BumbleBee hunting with a Velociraptor

BumbleBee, a malware loader mainly used by threat actors in data exfiltration and ransomware incidents, was recently analyzed by Angelo Violetti of SEC Defence, the Digital Forensics and Incident Response team of SEC Consult, an Eviden business.

During his research, he used several tools and techniques to define ways of detecting the presence of BumbleBee in a compromised infrastructure.

The detection opportunities described in the report can help organizations detect an infection at an early stage and therefore prevent the follow-on malicious activity that starts from BumbleBee. They rely on open-source tools (e.g., Velociraptor) and rule formats (e.g., YARA, Sigma), so they can be used by any company or by the wider community.

Introduction

Ransomware attacks combined with data exfiltration are one of the most relevant cyber threats for companies worldwide, as reported in the ENISA Threat Landscape 2022. According to NIST's Computer Security Incident Handling Guide (SP 800-61), the preparation and detection phases are crucial to minimize the potential impact of such incidents (operational, legal, etc.).

To gain initial access to a victim's infrastructure, ransomware operators mostly rely on the following techniques:

  • Phishing campaigns, also run by initial access brokers [1], that deliver malware acting as a loader for post-exploitation frameworks such as Cobalt Strike or Meterpreter.
  • Exposed vulnerable services that can be exploited to execute arbitrary commands remotely.
  • Compromised accounts that allow the threat actor to log in to services such as VPNs.

One of the newest malware families delivered by initial access brokers is BumbleBee, first documented by the Google Threat Analysis Group in 2021. It has been used by the well-known Russian group Wizard Spider, which has been linked to ransomware families such as Conti, Quantum and Royal.

In this article, SEC Defence presents the analysis performed on a BumbleBee sample and provides threat hunting methods to detect BumbleBee techniques.

 

BumbleBee

BumbleBee is commonly distributed via malicious ISO images and uses thread-hijacking emails (replies injected into existing, stolen email conversations) to induce victims to download and open the ISO file. When executed, BumbleBee mainly performs the following actions:

  • Checks whether it is running in an analysis or sandbox environment, for example by enumerating registry keys and drivers related to VMware or VirtualBox.
  • Gathers information about the compromised system through WMI queries.
  • Connects to the command and control (C2) servers embedded in the malware configuration, which is RC4-encrypted.

Furthermore, BumbleBee can receive commands from the threat actors that enable further malicious actions, such as establishing persistence and downloading additional malware (e.g., Cobalt Strike).

Malware Analysis & Detection

The analyzed BumbleBee sample is the following ISO file, which is available on Malware Bazaar.

BumbleBee Execution Process

The analyzed ISO file contained three files: two hidden files and one visible LNK file.

When opened, the LNK file launches cmd.exe to execute the hidden BAT file.

The threat actors lightly obfuscated the BAT file by assigning a unique variable name to every letter of the alphabet and building the final command out of variable references, which hides the executed command from a casual reader.

Obfuscated BAT file:

By de-obfuscating the BAT file, it is possible to see that it copies the rundll32 executable into the ProgramData directory and then uses it to launch the BumbleBee DLL (network.dll).

De-obfuscated BAT file:
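As an added illustration (not the article's own tooling), the following Python script reconstructs the kind of substitution described above: a table of `set` assignments, one per character, and a final line made only of `%var%` references. The `obfuscate_bat` helper builds a constructed sample in that style so the script runs offline; the copied-binary name `svc.exe` and the export name `Export` are placeholders, not values taken from the real sample.

```python
"""BAT variable-substitution de-obfuscator (added example, not the original analysis code)."""
import re

SET_RE = re.compile(r"^\s*set\s+(?P<body>.+)$", re.IGNORECASE)
VAR_RE = re.compile(r"%(?P<name>[^%\s]+)%")


def parse_set(line: str):
    """Return (name, value) for a `set name=value` / `set "name=value"` line, else None."""
    m = SET_RE.match(line)
    if not m:
        return None
    body = m.group("body")
    if body.startswith('"'):
        # quoted form: everything up to the closing quote is the assignment,
        # so special characters (& | <) and trailing spaces survive
        body = body[1:]
        if body.endswith('"'):
            body = body[:-1]
    name, sep, value = body.partition("=")
    if not sep or not name.strip():
        return None
    return name.strip().lower(), value  # cmd variable names are case-insensitive


def deobfuscate_bat(script: str, max_passes: int = 16):
    """Split a BAT into its variable table and the commands with %var% references resolved."""
    variables, commands = {}, []
    for raw in script.splitlines():
        line = raw.rstrip("\r\n")
        if not line.strip() or line.strip().lower() in ("@echo off", "echo off"):
            continue
        assignment = parse_set(line)
        if assignment:
            variables[assignment[0]] = assignment[1]
            continue
        commands.append(line.strip())

    def expand(text: str) -> str:
        # cmd replaces %var% with the stored value; nested references are resolved by
        # repeating until nothing changes. Unknown names are left in place on purpose,
        # so the analyst can see what could not be resolved.
        for _ in range(max_passes):
            new = VAR_RE.sub(lambda m: variables.get(m.group("name").lower(), m.group(0)), text)
            if new == text:
                break
            text = new
        return text

    return variables, [expand(c) for c in commands]


def obfuscate_bat(command: str) -> str:
    """Build a sample in the style described in the article: one `set` per distinct
    character and a final line consisting only of %var% references (constructed input)."""
    names, lines = {}, ["@echo off"]
    for ch in command:
        if ch not in names:
            names[ch] = f"v{len(names):02d}"
            lines.append(f'set "{names[ch]}={ch}"')
    lines.append("".join(f"%{names[ch]}%" for ch in command))
    return "\r\n".join(lines) + "\r\n"


# Constructed command modelled on the BAT behaviour described above: copy rundll32 under a
# new name into ProgramData, then load the DLL with it. "svc.exe" and "Export" are placeholders.
CONSTRUCTED_COMMAND = (
    "copy C:\\Windows\\System32\\rundll32.exe C:\\ProgramData\\svc.exe && "
    "C:\\ProgramData\\svc.exe C:\\ProgramData\\network.dll,Export"
)
SAMPLE_BAT = obfuscate_bat(CONSTRUCTED_COMMAND)

if __name__ == "__main__":
    table, cmds = deobfuscate_bat(SAMPLE_BAT)
    print(f"{len(table)} variables, {len(cmds)} command line(s) recovered")
    for c in cmds:
        print(c)
```

The script does not emulate `set /a`, `set /p` or substring syntax such as `%var:~0,1%`; when a sample uses those, the unresolved references stay visible in the output rather than being silently dropped.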

Defense Evasion: Mark-of-the-Web Bypass

BumbleBee abuses ISO images to evade a Windows mechanism called Mark-of-the-Web (MotW). Windows tracks files downloaded from the Internet through a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier, and that mark triggers security measures such as SmartScreen prompts on the tracked files. The downloaded ISO carries the mark, but the files inside the mounted image historically did not inherit it, so the LNK file and the DLL ran without those checks. Microsoft has since changed Windows to propagate the mark to the contents of mounted ISO images, so the effectiveness of this bypass depends on the patch level of the target.
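As an added example, not part of the original analysis, the following Python snippet reads and interprets a Zone.Identifier stream, which is the check an analyst runs on a downloaded ISO and on the files extracted from it to see which of them carry the mark. The stream content below is constructed (the URLs are placeholders), and reading a real stream only works on NTFS under Windows, where Python can open the `file:Zone.Identifier` path directly.

```python
"""Read and interpret the Zone.Identifier alternate data stream (added example, not from the article)."""
import configparser
import os

# Zone identifiers as used by Windows security zones
ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "TrustedSites", 3: "Internet", 4: "RestrictedSites"}


def parse_zone_identifier(stream_text: str) -> dict:
    """The stream is INI-like: a [ZoneTransfer] section with ZoneId and optional ReferrerUrl/HostUrl."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(stream_text)
    section = cp["ZoneTransfer"]
    zone_id = int(section.get("ZoneId", "0"))
    return {
        "zone_id": zone_id,
        "zone": ZONE_NAMES.get(zone_id, "Unknown"),
        "referrer": section.get("ReferrerUrl"),
        "host": section.get("HostUrl"),
        # ZoneId 3 (Internet) and 4 (Restricted) are what SmartScreen and Office act on
        "untrusted": zone_id >= 3,
    }


def read_mark_of_the_web(path: str):
    """Return the parsed stream, or None when the file carries no mark.
    Only NTFS on Windows exposes ADS through 'file:stream' paths; elsewhere this reports None."""
    if os.name != "nt":
        return None
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:  # FileNotFoundError when the stream does not exist
        return None


def explain(path: str) -> str:
    """One-line verdict for a file, e.g. for an ISO and for each file copied out of it."""
    mark = read_mark_of_the_web(path)
    if mark is None:
        return f"{path}: no Zone.Identifier stream (Windows treats the file as local)"
    return f"{path}: ZoneId={mark['zone_id']} ({mark['zone']}) downloaded from {mark['host'] or 'unknown host'}"


# Constructed stream content in the shape a browser writes for a download (placeholder URLs)
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/\r\n"
    "HostUrl=https://example.invalid/documents.iso\r\n"
)

if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_STREAM))
    print(explain("documents.iso"))
```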

Velociraptor

The Velociraptor artifact Windows.Detection.ISOMount can be used to search for mounted ISO files: Windows records each mount in the Microsoft-Windows-VHDMP/Operational event log with Event ID 22, and the artifact parses that log.

The following image shows the identification of the BumbleBee ISO image mounting.

Masquerading: Rename System Utilities Detection

The technique used by the BAT file is called Rename System Utilities: a legitimate system binary (here rundll32.exe) is copied into a different folder under a different name in order to evade security mechanisms that key on the well-known path or file name.

Velociraptor

Velociraptor natively offers an artifact named Windows.Detection.BinaryRename to hunt for known executables that are copied and re-named by threat actors.

The following image shows the identification of this technique through Velociraptor.

Windows Event Logs

By looking at Sysmon [2] Event ID 1, we notice that the OriginalFileName value (taken from the PE version resource) does not match the executable name in the Image value.

The same pattern can therefore also be hunted with the following Sigma rule:

The full Sigma rule can be found here.

Execution: System Binary Proxy Execution Detection

BumbleBee executes the malicious DLL through rundll32.exe so that the malware runs inside a trusted, signed Microsoft binary and is harder for security applications to spot.

Velociraptor

SEC Defence has created the following YARA rule, which can be used to detect running BumbleBee processes through the Velociraptor artifact Windows.Detection.Yara.Process.

The YARA rule is based on the operations performed by the malware when it decrypts its embedded configuration containing the command and control servers.

The following image shows the identification of BumbleBee processes through the SEC Defence YARA rule and Velociraptor.

Windows Event Logs

Since the BumbleBee DLL is located on the mounted ISO at the time of execution, when rundll32.exe is started its current directory is set to the mounted (external) drive, as shown in the following Sysmon Event ID 1.

To detect this behaviour, SEC Defence has defined the following Sigma rule:
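The two Sysmon-based checks described above (OriginalFileName disagreeing with Image, and rundll32 starting with its current directory on a non-system drive), as an added Python example that is neither the published Sigma rules nor the article's own code. The events are constructed to resemble Sysmon Event ID 1 fields; the system drive is assumed to be C:, and the drive-letter heuristic also fires for USB sticks and secondary disks, so in practice it is paired with the ISO mount events.

```python
"""Sysmon Event ID 1 checks for renamed system utilities and rundll32 run from a non-system drive
(added example; not the Sigma rules referenced in the article)."""
import ntpath

# Binaries whose PE OriginalFileName is worth comparing with the on-disk name
WATCHLIST = {"rundll32.exe", "regsvr32.exe", "cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
SYSTEM_DRIVE = "c:"  # assumption: Windows installed on C:


def renamed_binary(event: dict) -> bool:
    """OriginalFileName (from the PE version resource) disagrees with the image file name."""
    original = (event.get("OriginalFileName") or "").strip().lower()
    image = ntpath.basename(event.get("Image", "")).lower()
    if original in ("", "-") or original not in WATCHLIST:  # Sysmon logs "-" when the resource is absent
        return False
    return original != image


def rundll32_from_external_drive(event: dict) -> bool:
    """rundll32 (matched by OriginalFileName, so a renamed copy is still caught) started with its
    current directory on a drive other than the system drive, e.g. a mounted ISO."""
    original = (event.get("OriginalFileName") or "").strip().lower()
    image = ntpath.basename(event.get("Image", "")).lower()
    cwd = (event.get("CurrentDirectory") or "").strip().lower()
    is_rundll32 = original == "rundll32.exe" or image == "rundll32.exe"
    return is_rundll32 and bool(cwd) and not cwd.startswith(SYSTEM_DRIVE)


RULES = {
    "renamed_system_utility": renamed_binary,
    "rundll32_external_drive": rundll32_from_external_drive,
}


def hunt(events):
    """Return [(record_index, rule_name)] for every Event ID 1 record that matches a rule."""
    hits = []
    for i, ev in enumerate(events):
        if ev.get("EventID") != 1:
            continue
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((i, name))
    return hits


# Constructed records shaped like Sysmon EID 1 fields; not real telemetry from the sample.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CurrentDirectory": "D:\\", "CommandLine": "cmd.exe /c D:\\hidden.bat"},
    {"EventID": 1, "Image": "C:\\ProgramData\\svc.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CurrentDirectory": "D:\\", "CommandLine": "C:\\ProgramData\\svc.exe network.dll,Export"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CurrentDirectory": "C:\\Windows\\system32\\", "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"EventID": 3, "Image": "C:\\ProgramData\\svc.exe", "DestinationPort": 443},  # not a process creation
]

if __name__ == "__main__":
    for index, rule in hunt(SAMPLE_EVENTS):
        print(f"record {index}: {rule} -> {SAMPLE_EVENTS[index]['CommandLine']}")
```

The OriginalFileName comparison is case-insensitive on purpose: the version resource of cmd.exe reads "Cmd.Exe", and a case-sensitive match would raise a false positive on every command prompt.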

Command & Control: Application Layer Protocol

After compromising the victim's workstation, BumbleBee contacts the C2 servers whose addresses are stored RC4-encrypted in the binary. By analyzing the process memory, it is possible to notice various IP addresses each followed by a destination port; however, only some of them are associated with port 443 (HTTPS), and only those are actually used as C2 servers.

Velociraptor

To automatically extract the C2 server addresses from the malware, SEC Defence created further Velociraptor artifacts that first detect BumbleBee processes and then extract, from their memory, the IP addresses associated with port 443.

The following image shows the output produced by the SEC Defence Velociraptor artifact.
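The same extraction step in stand-alone form, as an added Python example (the SEC Defence artifact does this in VQL inside Velociraptor; this is not its code). It assumes the decrypted configuration strings are ASCII `ip:port` pairs, which is what the article describes seeing in process memory. The byte buffer is constructed; the 443 addresses in it are the ones listed in the Network Traffic Analysis section below, mixed with a non-443 entry, an invalid address and unrelated bytes.

```python
"""Extract IP:port pairs from a memory buffer and keep the port-443 ones (added example)."""
import ipaddress
import re

# ASCII "a.b.c.d:port"; the lookbehind/lookahead stop partial matches inside longer digit runs
CANDIDATE_RE = re.compile(rb"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})(?!\d)")


def extract_socket_strings(memory: bytes):
    """Yield (IPv4Address, port) for every syntactically valid ip:port string in the buffer."""
    for ip_bytes, port_bytes in CANDIDATE_RE.findall(memory):
        port = int(port_bytes)
        if not 0 < port <= 65535:
            continue
        try:
            ip = ipaddress.IPv4Address(ip_bytes.decode("ascii"))
        except ipaddress.AddressValueError:
            continue  # e.g. an octet above 255
        yield ip, port


def extract_c2(memory: bytes, c2_port: int = 443):
    """Return (sorted unique 'ip:port' on the C2 port, sorted unique pairs on other ports).
    The second list is kept so the analyst can see what was discarded and why."""
    c2, other = set(), set()
    for ip, port in extract_socket_strings(memory):
        (c2 if port == c2_port else other).add(f"{ip}:{port}")
    return sorted(c2), sorted(other)


# Constructed buffer imitating a region of decrypted configuration.
SAMPLE_MEMORY = (
    b"\x00\x00" + b"205.185.113.34:443\x00" + b"\x7f\x45\x4c" + b"23.106.223.222:443\x00"
    + b"1.2.3.4:8080\x00" + b"300.1.1.1:443\x00" + b"95.168.191.248:443\x00"
    + b"205.185.113.34:443\x00" + b"192.168.10.5:443\x00\xff\xfe"
)

if __name__ == "__main__":
    c2, discarded = extract_c2(SAMPLE_MEMORY)
    print("C2 candidates (port 443):", c2)
    print("discarded (other ports):", discarded)
```

Private addresses such as 192.168.10.5 are deliberately not filtered out: whether they are decoys or real is a judgement for the analyst, and `ipaddress.IPv4Address.is_private` is available if a deployment wants to split them off.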

Network Traffic Analysis

Another method to detect connections to C2 servers is to integrate constantly updated Cyber Threat Intelligence feeds and detection rules into network security technologies.

In this specific case, the following Proofpoint Emerging Threat Rules were triggered:

  • ET CNC Feodo Tracker Reported CnC Server group 1: 103[.]144[.]139[.]146
  • ET CNC Feodo Tracker Reported CnC Server group 10: 205[.]185[.]113[.]34
  • ET CNC Feodo Tracker Reported CnC Server group 11: 23[.]106[.]223[.]222
  • ET CNC Feodo Tracker Reported CnC Server group 25: 95[.]168[.]191[.]248

 

Suggested Remediation / Other Actions

  • Proactively hunt at scale for the subsequent actions that could have been performed by the threat actors after having compromised the patient zero (e.g., discovery, credential access, lateral movement, etc.).
  • Isolate, where possible, the compromised systems to contain the incident and prevent the spread of the infection.
  • Block the indicators of compromise (IoCs) identified during the analysis and, where appropriate, also blocklist the indicators reported by OSINT sources such as Malware Bazaar, Feodo Tracker, etc.
  • If support in handling the incident is needed, contact the incident response team.

 

Conclusion

By analyzing the tactics, techniques and procedures adopted by BumbleBee, SEC Defence identified and created mechanisms to detect the malware in the early stages of the attack, with the objective of minimizing further potential impacts such as data exfiltration and/or encryption.

As stated by other companies (Mandiant, Intrinsec), the threat actors behind BumbleBee have strong relationships with other malware families such as Emotet or IcedID and with ransomware groups. Therefore, proactively hunting for BumbleBee activity and applying the right remediation actions in time can prevent the execution of other malicious payloads that could cause service unavailability or impact the confidentiality and integrity of data.

 

[1] Initial access brokers are cyber-criminals that sell access to compromised infrastructures to other groups for financial gain.
[2] Sysmon (System Monitor) is a Windows service that logs a wide range of activities performed on a system, such as process creation, network connections or file changes.

 

Repositories:

Sigma: https://github.com/angelovioletti/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_ext_drive.yml

Velociraptor: https://github.com/Velocidex/velociraptor-docs/blob/d891bf8671230437b2b4497649c28b9a6045252b/content/exchange/artifacts/BumbleBee.yaml

Yara: https://github.com/sec-consult/SD-BumbleBee-Hunting-Rules/blob/main/BumbleBee_Unpacked.yara

This research was conducted by Angelo Violetti and originally published on the SEC Consult Blog, on behalf of SEC Defence.
