebee can use WMI to gather system information and to spawn processes for code injection.[3][2][5] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G1011 | EXOTIC LILY | [3] |
References
- [1] Kamble, V. (2022, June 28). Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem. Retrieved August 24, 2022.
- [2] Merriman, K. and Trouerbach, P. (2022, April 28). This isn't Optimus Prime's Bumblebee but it's Still Transforming. Retrieved August 22, 2022.
- [3] Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022.
- [4] Salem, A. (2022, April 27). The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection. Retrieved September 2, 2022.
- [5] Cybereason. (2022, August 17). Bumblebee Loader – The High Road to Enterprise Domain Control. Retrieved August 29, 2022.