THREAT ANALYSIS REPORT: Bumblebee Loader – The High Road to Enterprise Domain Control

is-8-desktop is-offset-2-fullhd is-offset-2-desktop is-10-tablet is-offset-1-tablet"> <div class="featured-image"><img src="https://www.cybereason.com/hubfs/blog-post-text%20-%202022-08-15T115923.524.png" alt=""></div> <h1><span id="hs_cos_wrapper_name" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="text">THREAT ANALYSIS REPORT: Bumblebee Loader – The High Road to Enterprise Domain Control</span></h1> <div class="cr-mln__post-author-share"> <div id="hubspot-author_data" class="hubspot-editable cr-mln__post-meta" data-hubspot-form-id="author_data" data-hubspot-name="Blog Author"> <span class="descriptor">Written By</span> <p><span class="author">Cybereason Global SOC Team</span></p> </div> </div> </div> <!-- Sticky Author and Social Box --> <!-- END Sticky Author and Social Box --> <div class="container-is-blog columns is-multiline page-center cr-mln__blog-post--body"> <div class="column is-7-fullhd is-7-desktop is-10-tablet is-10-mobile is-offset-1-fullhd is-offset-1-desktop is-offset-1-tablet is-offset-1-mobile"> <span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text"><p>The <a href="/blog/authors/cybereason-global-soc-team" rel="noopener" target="_blank"><span>Cybereason Global Security Operations Center (GSOC) Team</span></a> issues Cybereason <a href="/blog/category/research" rel="noopener" target="_blank"><span>Threat Analysis Reports</span></a> to inform on impacting threats. 
The Threat Analysis Reports investigate these threats and provide practical recommendations for protecting against them.</p> <!--more--> <p>In this Threat Analysis report, Cybereason GSOC team analysts have analyzed a case that involved a <a href="https://www.bleepingcomputer.com/news/security/new-bumblebee-malware-replaces-contis-bazarloader-in-cyberattacks/" rel="noopener" target="_blank"><span>Bumblebee Loader</span></a> infection. Following this introduction, we describe in detail the attack chain from the initial Bumblebee infection to the compromise of the entire network.</p> <h2>Key Findings</h2> <ul> <li aria-level="1"><strong>User-Driven Execution: </strong>The majority of the infections with Bumblebee we have observed started by end-users executing <a href="/blog/threat-alert-raspberry-robin-worm-abuses-windows-installer-and-qnap-devices" rel="noopener" target="_blank"><span>LNK files </span></a>which use a system binary to load the malware. Distribution of the malware is done by phishing emails with an attachment or a link to the malicious archive containing Bumblebee.</li> <li aria-level="1"><strong>Intensive Reconnaissance and Data Exfiltration: </strong>Bumblebee operators conduct intensive reconnaissance activities and redirect the output of executed commands to files for exfiltration.</li> <li aria-level="1"><strong>Active Directory Compromise: </strong>The attackers compromised Active Directory and leveraged confidential data such as users’ logins and passwords for lateral movement. 
The time it took between initial access and Active Directory compromise was less than two days.<strong>&nbsp;</strong></li> <li aria-level="1"><strong>Under Active Development: </strong>Cybereason GSOC has observed threat actors transitioning from BazarLoader, Trickbot, and IcedID to Bumblebee, which seems to be in active development and generally the loader of choice for many threat actors.</li> <li aria-level="1"><strong>Critical Severity: </strong>Attacks involving Bumblebee must be treated as critical. Based on GSOC findings, the next step for the threat actors is ransomware deployment, and this loader is known for ransomware delivery.&nbsp;</li> <li aria-level="1"><strong>Cybereason Managed Detection and Response (MDR)</strong>: The Cybereason GSOC team has a zero-tolerance policy towards attacks involving Bumblebee and any other loader, and categorizes such attacks as critical, high-severity incidents. The <a href="/services/managed-detection-response-mdr" rel="noopener" target="_blank"><span>Cybereason GSOC MDR Team</span></a> issues a comprehensive report to customers when such an incident occurs. The report provides an in-depth overview of the incident, which helps to understand the scope of the compromise and the impact on the customer’s environment. These reports also provide attribution information whenever possible, as well as recommendations for threat mitigation and isolation.&nbsp;</li> <li aria-level="1"><strong>Detected and Prevented</strong>: The <a href="/platform#graphic" rel="noopener" target="_blank"><span>Cybereason Defense Platform</span></a> effectively detects and prevents infections from Bumblebee.</li> </ul> <h2>Introduction</h2> <p>In March 2022, a new malware loader was discovered by <a href="https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/" rel="noopener" target="_blank"><span>Google Threat Analysis Group</span></a>. 
This loader is named Bumblebee because of its unique user agent, “Bumblebee,” that is used as part of the communication with the command and control server (C2).</p> <p>Cybereason GSOC observed the distribution of the loader via spear-phishing emails that contain archives with ISO files as attachments, or links to download the archive from external sources. Initial execution relies on the end user, who has to extract the archive, mount an ISO image file, and click a Windows shortcut (LNK) file.</p> <p>After initial execution, the most notable post-exploitation activities performed by Bumblebee are privilege escalation, reconnaissance, and credential theft, which are detailed in this report.&nbsp;</p> <p>Bumblebee operators use the Cobalt Strike framework throughout the attack. The threat actors use the obtained credentials to access Active Directory and make a copy of <em>ntds.dit</em>, which contains data for the entire Active Directory. Lastly, a domain administrator account is used to move laterally, create local user accounts, and exfiltrate data using Rclone software.</p> <p>Cybereason GSOC has observed threat actors transitioning from BazarLoader, Trickbot, and IcedID to Bumblebee, which seems to be <a href="https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming" rel="noopener" target="_blank"><span>in active development</span></a> and generally the loader of choice for many threat actors.</p> <p>We have previously analyzed the loader in detail, and <a href="https://elis531989.medium.com/the-chronicles-of-bumblebee-the-hook-the-bee-and-the-trickbot-connection-686379311056" rel="noopener" target="_blank"><span>that earlier report</span></a> is available. 
In this research, we chose to focus on post-exploitation actions and Tactics, Techniques, and Procedures (TTPs).&nbsp;</p> <h2>Analysis</h2> <h3 style="font-weight: normal;"><span style="color: #434343;">Timeline</span></h3> <p>Following table summarizes the activities timeline from initial compromise to the data exfiltration:</p> <table style="border-collapse: collapse; table-layout: fixed; margin-left: auto; margin-right: auto; border: 1px solid #99acc2;"> <tbody> <tr> <td style="background-color: #f1c232; border: 0.984375pt solid #000000;"> <p><strong>Activities</strong></p> </td> <td style="background-color: #f1c232; border: 0.984375pt solid #000000;"> <p><strong>Time</strong></p> </td> </tr> <tr> <td style="border-width: 1px; border-style: solid;"> <p><strong>Initial access</strong></p> </td> <td style="border-width: 1px; border-style: solid;"> <p>T0</p> </td> </tr> <tr> <td style="border: 1pt solid #000000;"> <p><strong>Reconnaissance</strong> / nltest, net, whoami</p> </td> <td style="border: 1pt solid #000000;"> <p>T0 + 30 minutes</p> </td> </tr> <tr> <td style="border: 1pt solid #000000;"> <p><strong>Command and Control</strong> / Loading Meterpreter agent</p> </td> <td style="border: 1pt solid #000000;"> <p>T0 + 4 hours</p> </td> </tr> <tr> <td style="border: 1pt solid #000000;"> <p><strong>Privilege Escalation</strong> / Zerologon exploitation</p> </td> <td style="border: 1pt solid #000000;"> <p>T0 + 4 hours</p> </td> </tr> <tr> <td style="border: 1pt solid #000000;"> <p><strong>Command and Control</strong> / Cobalt Strike beacon execution</p> </td> <td style="border: 1pt solid #000000;"> <p>T0 + 6 hours</p> </td> </tr> <tr> <td style="border: 1pt solid #000000;"> <p><strong>Credential Theft</strong> / registry hive</p> </td> <td style="border: 1pt solid #000000;"> <p>T0 + 6 hours</p> </td> </tr> <tr> <td style="border: 1pt solid #000000;"> <p><strong>Reconnaissance</strong> / adfind, ping, curl</p> </td> <td style="border: 1pt solid #000000;"> <p>T0 + 6 
hours and 30 minutes</p> </td> </tr> <tr> <td style="border: 1pt solid #000000;"> <p><strong>Credential Theft and Privilege Escalation </strong>/ LSASS memory dump with procdump64.exe</p> </td> <td style="border: 1pt solid #000000;"> <p>T0 + 19 hours</p> </td> </tr> <tr> <td style="border: 1pt solid #000000;"> <p><strong>Credential Theft</strong> / NTDS.dit exfiltration with Active Directory full privilege</p> </td> <td style="border: 1pt solid #000000;"> <p>T0 + 22 hours</p> </td> </tr> <tr> <td style="border: 1pt solid #000000;"> <p><strong>Lateral Movement</strong> / Cobalt Strike socks-tunnel (RDP)</p> </td> <td style="border: 1pt solid #000000;"> <p>T0 + 24 hours</p> </td> </tr> <tr> <td style="border: 1pt solid #000000;"> <p><strong>Data Exfiltration</strong> / Rclone</p> </td> <td style="border: 1pt solid #000000;"> <p>T0 + 3 days</p> </td> </tr> </tbody> </table> <p>&nbsp;</p> <h3><span style="color: #434343;"><span style="font-weight: normal;">Initial Access and Execution</span></span></h3> <p><span style="color: #575955;">Cybereason GSOC team observed the following distribution method to deliver the Bumblebee malware:&nbsp;</span></p> <ul> <li style="color: #575955;" aria-level="1"><span style="color: #575955;">A spear phishing email is received containing an archive or a link to an external source to download the archive.</span></li> <li style="color: #575955;" aria-level="1"><span style="color: #575955;">User extracts the archive and mounts the resulting ISO image.</span></li> <li style="color: #575955;" aria-level="1"><span style="color: #575955;">The content of the mounted ISO image is a LNK file executing the Bumblebee payload upon user interaction:</span></li> </ul> <p><span style="color: #575955;"><span style="font-size: 3px; color: #575955;"><img src="https://www.cybereason.com/hs-fs/hubfs/image17-Aug-15-2022-07-14-40-81-PM.png?width=1922&amp;name=image17-Aug-15-2022-07-14-40-81-PM.png" alt="image17-Aug-15-2022-07-14-40-81-PM" width="1922" 
loading="lazy" style="width: 1922px; margin-left: auto; margin-right: auto; display: block;" srcset="https://www.cybereason.com/hs-fs/hubfs/image17-Aug-15-2022-07-14-40-81-PM.png?width=961&amp;name=image17-Aug-15-2022-07-14-40-81-PM.png 961w, https://www.cybereason.com/hs-fs/hubfs/image17-Aug-15-2022-07-14-40-81-PM.png?width=1922&amp;name=image17-Aug-15-2022-07-14-40-81-PM.png 1922w, https://www.cybereason.com/hs-fs/hubfs/image17-Aug-15-2022-07-14-40-81-PM.png?width=2883&amp;name=image17-Aug-15-2022-07-14-40-81-PM.png 2883w, https://www.cybereason.com/hs-fs/hubfs/image17-Aug-15-2022-07-14-40-81-PM.png?width=3844&amp;name=image17-Aug-15-2022-07-14-40-81-PM.png 3844w, https://www.cybereason.com/hs-fs/hubfs/image17-Aug-15-2022-07-14-40-81-PM.png?width=4805&amp;name=image17-Aug-15-2022-07-14-40-81-PM.png 4805w, https://www.cybereason.com/hs-fs/hubfs/image17-Aug-15-2022-07-14-40-81-PM.png?width=5766&amp;name=image17-Aug-15-2022-07-14-40-81-PM.png 5766w" sizes="(max-width: 1922px) 100vw, 1922px"></span></span><span style="color: #575955;"><span style="font-size: 16px;"></span></span></p> <p style="text-align: center;"><span style="font-size: 16px;"><em><span style="color: #575955;">Bumblebee infection flow</span></em></span></p> <p><span style="color: #575955;">Bumblebee operators host malicious websites that implement a drive-by download. To infect the system, an end-user has to first manually decompress the archive containing the ISO file, mount the file and then execute the Windows shortcut (LNK).&nbsp;</span></p> <p><span style="color: #575955;">The LNK file has an embedded command to run Bumblebee Dynamic-link library (DLL) using </span><a href="https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/" rel="noopener" target="_blank"><span>odbcconf.exe Living Off the Land Binary</span></a><span style="color: #575955;"> (LOLBin) and response (.rsp) file. 
The file </span><em><span style="color: #575955;">[Bumblebee specific name].rsp</span></em><span style="color: #575955;"> has the reference to the Bumblebee DLL:</span></p> <p><span style="color: #575955;"><img src="https://www.cybereason.com/hs-fs/hubfs/image6-Aug-15-2022-07-15-35-81-PM.png?width=1159&amp;name=image6-Aug-15-2022-07-15-35-81-PM.png" alt="image6-Aug-15-2022-07-15-35-81-PM" width="1159" loading="lazy" style="width: 1159px; margin-left: auto; margin-right: auto; display: block;" srcset="https://www.cybereason.com/hs-fs/hubfs/image6-Aug-15-2022-07-15-35-81-PM.png?width=580&amp;name=image6-Aug-15-2022-07-15-35-81-PM.png 580w, https://www.cybereason.com/hs-fs/hubfs/image6-Aug-15-2022-07-15-35-81-PM.png?width=1159&amp;name=image6-Aug-15-2022-07-15-35-81-PM.png 1159w, https://www.cybereason.com/hs-fs/hubfs/image6-Aug-15-2022-07-15-35-81-PM.png?width=1739&amp;name=image6-Aug-15-2022-07-15-35-81-PM.png 1739w, https://www.cybereason.com/hs-fs/hubfs/image6-Aug-15-2022-07-15-35-81-PM.png?width=2318&amp;name=image6-Aug-15-2022-07-15-35-81-PM.png 2318w, https://www.cybereason.com/hs-fs/hubfs/image6-Aug-15-2022-07-15-35-81-PM.png?width=2898&amp;name=image6-Aug-15-2022-07-15-35-81-PM.png 2898w, https://www.cybereason.com/hs-fs/hubfs/image6-Aug-15-2022-07-15-35-81-PM.png?width=3477&amp;name=image6-Aug-15-2022-07-15-35-81-PM.png 3477w" sizes="(max-width: 1159px) 100vw, 1159px"></span></p> <p style="text-align: center;"><span style="font-size: 16px;"><em><span style="color: #575955;">Bumblebee infection steps</span></em></span></p> <p><span style="font-size: 3px; color: #575955;"><img src="https://www.cybereason.com/hs-fs/hubfs/image11-Aug-15-2022-07-16-49-25-PM.png?width=1999&amp;name=image11-Aug-15-2022-07-16-49-25-PM.png" alt="image11-Aug-15-2022-07-16-49-25-PM" width="1999" loading="lazy" style="width: 1999px; margin-left: auto; margin-right: auto; display: block;" 
srcset="https://www.cybereason.com/hs-fs/hubfs/image11-Aug-15-2022-07-16-49-25-PM.png?width=1000&amp;name=image11-Aug-15-2022-07-16-49-25-PM.png 1000w, https://www.cybereason.com/hs-fs/hubfs/image11-Aug-15-2022-07-16-49-25-PM.png?width=1999&amp;name=image11-Aug-15-2022-07-16-49-25-PM.png 1999w, https://www.cybereason.com/hs-fs/hubfs/image11-Aug-15-2022-07-16-49-25-PM.png?width=2999&amp;name=image11-Aug-15-2022-07-16-49-25-PM.png 2999w, https://www.cybereason.com/hs-fs/hubfs/image11-Aug-15-2022-07-16-49-25-PM.png?width=3998&amp;name=image11-Aug-15-2022-07-16-49-25-PM.png 3998w, https://www.cybereason.com/hs-fs/hubfs/image11-Aug-15-2022-07-16-49-25-PM.png?width=4998&amp;name=image11-Aug-15-2022-07-16-49-25-PM.png 4998w, https://www.cybereason.com/hs-fs/hubfs/image11-Aug-15-2022-07-16-49-25-PM.png?width=5997&amp;name=image11-Aug-15-2022-07-16-49-25-PM.png 5997w" sizes="(max-width: 1999px) 100vw, 1999px"></span></p> <p style="text-align: center;"><span style="font-size: 16px;"><em><span style="color: #575955;">An end-user interactively decompresses and executes a LNK file that Bumblebee operators distribute, as seen in the Cybereason Defense Platform</span></em></span></p> <p><em><span style="color: #575955;">Odbcconf.exe</span></em><span style="color: #575955;"> loads the Bumblebee DLL with the </span><a href="https://www.cynet.com/blog/orion-threat-alert-flight-of-the-bumblebee/"><span>internal name</span></a> <em><span style="color: #575955;">LdrAddx64.dll. 
</span></em><span style="color: #575955;">The figure below illustrates the ISO image content (</span><em><span style="color: #575955;">DLL, RSP and LNK files</span></em><span style="color: #575955;">) for Bumblebee:</span></p> <p style="text-align: center;"><span style="color: #575955;"><img src="https://www.cybereason.com/hs-fs/hubfs/image15-Aug-15-2022-07-17-43-18-PM.png?width=1301&amp;name=image15-Aug-15-2022-07-17-43-18-PM.png" alt="image15-Aug-15-2022-07-17-43-18-PM" width="1301" loading="lazy" style="width: 1301px; margin-left: auto; margin-right: auto; display: block;" srcset="https://www.cybereason.com/hs-fs/hubfs/image15-Aug-15-2022-07-17-43-18-PM.png?width=651&amp;name=image15-Aug-15-2022-07-17-43-18-PM.png 651w, https://www.cybereason.com/hs-fs/hubfs/image15-Aug-15-2022-07-17-43-18-PM.png?width=1301&amp;name=image15-Aug-15-2022-07-17-43-18-PM.png 1301w, https://www.cybereason.com/hs-fs/hubfs/image15-Aug-15-2022-07-17-43-18-PM.png?width=1952&amp;name=image15-Aug-15-2022-07-17-43-18-PM.png 1952w, https://www.cybereason.com/hs-fs/hubfs/image15-Aug-15-2022-07-17-43-18-PM.png?width=2602&amp;name=image15-Aug-15-2022-07-17-43-18-PM.png 2602w, https://www.cybereason.com/hs-fs/hubfs/image15-Aug-15-2022-07-17-43-18-PM.png?width=3253&amp;name=image15-Aug-15-2022-07-17-43-18-PM.png 3253w, https://www.cybereason.com/hs-fs/hubfs/image15-Aug-15-2022-07-17-43-18-PM.png?width=3903&amp;name=image15-Aug-15-2022-07-17-43-18-PM.png 3903w" sizes="(max-width: 1301px) 100vw, 1301px"></span></p> <p style="text-align: center;"><span style="font-size: 16px;"><em><span style="color: #575955;">Content of the mounted ISO image</span></em></span></p> <p><span style="color: #575955;">Bumblebee DLL is executed using </span><em><span style="color: #575955;">odbcconf.exe -f [Bumblebee specific name].rsp</span></em><span style="color: #575955;"> in the LNK file target property. 
</span><em><span style="color: #575955;">[Bumblebee specific name].rsp </span></em><span style="color: #575955;">has a reference to </span><em><span style="color: #575955;">[Bumblebee specific name].dll </span></em><span style="color: #575955;">which is the Bumblebee payload.</span></p> <h3 style="font-weight: normal;"><span style="color: #434343;">Foothold</span></h3> <p>After the initial infection, Bumblebee injects code into multiple processes in order to establish a strong foothold on infected endpoints. The process odbcconf.exe makes local Windows Management Instrumentation (WMI) calls to spawn new processes.&nbsp;</p> <p>As a result, the following two processes are spawned from <em>wmiprvse.exe</em> (Windows Management Instrumentation Provider Service):</p> <ul> <li aria-level="1"><em>wabmig.exe</em> (Microsoft contacts import tool) with injected Meterpreter agent code (Meterpreter is a penetration-testing payload that provides remote control capabilities).</li> <li aria-level="1"><em>wab.exe</em> (Microsoft address book application) with an injected Cobalt Strike beacon:</li> </ul> <p><span style="color: #575955;"><img src="https://www.cybereason.com/hs-fs/hubfs/image2-Aug-15-2022-07-18-44-12-PM.png?width=1198&amp;name=image2-Aug-15-2022-07-18-44-12-PM.png" alt="image2-Aug-15-2022-07-18-44-12-PM" width="1198" loading="lazy" style="width: 1198px; margin-left: auto; margin-right: auto; display: block;" srcset="https://www.cybereason.com/hs-fs/hubfs/image2-Aug-15-2022-07-18-44-12-PM.png?width=599&amp;name=image2-Aug-15-2022-07-18-44-12-PM.png 599w, https://www.cybereason.com/hs-fs/hubfs/image2-Aug-15-2022-07-18-44-12-PM.png?width=1198&amp;name=image2-Aug-15-2022-07-18-44-12-PM.png 1198w, https://www.cybereason.com/hs-fs/hubfs/image2-Aug-15-2022-07-18-44-12-PM.png?width=1797&amp;name=image2-Aug-15-2022-07-18-44-12-PM.png 1797w, 
https://www.cybereason.com/hs-fs/hubfs/image2-Aug-15-2022-07-18-44-12-PM.png?width=2396&amp;name=image2-Aug-15-2022-07-18-44-12-PM.png 2396w, https://www.cybereason.com/hs-fs/hubfs/image2-Aug-15-2022-07-18-44-12-PM.png?width=2995&amp;name=image2-Aug-15-2022-07-18-44-12-PM.png 2995w, https://www.cybereason.com/hs-fs/hubfs/image2-Aug-15-2022-07-18-44-12-PM.png?width=3594&amp;name=image2-Aug-15-2022-07-18-44-12-PM.png 3594w" sizes="(max-width: 1198px) 100vw, 1198px"></span></p> <p style="text-align: center;"><span style="font-size: 16px;"><em><span style="color: #575955;">Bumblebee leveraging WMI to run wab.exe and wabmig.exe with injected floating code as seen in the Cybereason Defense Platform</span></em></span></p> <h3><span style="color: #434343; font-weight: normal;">Privilege Escalation and Cobalt Strike deployment</span></h3> <p>Bumblebee performs privilege escalation by loading an <a href="https://github.com/leitosama/SharpZeroLogon"><span>exploit for CVE-2020-1472 (Zerologon)</span></a> into <em>rundll32.exe:</em></p> <p><em><span style="color: #575955;"><img src="https://www.cybereason.com/hs-fs/hubfs/image18-Aug-15-2022-07-19-35-33-PM.png?width=1122&amp;name=image18-Aug-15-2022-07-19-35-33-PM.png" alt="image18-Aug-15-2022-07-19-35-33-PM" width="1122" loading="lazy" style="width: 1122px; margin-left: auto; margin-right: auto; display: block;" srcset="https://www.cybereason.com/hs-fs/hubfs/image18-Aug-15-2022-07-19-35-33-PM.png?width=561&amp;name=image18-Aug-15-2022-07-19-35-33-PM.png 561w, https://www.cybereason.com/hs-fs/hubfs/image18-Aug-15-2022-07-19-35-33-PM.png?width=1122&amp;name=image18-Aug-15-2022-07-19-35-33-PM.png 1122w, https://www.cybereason.com/hs-fs/hubfs/image18-Aug-15-2022-07-19-35-33-PM.png?width=1683&amp;name=image18-Aug-15-2022-07-19-35-33-PM.png 1683w, https://www.cybereason.com/hs-fs/hubfs/image18-Aug-15-2022-07-19-35-33-PM.png?width=2244&amp;name=image18-Aug-15-2022-07-19-35-33-PM.png 2244w, 
https://www.cybereason.com/hs-fs/hubfs/image18-Aug-15-2022-07-19-35-33-PM.png?width=2805&amp;name=image18-Aug-15-2022-07-19-35-33-PM.png 2805w, https://www.cybereason.com/hs-fs/hubfs/image18-Aug-15-2022-07-19-35-33-PM.png?width=3366&amp;name=image18-Aug-15-2022-07-19-35-33-PM.png 3366w" sizes="(max-width: 1122px) 100vw, 1122px"></span></em></p> <p style="text-align: center;"><span style="font-size: 16px;"><em><span style="color: #575955;">Exploitation of CVE-2020-1472, Zerologon as seen in the Cybereason Defense Platform</span></em></span></p> <p>Bumblebee uses a User Account Control (UAC) bypass technique to deploy post exploitation tools with elevated privileges on infected machines. The method uses <a href="https://www.bleepingcomputer.com/news/security/windows-10-uac-bypass-uses-apps-and-features-utility/"><em><span>fodhelper.exe</span></em></a> which is a trusted binary, meaning Windows 10 won't show a UAC window when launched into execution:</p> <p><span style="color: #575955;"><img src="https://www.cybereason.com/hs-fs/hubfs/image1-Aug-15-2022-07-20-34-00-PM.png?width=1921&amp;name=image1-Aug-15-2022-07-20-34-00-PM.png" alt="image1-Aug-15-2022-07-20-34-00-PM" width="1921" loading="lazy" style="width: 1921px; margin-left: auto; margin-right: auto; display: block;" srcset="https://www.cybereason.com/hs-fs/hubfs/image1-Aug-15-2022-07-20-34-00-PM.png?width=961&amp;name=image1-Aug-15-2022-07-20-34-00-PM.png 961w, https://www.cybereason.com/hs-fs/hubfs/image1-Aug-15-2022-07-20-34-00-PM.png?width=1921&amp;name=image1-Aug-15-2022-07-20-34-00-PM.png 1921w, https://www.cybereason.com/hs-fs/hubfs/image1-Aug-15-2022-07-20-34-00-PM.png?width=2882&amp;name=image1-Aug-15-2022-07-20-34-00-PM.png 2882w, https://www.cybereason.com/hs-fs/hubfs/image1-Aug-15-2022-07-20-34-00-PM.png?width=3842&amp;name=image1-Aug-15-2022-07-20-34-00-PM.png 3842w, https://www.cybereason.com/hs-fs/hubfs/image1-Aug-15-2022-07-20-34-00-PM.png?width=4803&amp;name=image1-Aug-15-2022-07-20-34-00-PM.png 
4803w, https://www.cybereason.com/hs-fs/hubfs/image1-Aug-15-2022-07-20-34-00-PM.png?width=5763&amp;name=image1-Aug-15-2022-07-20-34-00-PM.png 5763w" sizes="(max-width: 1921px) 100vw, 1921px"></span><span style="color: #575955; font-size: 16px;"></span></p> <p style="text-align: center;"><span style="font-size: 16px;"><em><span style="color: #575955;">UAC bypass using fodhelper.exe and code injection into winlogon.exe as seen in the Cybereason Defense Platform</span></em></span></p> <p>Fodhelper.exe is used to run "<em>cmd.exe" /c rundll32.exe C:\ProgramData\Cisco\[Cobalt strike].dll”,</em>MainProc where<em> [Cobalt strike].dll </em>is a Cobalt Strike framework beacon and MainProc is the exported function to run.</p> <p>Cobalt Strike is an adversary simulation framework with the primary use case of assisting red team operations. However, Cobalt Strike is also actively used by malicious actors for conducting post-intrusion malicious activities. Cobalt Strike is a modular framework with an extensive set of features that are useful to malicious actors, such as command execution, process injection, and credential theft.</p> <h3 style="font-weight: normal;"><span style="color: #434343;">Credential Theft</span></h3> <p>After obtaining system privileges on the infected machine, Bumblebee performs credential theft using the two methods detailed below.</p> <p>The first method is a Local Security Authority Subsystem Service (LSASS) process memory dump. On Windows systems, domain and local usernames and passwords are stored in the memory space of the LSASS process. 
Bumblebee dumps the memory of this process using procdump64.exe to access the sensitive information:</p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/image21-Aug-15-2022-07-21-22-95-PM.png?width=1349&amp;name=image21-Aug-15-2022-07-21-22-95-PM.png" alt="image21-Aug-15-2022-07-21-22-95-PM" width="1349" loading="lazy" style="width: 1349px; margin-left: auto; margin-right: auto; display: block;" srcset="https://www.cybereason.com/hs-fs/hubfs/image21-Aug-15-2022-07-21-22-95-PM.png?width=675&amp;name=image21-Aug-15-2022-07-21-22-95-PM.png 675w, https://www.cybereason.com/hs-fs/hubfs/image21-Aug-15-2022-07-21-22-95-PM.png?width=1349&amp;name=image21-Aug-15-2022-07-21-22-95-PM.png 1349w, https://www.cybereason.com/hs-fs/hubfs/image21-Aug-15-2022-07-21-22-95-PM.png?width=2024&amp;name=image21-Aug-15-2022-07-21-22-95-PM.png 2024w, https://www.cybereason.com/hs-fs/hubfs/image21-Aug-15-2022-07-21-22-95-PM.png?width=2698&amp;name=image21-Aug-15-2022-07-21-22-95-PM.png 2698w, https://www.cybereason.com/hs-fs/hubfs/image21-Aug-15-2022-07-21-22-95-PM.png?width=3373&amp;name=image21-Aug-15-2022-07-21-22-95-PM.png 3373w, https://www.cybereason.com/hs-fs/hubfs/image21-Aug-15-2022-07-21-22-95-PM.png?width=4047&amp;name=image21-Aug-15-2022-07-21-22-95-PM.png 4047w" sizes="(max-width: 1349px) 100vw, 1349px"></p> <p style="text-align: center;"><span style="font-size: 16px;"><em>Bumblebee dumping lsass.exe memory <span style="color: #575955;">as seen in the Cybereason Defense Platform</span></em></span></p> <p>The second method of credential theft that Bumblebee operators use is registry hive extraction using <em>reg.exe</em>:</p> <ul> <li aria-level="1"><strong>HKLM SAM: </strong>The Security Account Manager (SAM) database is where Windows stores information about user accounts.</li> <li aria-level="1"><strong>HKLM Security: </strong>Local Security Authority (LSA) stores user logins and their LSA secrets.</li> <li aria-level="1"><strong>HKLM System: </strong>Contains keys that 
could be used to decrypt/encrypt the LSA secret and SAM database:</li> </ul> <p><img src="https://www.cybereason.com/hs-fs/hubfs/image16-Aug-15-2022-07-22-47-38-PM.png?width=1213&amp;name=image16-Aug-15-2022-07-22-47-38-PM.png" alt="image16-Aug-15-2022-07-22-47-38-PM" width="1213" loading="lazy" style="width: 1213px; margin-left: auto; margin-right: auto; display: block;" srcset="https://www.cybereason.com/hs-fs/hubfs/image16-Aug-15-2022-07-22-47-38-PM.png?width=607&amp;name=image16-Aug-15-2022-07-22-47-38-PM.png 607w, https://www.cybereason.com/hs-fs/hubfs/image16-Aug-15-2022-07-22-47-38-PM.png?width=1213&amp;name=image16-Aug-15-2022-07-22-47-38-PM.png 1213w, https://www.cybereason.com/hs-fs/hubfs/image16-Aug-15-2022-07-22-47-38-PM.png?width=1820&amp;name=image16-Aug-15-2022-07-22-47-38-PM.png 1820w, https://www.cybereason.com/hs-fs/hubfs/image16-Aug-15-2022-07-22-47-38-PM.png?width=2426&amp;name=image16-Aug-15-2022-07-22-47-38-PM.png 2426w, https://www.cybereason.com/hs-fs/hubfs/image16-Aug-15-2022-07-22-47-38-PM.png?width=3033&amp;name=image16-Aug-15-2022-07-22-47-38-PM.png 3033w, https://www.cybereason.com/hs-fs/hubfs/image16-Aug-15-2022-07-22-47-38-PM.png?width=3639&amp;name=image16-Aug-15-2022-07-22-47-38-PM.png 3639w" sizes="(max-width: 1213px) 100vw, 1213px"></p> <p style="text-align: center;"><span style="font-size: 16px;"><em>Bumblebee extracting registry hives <span style="color: #575955;">as seen in the Cybereason Defense Platform</span></em></span></p> <p>Bumblebee operators :</p> <ul> <li aria-level="1">Obtain registry dumps&nbsp;</li> <li aria-level="1">Compress the data</li> <li aria-level="1">Exfiltrate it over their network tunnel:</li> </ul> <p><img src="https://www.cybereason.com/hs-fs/hubfs/image13-Aug-15-2022-07-24-03-49-PM.png?width=1177&amp;name=image13-Aug-15-2022-07-24-03-49-PM.png" alt="image13-Aug-15-2022-07-24-03-49-PM" width="1177" loading="lazy" style="width: 1177px; margin-left: auto; margin-right: auto; display: block;" 
srcset="https://www.cybereason.com/hs-fs/hubfs/image13-Aug-15-2022-07-24-03-49-PM.png?width=589&amp;name=image13-Aug-15-2022-07-24-03-49-PM.png 589w, https://www.cybereason.com/hs-fs/hubfs/image13-Aug-15-2022-07-24-03-49-PM.png?width=1177&amp;name=image13-Aug-15-2022-07-24-03-49-PM.png 1177w, https://www.cybereason.com/hs-fs/hubfs/image13-Aug-15-2022-07-24-03-49-PM.png?width=1766&amp;name=image13-Aug-15-2022-07-24-03-49-PM.png 1766w, https://www.cybereason.com/hs-fs/hubfs/image13-Aug-15-2022-07-24-03-49-PM.png?width=2354&amp;name=image13-Aug-15-2022-07-24-03-49-PM.png 2354w, https://www.cybereason.com/hs-fs/hubfs/image13-Aug-15-2022-07-24-03-49-PM.png?width=2943&amp;name=image13-Aug-15-2022-07-24-03-49-PM.png 2943w, https://www.cybereason.com/hs-fs/hubfs/image13-Aug-15-2022-07-24-03-49-PM.png?width=3531&amp;name=image13-Aug-15-2022-07-24-03-49-PM.png 3531w" sizes="(max-width: 1177px) 100vw, 1177px"></p> <p style="text-align: center;"><span style="font-size: 16px;"><em>Bumblebee exfiltrating dumps containing credentials <span style="color: #575955;">as seen in the Cybereason Defense Platform</span></em></span></p> <p>Bumblebee operators process retrieved credentials offline, attempting to extract cleartext passwords. The time between credentials theft and the next activity is approximately 3 hours.</p> <h3 style="font-weight: normal;"><span style="color: #434343;">Reconnaissance</span></h3> <p>After the attackers gain a foothold in the organization network, they gather information in various ways. We have observed attackers using tools such as <em>nltest</em>, <em>ping</em>, <em>netview, tasklist</em> and <em>Adfind</em> to collect wide information related to the organization. 
The attackers collect information such as the domain names, users, hosts and domain controllers.</p> <p><em>AdFind</em> (named “af.exe”) is a publicly available tool for querying Active Directory and has been used by multiple threat actors:</p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/image9-Aug-15-2022-07-24-55-39-PM.png?width=896&amp;name=image9-Aug-15-2022-07-24-55-39-PM.png" alt="image9-Aug-15-2022-07-24-55-39-PM" width="896" loading="lazy" style="width: 896px; margin-left: auto; margin-right: auto; display: block;" srcset="https://www.cybereason.com/hs-fs/hubfs/image9-Aug-15-2022-07-24-55-39-PM.png?width=448&amp;name=image9-Aug-15-2022-07-24-55-39-PM.png 448w, https://www.cybereason.com/hs-fs/hubfs/image9-Aug-15-2022-07-24-55-39-PM.png?width=896&amp;name=image9-Aug-15-2022-07-24-55-39-PM.png 896w, https://www.cybereason.com/hs-fs/hubfs/image9-Aug-15-2022-07-24-55-39-PM.png?width=1344&amp;name=image9-Aug-15-2022-07-24-55-39-PM.png 1344w, https://www.cybereason.com/hs-fs/hubfs/image9-Aug-15-2022-07-24-55-39-PM.png?width=1792&amp;name=image9-Aug-15-2022-07-24-55-39-PM.png 1792w, https://www.cybereason.com/hs-fs/hubfs/image9-Aug-15-2022-07-24-55-39-PM.png?width=2240&amp;name=image9-Aug-15-2022-07-24-55-39-PM.png 2240w, https://www.cybereason.com/hs-fs/hubfs/image9-Aug-15-2022-07-24-55-39-PM.png?width=2688&amp;name=image9-Aug-15-2022-07-24-55-39-PM.png 2688w" sizes="(max-width: 896px) 100vw, 896px"></p> <p style="text-align: center;"><span style="font-size: 16px;"><em>Bumblebee executed multiple reconnaissance commands <span style="color: #575955;">as seen in the Cybereason Defense Platform</span></em></span></p> <p>During the reconnaissance phase, Bumblebee operators contacted more than 200 IP addresses and domain names within the organization. 
The most notable ones are Microsoft Exchange, Windows Server Update Services (WSUS) servers.</p> <p>The following table summarizes the reconnaissance commands observed by Cybereason GSOC analysts:</p> <table style="border-collapse: collapse; table-layout: fixed; margin-left: auto; margin-right: auto; border: 1px solid #99acc2;"> <tbody> <tr> <td style="background-color: #f1c232; border: 0.75pt solid #000000;"> <p style="text-align: center;"><strong>Command</strong></p> </td> <td style="background-color: #f1c232; border: 0.75pt solid #000000;"> <p style="text-align: center;"><strong>Description</strong></p> </td> </tr> <tr> <td style="border-width: 1px; border-style: solid;"> <p><em>nltest /domain_trusts</em></p> </td> <td style="border-width: 1px; border-style: solid;"> <p>Enumerates trust relationships in a Windows Active Directory (AD) environment.</p> </td> </tr> <tr> <td style="border: 0.75pt solid #4a4a4a;"> <p><em>nltest /dclist:</em></p> </td> <td style="border: 0.75pt solid #4a4a4a;"> <p>Enumerates all domain controllers in the domain.</p> </td> </tr> <tr> <td style="border: 0.75pt solid #4a4a4a;"> <p><em>af.exe -f "(objectcategory=person)" &gt; ad_users.txt</em></p> </td> <td style="border: 0.75pt solid #4a4a4a;"> <p>Enumerates all user objects in Active Directory and stores the output in a file.</p> </td> </tr> <tr> <td style="border: 0.75pt solid #4a4a4a;"> <p><em>af.exe -f "objectcategory=computer" &gt; ad_computers.txt</em></p> </td> <td style="border: 0.75pt solid #4a4a4a;"> <p>Enumerates all computer objects in Active Directory and stores the output in a file.</p> </td> </tr> <tr> <td style="border: 0.75pt solid #4a4a4a;"> <p><em>whoami /all</em></p> </td> <td style="border: 0.75pt solid #4a4a4a;"> <p>Displays all information in the current access token, including the current user name, security identifiers (SID), privileges, and groups that the current user belongs to.</p> </td> </tr> <tr> <td style="border: 0.75pt solid #4a4a4a;"> <p><em>curl 
ifconfig[.]me</em></p> </td> <td style="border: 0.75pt solid #4a4a4a;"> <p>Retrieves the publicly visible IP address of the machine using an external service.</p> </td> </tr> <tr> <td style="border: 0.75pt solid #4a4a4a;"> <p><em>ping {hostname} -n 1</em></p> </td> <td style="border: 0.75pt solid #4a4a4a;"> <p>Enumerates live hosts.</p> </td> </tr> <tr> <td style="border-width: 1px; border-style: solid;"> <p><em>Tasklist /s {IP address}</em></p> </td> <td style="border-width: 1px; border-style: solid;"> <p>Lists the processes running on a specific remote host.</p> </td> </tr> <tr> <td style="border: 0.75pt solid #000000;"> <p><em>net user {username} /domain</em></p> </td> <td style="border: 0.75pt solid #000000;"> <p>The /domain switch forces net user to run the query against the domain controller of the current domain instead of the local computer.</p> </td> </tr> <tr> <td style="border: 0.75pt solid #000000;"> <p><em>net group "domain admins" /domain</em></p> </td> <td style="border: 0.75pt solid #000000;"> <p>Enumerates the members of the Domain Admins group; the /domain switch directs the query to the domain controller rather than the local computer.</p> </td> </tr> <tr> <td style="border: 0.75pt solid #000000;"> <p><em>net view \\{IP address} /all</em></p> </td> <td style="border: 0.75pt solid #000000;"> <p>Enumerates all shared computers and resources on a specific system.</p> </td> </tr> </tbody> </table> <p style="font-weight: normal;">&nbsp;</p> <h3 style="font-weight: normal;"><span style="color: #434343;">Lateral Movement</span></h3> <p>Bumblebee uses a Cobalt Strike agent for lateral movement. 
We can see multiple connections from the process to internal addresses on Remote Desktop Protocol (RDP), on TCP port 3389:</p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/image5-Aug-15-2022-07-25-42-84-PM.png?width=1202&amp;name=image5-Aug-15-2022-07-25-42-84-PM.png" alt="image5-Aug-15-2022-07-25-42-84-PM" width="1202" loading="lazy" style="width: 1202px; margin-left: auto; margin-right: auto; display: block;" srcset="https://www.cybereason.com/hs-fs/hubfs/image5-Aug-15-2022-07-25-42-84-PM.png?width=601&amp;name=image5-Aug-15-2022-07-25-42-84-PM.png 601w, https://www.cybereason.com/hs-fs/hubfs/image5-Aug-15-2022-07-25-42-84-PM.png?width=1202&amp;name=image5-Aug-15-2022-07-25-42-84-PM.png 1202w, https://www.cybereason.com/hs-fs/hubfs/image5-Aug-15-2022-07-25-42-84-PM.png?width=1803&amp;name=image5-Aug-15-2022-07-25-42-84-PM.png 1803w, https://www.cybereason.com/hs-fs/hubfs/image5-Aug-15-2022-07-25-42-84-PM.png?width=2404&amp;name=image5-Aug-15-2022-07-25-42-84-PM.png 2404w, https://www.cybereason.com/hs-fs/hubfs/image5-Aug-15-2022-07-25-42-84-PM.png?width=3005&amp;name=image5-Aug-15-2022-07-25-42-84-PM.png 3005w, https://www.cybereason.com/hs-fs/hubfs/image5-Aug-15-2022-07-25-42-84-PM.png?width=3606&amp;name=image5-Aug-15-2022-07-25-42-84-PM.png 3606w" sizes="(max-width: 1202px) 100vw, 1202px"></p> <p style="text-align: center;"><span style="font-size: 16px;"><em>Bumblebee lateral movement from Cobalt Strike agent <span style="color: #575955;">as seen in the Cybereason Defense Platform</span></em></span></p> <p>Following the lateral movement, the attacker persists on the organization network using the remote management software “any desk”:</p> <p><span style="color: #575955;"><img src="https://www.cybereason.com/hs-fs/hubfs/image4-Aug-15-2022-07-26-15-14-PM.png?width=1142&amp;name=image4-Aug-15-2022-07-26-15-14-PM.png" alt="image4-Aug-15-2022-07-26-15-14-PM" width="1142" loading="lazy" style="width: 1142px; margin-left: auto; margin-right: auto; display: 
block;" srcset="https://www.cybereason.com/hs-fs/hubfs/image4-Aug-15-2022-07-26-15-14-PM.png?width=571&amp;name=image4-Aug-15-2022-07-26-15-14-PM.png 571w, https://www.cybereason.com/hs-fs/hubfs/image4-Aug-15-2022-07-26-15-14-PM.png?width=1142&amp;name=image4-Aug-15-2022-07-26-15-14-PM.png 1142w, https://www.cybereason.com/hs-fs/hubfs/image4-Aug-15-2022-07-26-15-14-PM.png?width=1713&amp;name=image4-Aug-15-2022-07-26-15-14-PM.png 1713w, https://www.cybereason.com/hs-fs/hubfs/image4-Aug-15-2022-07-26-15-14-PM.png?width=2284&amp;name=image4-Aug-15-2022-07-26-15-14-PM.png 2284w, https://www.cybereason.com/hs-fs/hubfs/image4-Aug-15-2022-07-26-15-14-PM.png?width=2855&amp;name=image4-Aug-15-2022-07-26-15-14-PM.png 2855w, https://www.cybereason.com/hs-fs/hubfs/image4-Aug-15-2022-07-26-15-14-PM.png?width=3426&amp;name=image4-Aug-15-2022-07-26-15-14-PM.png 3426w" sizes="(max-width: 1142px) 100vw, 1142px"></span></p> <p style="text-align: center;"><span style="font-size: 16px;"><em><span style="color: #575955;">Bumblebee operators using Anydesk for lateral movement as seen in the Cybereason Defense Platform</span></em></span></p> <h3 style="font-weight: normal;"><span style="color: #434343;">Active Directory Compromise</span></h3> <p>After the attacker obtains a highly privileged user and its password, the attacker accesses the shadow copy. Shadow Copy is a technology included in Microsoft Windows that can create backup copies or snapshots of computer files or volumes.&nbsp;</p> <p>Bumblebee accesses the remote Active Directory machines using Windows Management Instrumentation command-line utility (WMIC) and creates a shadow copy using <em>vssadmin</em> command. In addition, the attacker steals the <em>ntds.dit</em> file from the domain controller.&nbsp;</p> <p>The <em>ntds.dit</em> file is a database that stores Active Directory data, including information about user objects, groups and group membership. 
The file also stores the password hashes for all users in the domain:</p> <p><span style="color: #575955;"><img src="https://www.cybereason.com/hs-fs/hubfs/image8-Aug-15-2022-07-27-06-10-PM.png?width=1158&amp;name=image8-Aug-15-2022-07-27-06-10-PM.png" alt="image8-Aug-15-2022-07-27-06-10-PM" width="1158" loading="lazy" style="width: 1158px; margin-left: auto; margin-right: auto; display: block;" srcset="https://www.cybereason.com/hs-fs/hubfs/image8-Aug-15-2022-07-27-06-10-PM.png?width=579&amp;name=image8-Aug-15-2022-07-27-06-10-PM.png 579w, https://www.cybereason.com/hs-fs/hubfs/image8-Aug-15-2022-07-27-06-10-PM.png?width=1158&amp;name=image8-Aug-15-2022-07-27-06-10-PM.png 1158w, https://www.cybereason.com/hs-fs/hubfs/image8-Aug-15-2022-07-27-06-10-PM.png?width=1737&amp;name=image8-Aug-15-2022-07-27-06-10-PM.png 1737w, https://www.cybereason.com/hs-fs/hubfs/image8-Aug-15-2022-07-27-06-10-PM.png?width=2316&amp;name=image8-Aug-15-2022-07-27-06-10-PM.png 2316w, https://www.cybereason.com/hs-fs/hubfs/image8-Aug-15-2022-07-27-06-10-PM.png?width=2895&amp;name=image8-Aug-15-2022-07-27-06-10-PM.png 2895w, https://www.cybereason.com/hs-fs/hubfs/image8-Aug-15-2022-07-27-06-10-PM.png?width=3474&amp;name=image8-Aug-15-2022-07-27-06-10-PM.png 3474w" sizes="(max-width: 1158px) 100vw, 1158px"></span></p> <p style="text-align: center;"><span style="font-size: 16px;"><em><span style="color: #575955;">Bumblebee creates shadow copies on remote Active Directory server and exfiltrates Ntds.dit as seen in the Cybereason Defense Platform</span></em></span></p> <p>The following are the commands related to credential theft used to escalate privileges on the Active Directory:</p> <ul> <li aria-level="1"><strong><em>​​wmic</em></strong><em> /node:"[Active Directory IP address]" /user:"[Compromised user name]" /password:"[Compromised user password]" process call create "cmd /c vssadmin create shadow /for=C: 2&gt;&amp;1"</em></li> </ul> <ul> <li 
aria-level="1"><strong><em>wmic</em></strong><em> /node:"[Active Directory IP address]" /user:"[Compromised user name]" /password:"[Compromised user password]" process call create "cmd /c vssadmin list shadows &gt;&gt; c:\log.txt"</em></li> </ul> <ul> <li aria-level="1"><strong><em>type</em></strong><em> \\[Active Directory IP address]\c$\log.txt</em></li> </ul> <ul> <li aria-level="1"><strong><em>wmic</em></strong><em> /node:"[Active Directory IP address]" /user:"[Compromised user name]" /password:"[Compromised user password]" process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy635\Windows\NTDS\NTDS.dit c:\ProgramData\nt &amp; copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy635\Windows\System32\config\SYSTEM c:\ProgramData\nt &amp; copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy635\Windows\System32\config\SECURITY c:\ProgramData\nt"</em></li> </ul> <ul> <li aria-level="1"><strong><em>7za.exe</em></strong><em> a -mx3 nt.7z \\[Active Directory IP address]\c$\ProgramData\nt</em></li> </ul> <p>In order to obtain maximum privileges on the Active Directory domain, the threat actor:&nbsp;</p> <ul> <li aria-level="1">Creates a shadow copy of the machine's file volume.</li> <li aria-level="1">Lists all available shadow copies and stores the result in a file.</li> <li aria-level="1">Copies the Active Directory database (ntds.dit) as well as the registry hives containing credentials and sensitive data from the shadow copy.&nbsp;</li> <li aria-level="1">Compresses the output directory for exfiltration.&nbsp;</li> </ul> <h3 style="font-weight: normal;"><span style="color: #434343;">Account Creation and Data Exfiltration</span></h3> <p>The threat actor uses a domain administrator account obtained previously to move laterally on multiple systems. 
After initial connection, they create a local user and exfiltrate data using Rclone software.</p> <p>User creation commands are as follows :</p> <ul> <li aria-level="1">net user [Attacker created username] P@ssw0rd!1 /add</li> <li aria-level="1">net localgroup Administrators [Attacker created username] /add</li> </ul> <p style="text-align: center;"><span style="color: #575955;"><img src="https://www.cybereason.com/hs-fs/hubfs/image10-Aug-15-2022-07-28-45-50-PM.png?width=1201&amp;name=image10-Aug-15-2022-07-28-45-50-PM.png" alt="image10-Aug-15-2022-07-28-45-50-PM" width="1201" loading="lazy" style="width: 1201px; margin-left: auto; margin-right: auto; display: block;" srcset="https://www.cybereason.com/hs-fs/hubfs/image10-Aug-15-2022-07-28-45-50-PM.png?width=601&amp;name=image10-Aug-15-2022-07-28-45-50-PM.png 601w, https://www.cybereason.com/hs-fs/hubfs/image10-Aug-15-2022-07-28-45-50-PM.png?width=1201&amp;name=image10-Aug-15-2022-07-28-45-50-PM.png 1201w, https://www.cybereason.com/hs-fs/hubfs/image10-Aug-15-2022-07-28-45-50-PM.png?width=1802&amp;name=image10-Aug-15-2022-07-28-45-50-PM.png 1802w, https://www.cybereason.com/hs-fs/hubfs/image10-Aug-15-2022-07-28-45-50-PM.png?width=2402&amp;name=image10-Aug-15-2022-07-28-45-50-PM.png 2402w, https://www.cybereason.com/hs-fs/hubfs/image10-Aug-15-2022-07-28-45-50-PM.png?width=3003&amp;name=image10-Aug-15-2022-07-28-45-50-PM.png 3003w, https://www.cybereason.com/hs-fs/hubfs/image10-Aug-15-2022-07-28-45-50-PM.png?width=3603&amp;name=image10-Aug-15-2022-07-28-45-50-PM.png 3603w" sizes="(max-width: 1201px) 100vw, 1201px"></span><span style="color: #575955; font-size: 16px;"><em>Creation of a local user and exfiltration of data using rclone.exe </em><em>as seen in the Cybereason Defense Platform</em></span></p> <p>The rclone.exe process transfers approximately 50 GB of data to an endpoint with an IP address over TCP port 22 (SSH), which is located in the United States.</p> <h2>Detection and Prevention</h2> <h3 
style="font-weight: normal;"><span style="color: #434343;">Cybereason Defense Platform</span></h3> <p>The<a href="/platform" rel="noopener" target="_blank"><span> Cybereason Defense Platform</span></a> is able to detect and prevent infections with Bumblebee and post exploitation activities, using multi-layer protection that detects and blocks malware with threat intelligence, machine learning, and Next-Gen Antivirus (NGAV) capabilities:</p> <p><span style="font-size: 3px; color: #575955;"><img src="https://www.cybereason.com/hs-fs/hubfs/image3-Aug-15-2022-07-29-34-00-PM.png?width=459&amp;name=image3-Aug-15-2022-07-29-34-00-PM.png" alt="image3-Aug-15-2022-07-29-34-00-PM" width="459" loading="lazy" style="width: 459px; margin-left: auto; margin-right: auto; display: block;" srcset="https://www.cybereason.com/hs-fs/hubfs/image3-Aug-15-2022-07-29-34-00-PM.png?width=230&amp;name=image3-Aug-15-2022-07-29-34-00-PM.png 230w, https://www.cybereason.com/hs-fs/hubfs/image3-Aug-15-2022-07-29-34-00-PM.png?width=459&amp;name=image3-Aug-15-2022-07-29-34-00-PM.png 459w, https://www.cybereason.com/hs-fs/hubfs/image3-Aug-15-2022-07-29-34-00-PM.png?width=689&amp;name=image3-Aug-15-2022-07-29-34-00-PM.png 689w, https://www.cybereason.com/hs-fs/hubfs/image3-Aug-15-2022-07-29-34-00-PM.png?width=918&amp;name=image3-Aug-15-2022-07-29-34-00-PM.png 918w, https://www.cybereason.com/hs-fs/hubfs/image3-Aug-15-2022-07-29-34-00-PM.png?width=1148&amp;name=image3-Aug-15-2022-07-29-34-00-PM.png 1148w, https://www.cybereason.com/hs-fs/hubfs/image3-Aug-15-2022-07-29-34-00-PM.png?width=1377&amp;name=image3-Aug-15-2022-07-29-34-00-PM.png 1377w" sizes="(max-width: 459px) 100vw, 459px"></span></p> <p style="text-align: center;"><span style="font-size: 16px;"><em><span style="color: #575955;">The Cybereason Defense Platform labels as suspicious the execution of a malicious Bumblebee DLL script using odbcconf.exe</span></em></span></p> <p><span style="font-size: 16px; color: #575955;"><img 
src="https://www.cybereason.com/hs-fs/hubfs/image7-Aug-15-2022-07-30-20-12-PM.png?width=1134&amp;name=image7-Aug-15-2022-07-30-20-12-PM.png" alt="image7-Aug-15-2022-07-30-20-12-PM" width="1134" loading="lazy" style="width: 1134px; margin-left: auto; margin-right: auto; display: block;" srcset="https://www.cybereason.com/hs-fs/hubfs/image7-Aug-15-2022-07-30-20-12-PM.png?width=567&amp;name=image7-Aug-15-2022-07-30-20-12-PM.png 567w, https://www.cybereason.com/hs-fs/hubfs/image7-Aug-15-2022-07-30-20-12-PM.png?width=1134&amp;name=image7-Aug-15-2022-07-30-20-12-PM.png 1134w, https://www.cybereason.com/hs-fs/hubfs/image7-Aug-15-2022-07-30-20-12-PM.png?width=1701&amp;name=image7-Aug-15-2022-07-30-20-12-PM.png 1701w, https://www.cybereason.com/hs-fs/hubfs/image7-Aug-15-2022-07-30-20-12-PM.png?width=2268&amp;name=image7-Aug-15-2022-07-30-20-12-PM.png 2268w, https://www.cybereason.com/hs-fs/hubfs/image7-Aug-15-2022-07-30-20-12-PM.png?width=2835&amp;name=image7-Aug-15-2022-07-30-20-12-PM.png 2835w, https://www.cybereason.com/hs-fs/hubfs/image7-Aug-15-2022-07-30-20-12-PM.png?width=3402&amp;name=image7-Aug-15-2022-07-30-20-12-PM.png 3402w" sizes="(max-width: 1134px) 100vw, 1134px"></span></p> <p style="text-align: center;"><span style="font-size: 16px;"><em><span style="color: #575955;">The Cybereason Defense Platform detects the credential theft with both reg.exe and procdump64.exe</span></em></span></p> <p><span style="font-size: 16px; color: #575955;"><img src="https://www.cybereason.com/hs-fs/hubfs/image14-Aug-15-2022-07-31-46-08-PM.png?width=1699&amp;name=image14-Aug-15-2022-07-31-46-08-PM.png" alt="image14-Aug-15-2022-07-31-46-08-PM" width="1699" loading="lazy" style="width: 1699px; margin-left: auto; margin-right: auto; display: block;" srcset="https://www.cybereason.com/hs-fs/hubfs/image14-Aug-15-2022-07-31-46-08-PM.png?width=850&amp;name=image14-Aug-15-2022-07-31-46-08-PM.png 850w, 
https://www.cybereason.com/hs-fs/hubfs/image14-Aug-15-2022-07-31-46-08-PM.png?width=1699&amp;name=image14-Aug-15-2022-07-31-46-08-PM.png 1699w, https://www.cybereason.com/hs-fs/hubfs/image14-Aug-15-2022-07-31-46-08-PM.png?width=2549&amp;name=image14-Aug-15-2022-07-31-46-08-PM.png 2549w, https://www.cybereason.com/hs-fs/hubfs/image14-Aug-15-2022-07-31-46-08-PM.png?width=3398&amp;name=image14-Aug-15-2022-07-31-46-08-PM.png 3398w, https://www.cybereason.com/hs-fs/hubfs/image14-Aug-15-2022-07-31-46-08-PM.png?width=4248&amp;name=image14-Aug-15-2022-07-31-46-08-PM.png 4248w, https://www.cybereason.com/hs-fs/hubfs/image14-Aug-15-2022-07-31-46-08-PM.png?width=5097&amp;name=image14-Aug-15-2022-07-31-46-08-PM.png 5097w" sizes="(max-width: 1699px) 100vw, 1699px"></span></p> <p style="text-align: center;"><span style="font-size: 16px;"><em><span style="color: #575955;">The Cybereason Defense Platform detects data exfiltration activities</span></em></span></p> <p><span style="color: #575955;"><img src="https://www.cybereason.com/hs-fs/hubfs/image20-Aug-15-2022-07-33-11-94-PM.png?width=1360&amp;name=image20-Aug-15-2022-07-33-11-94-PM.png" alt="image20-Aug-15-2022-07-33-11-94-PM" width="1360" loading="lazy" style="width: 1360px; margin-left: auto; margin-right: auto; display: block;" srcset="https://www.cybereason.com/hs-fs/hubfs/image20-Aug-15-2022-07-33-11-94-PM.png?width=680&amp;name=image20-Aug-15-2022-07-33-11-94-PM.png 680w, https://www.cybereason.com/hs-fs/hubfs/image20-Aug-15-2022-07-33-11-94-PM.png?width=1360&amp;name=image20-Aug-15-2022-07-33-11-94-PM.png 1360w, https://www.cybereason.com/hs-fs/hubfs/image20-Aug-15-2022-07-33-11-94-PM.png?width=2040&amp;name=image20-Aug-15-2022-07-33-11-94-PM.png 2040w, https://www.cybereason.com/hs-fs/hubfs/image20-Aug-15-2022-07-33-11-94-PM.png?width=2720&amp;name=image20-Aug-15-2022-07-33-11-94-PM.png 2720w, 
https://www.cybereason.com/hs-fs/hubfs/image20-Aug-15-2022-07-33-11-94-PM.png?width=3400&amp;name=image20-Aug-15-2022-07-33-11-94-PM.png 3400w, https://www.cybereason.com/hs-fs/hubfs/image20-Aug-15-2022-07-33-11-94-PM.png?width=4080&amp;name=image20-Aug-15-2022-07-33-11-94-PM.png 4080w" sizes="(max-width: 1360px) 100vw, 1360px"></span></p> <p style="text-align: center;"><span style="font-size: 16px;"><em><span style="color: #575955;">The Cybereason Defense Platform detects a Meterpreter agent</span></em></span></p> <h2>Cybereason GSOC MDR</h2> <p>The Cybereason GSOC recommends the following:</p> <ul> <li aria-level="1">Enable the Anti-Malware feature on the Cybereason NGAV and enable the<a href="https://nest.cybereason.com/documentation/product-documentation/190/anti-malware-settings" rel="noopener" target="_blank"><span> Detect and Prevent modes</span></a> of this feature.</li> <li aria-level="1">Securely handle files downloaded from the Internet and email messages that originate from external sources.</li> <li aria-level="1">Regularly backup files to a secured remote location and implement a data recovery plan. Regular data backups ensure that you can restore your data after a ransomware attack.</li> <li aria-level="1">Use secure passwords, regularly rotate passwords, and use multi-factor authentication where possible.</li> <li aria-level="1">Follow <a href="https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory" rel="noopener" target="_blank"><span>Best Practices for Securing Active Directory</span></a> provided by Microsoft.</li> <li aria-level="1">To hunt for infections with Bumblebee proactively, use the Investigation screen in the Cybereason Defense Platform and the query in the <span>Hunting Queries</span> section to search for machines that are potentially infected with this malware. 
Based on the search results, take further remediation actions such as isolating the infected machines.</li> </ul> <p>Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere. <a href="/request-a-demo" rel="noopener" target="_blank"><span>Schedule a demo today</span></a> to learn how your organization can benefit from an <a href="/blog/the-cybereason-malop-achieving-operation-centric-security" rel="noopener" target="_blank"><span>operation-centric approach to security</span></a>.</p> <h2>MITRE ATT&amp;CK Mapping</h2> <table style="border-collapse: collapse; table-layout: fixed; margin-left: auto; margin-right: auto; border: 1px solid #99acc2; height: 1719.38px; width: 728px;"> <tbody> <tr style="height: 49.2773px;"> <td style="background-color: #f1c232; border: 0.984375pt solid #000000; height: 49px; width: 212.188px;"> <p><strong>Tactic</strong></p> </td> <td style="background-color: #f1c232; border: 0.984375pt solid #000000; height: 49px; width: 514.473px;"> <p><strong>Technique or Sub-technique</strong></p> </td> </tr> <tr style="height: 56.9922px;"> <td style="height: 57px; width: 212.188px; border-width: 1px; border-style: solid;"> <p><a href="https://attack.mitre.org/tactics/TA0001/" rel="noopener" target="_blank"><span>TA0001</span></a>: Initial Access</p> </td> <td style="height: 57px; width: 514.473px; border-width: 1px; border-style: solid;"> <p><a href="https://attack.mitre.org/techniques/T1189/" rel="noopener" target="_blank"><span>T1189</span></a>: Drive-by Compromise</p> </td> </tr> <tr style="height: 56.9922px;"> <td style="border: 1pt solid #000000; height: 57px; width: 212.188px;"> <p><a href="https://attack.mitre.org/tactics/TA0001/" rel="noopener" target="_blank"><span>TA0001</span></a>: Initial Access</p> </td> <td style="border: 1pt solid #000000; height: 57px; width: 514.473px;"> <p><a href="https://attack.mitre.org/techniques/T1566/002/" rel="noopener" 
target="_blank"><span>T1566.002</span></a>: Phishing: Spearphishing Link</p> </td> </tr> <tr style="height: 56.9922px;"> <td style="border: 1pt solid #000000; height: 57px; width: 212.188px;"> <p><a href="https://attack.mitre.org/tactics/TA0001/" rel="noopener" target="_blank"><span>TA0001</span></a>: Initial Access</p> </td> <td style="border: 1pt solid #000000; height: 57px; width: 514.473px;"> <p><a href="https://attack.mitre.org/techniques/T1078/" rel="noopener" target="_blank"><span>T1078</span></a>: Valid Accounts</p> </td> </tr> <tr style="height: 49.3164px;"> <td style="border: 1pt solid #000000; height: 49px; width: 212.188px;"> <p><a href="https://attack.mitre.org/tactics/TA0002/" rel="noopener" target="_blank"><span>TA0002</span></a>: Execution</p> </td> <td style="border: 1pt solid #000000; height: 49px; width: 514.473px;"> <p><a href="https://attack.mitre.org/techniques/T1204/001/" rel="noopener" target="_blank"><span>T1204.001</span></a>: User Execution: Malicious Link</p> </td> </tr> <tr style="height: 49.3164px;"> <td style="border: 1pt solid #000000; height: 49px; width: 212.188px;"> <p><a href="https://attack.mitre.org/tactics/TA0002/" rel="noopener" target="_blank"><span>TA0002</span></a>: Execution</p> </td> <td style="border: 1pt solid #000000; height: 49px; width: 514.473px;"> <p><a href="https://attack.mitre.org/techniques/T1204/002/" rel="noopener" target="_blank"><span>T1204.002</span></a>: User Execution: Malicious File</p> </td> </tr> <tr style="height: 77.3047px;"> <td style="border: 1pt solid #000000; height: 77px; width: 212.188px;"> <p><a href="https://attack.mitre.org/tactics/TA0002/" rel="noopener" target="_blank"><span>TA0002</span></a>: Execution</p> </td> <td style="border: 1pt solid #000000; height: 77px; width: 514.473px;"> <p><a href="https://attack.mitre.org/techniques/T1059/003/" rel="noopener" target="_blank"><span>T1059.003</span></a>: Command and Scripting Interpreter: Windows Command Shell</p> </td> </tr> <tr 
style="height: 49.3164px;"> <td style="border: 1pt solid #000000; height: 49px; width: 212.188px;"> <p><a href="https://attack.mitre.org/tactics/TA0002/" rel="noopener" target="_blank"><span>TA0002</span></a>: Execution</p> </td> <td style="border: 1pt solid #000000; height: 49px; width: 514.473px;"> <p><a href="https://attack.mitre.org/techniques/T1047/" rel="noopener" target="_blank"><span>T1047</span></a>: Windows Management Instrumentation</p> </td> </tr> <tr style="height: 77.3047px;"> <td style="border: 1pt solid #000000; height: 77px; width: 212.188px;"> <p><a href="https://attack.mitre.org/tactics/TA0004/" rel="noopener" target="_blank"><span>TA0004:</span></a> Privilege Escalation</p> </td> <td style="border: 1pt solid #000000; height: 77px; width: 514.473px;"> <p><a href="https://attack.mitre.org/techniques/T1548/002/" rel="noopener" target="_blank"><span>T1548.002</span></a>: Abuse Elevation Control Mechanism: Bypass User Account Control</p> </td> </tr> <tr style="height: 77.3047px;"> <td style="border: 1pt solid #000000; height: 77px; width: 212.188px;"> <p><a href="https://attack.mitre.org/tactics/TA0004/" rel="noopener" target="_blank"><span>TA0004:</span></a> Privilege Escalation</p> </td> <td style="border: 1pt solid #000000; height: 77px; width: 514.473px;"> <p><a href="https://attack.mitre.org/techniques/T1068/" rel="noopener" target="_blank"><span>T1068:</span></a> Exploitation for Privilege Escalation</p> </td> </tr> <tr style="height: 77.3047px;"> <td style="border: 1pt solid #000000; height: 77px; width: 212.188px;"> <p><a href="https://attack.mitre.org/tactics/TA0005/" rel="noopener" target="_blank"><span>TA0005</span></a>: Defense Evasion</p> </td> <td style="border: 1pt solid #000000; height: 77px; width: 514.473px;"> <p><a href="https://attack.mitre.org/techniques/T1036/005/" rel="noopener" target="_blank"><span>T1036.005</span></a>: Masquerading: Match Legitimate Name or Location</p> </td> </tr> <tr style="height: 77.3047px;"> <td 
style="border: 1pt solid #000000; height: 77px; width: 212.188px;"> <p><a href="https://attack.mitre.org/tactics/TA0005/" rel="noopener" target="_blank"><span>TA0005</span></a>: Defense Evasion</p> </td> <td style="border: 1pt solid #000000; height: 77px; width: 514.473px;"> <p><a href="https://attack.mitre.org/techniques/T1055/" rel="noopener" target="_blank"><span>T1055</span></a>: Process Injection</p> </td> </tr> <tr style="height: 77.3047px;"> <td style="border: 1pt solid #000000; height: 77px; width: 212.188px;"> <p><a href="https://attack.mitre.org/tactics/TA0005/" rel="noopener" target="_blank"><span>TA0005</span></a>: Defense Evasion</p> </td> <td style="border: 1pt solid #000000; height: 77px; width: 514.473px;"> <p><a href="https://attack.mitre.org/techniques/T1218/008/" rel="noopener" target="_blank"><span>T1218.008</span></a>: System Binary Proxy Execution: Odbcconf</p> </td> </tr> <tr style="height: 77.3047px;"> <td style="border: 1pt solid #000000; height: 77px; width: 212.188px;"> <p><a href="https://attack.mitre.org/tactics/TA0005/" rel="noopener" target="_blank"><span>TA0005</span></a>: Defense Evasion</p> </td> <td style="border: 1pt solid #000000; height: 77px; width: 514.473px;"> <p><a href="https://attack.mitre.org/techniques/T1218/011/" rel="noopener" target="_blank"><span>T1218.011</span></a>: System Binary Proxy Execution: Rundll32</p> </td> </tr> <tr style="height: 77.3047px;"> <td style="border: 1pt solid #000000; height: 77px; width: 212.188px;"> <p><a href="https://attack.mitre.org/tactics/TA0005/" rel="noopener" target="_blank"><span>TA0005</span></a>: Defense Evasion</p> </td> <td style="border: 1pt solid #000000; height: 77px; width: 514.473px;"> <p><a href="https://attack.mitre.org/techniques/T1620/" rel="noopener" target="_blank"><span>T1620</span></a>: Reflective Code Loading</p> </td> </tr> <tr style="height: 77.3047px;"> <td style="border: 1pt solid #000000; height: 77px; width: 212.188px;"> <p><a href="https://attack.mitre.org/tactics/TA0006/" 
rel="noopener" target="_blank"><span>TA0006:</span></a> Credential Access</p> </td> <td style="border: 1pt solid #000000; height: 77px; width: 514.473px;"> <p><a href="https://attack.mitre.org/techniques/T1003/001/" rel="noopener" target="_blank"><span>T1003.001:</span></a> OS Credential Dumping: LSASS Memory</p> </td> </tr> <tr style="height: 77.3047px;"> <td style="border: 1pt solid #000000; height: 77px; width: 212.188px;"> <p><a href="https://attack.mitre.org/tactics/TA0006/" rel="noopener" target="_blank"><span>TA0006:</span></a> Credential Access</p> </td> <td style="border: 1pt solid #000000; height: 77px; width: 514.473px;"> <p><a href="https://attack.mitre.org/techniques/T1003/002/" rel="noopener" target="_blank"><span>T1003.002:</span></a> OS Credential Dumping: Security Account Manager</p> </td> </tr> <tr style="height: 77.3047px;"> <td style="border: 1pt solid #000000; height: 77px; width: 212.188px;"> <p><a href="https://attack.mitre.org/tactics/TA0006/" rel="noopener" target="_blank"><span>TA0006:</span></a> Credential Access</p> </td> <td style="border: 1pt solid #000000; height: 77px; width: 514.473px;"> <p><a href="https://attack.mitre.org/techniques/T1003/003/" rel="noopener" target="_blank"><span>T1003.003:</span></a> OS Credential Dumping: NTDS</p> </td> </tr> <tr style="height: 77.3047px;"> <td style="border: 1pt solid #000000; height: 77px; width: 212.188px;"> <p><a href="https://attack.mitre.org/tactics/TA0006/" rel="noopener" target="_blank"><span>TA0006:</span></a> Credential Access</p> </td> <td style="border: 1pt solid #000000; height: 77px; width: 514.473px;"> <p><a href="https://attack.mitre.org/techniques/T1003/004/" rel="noopener" target="_blank"><span>T1003.004:</span></a> OS Credential Dumping: LSA Secrets</p> </td> </tr> <tr style="height: 49.3164px;"> <td style="border: 1pt solid #000000; height: 49px; width: 212.188px;"> <p><a href="https://attack.mitre.org/tactics/TA0007/" rel="noopener"><span>TA0007</span></a>: Discovery</p> 
</td> <td style="border: 1pt solid #000000; height: 49px; width: 514.473px;"> <p><a href="https://attack.mitre.org/techniques/T1018/" rel="noopener" target="_blank"><span>T1018</span></a>: Remote System Discovery</p> </td> </tr> <tr style="height: 49.3164px;"> <td style="border: 1pt solid #000000; height: 49px; width: 212.188px;"> <p><a href="https://attack.mitre.org/tactics/TA0007/" rel="noopener"><span>TA0007</span></a>: Discovery</p> </td> <td style="border: 1pt solid #000000; height: 49px; width: 514.473px;"> <p><a href="https://attack.mitre.org/techniques/T1033/" rel="noopener" target="_blank"><span>T1033</span></a>: System Owner/User Discovery</p> </td> </tr> <tr style="height: 49.3164px;"> <td style="border: 1pt solid #000000; height: 49px; width: 212.188px;"> <p><a href="https://attack.mitre.org/tactics/TA0007/" rel="noopener" target="_blank"><span>TA0007</span></a>: Discovery</p> </td> <td style="border: 1pt solid #000000; height: 49px; width: 514.473px;"> <p><a href="https://attack.mitre.org/techniques/T1057/" rel="noopener" target="_blank"><span>T1057</span></a>: Process Discovery</p> </td> </tr> <tr style="height: 49.3164px;"> <td style="border: 1pt solid #000000; height: 49px; width: 212.188px;"> <p><a href="https://attack.mitre.org/tactics/TA0007/" rel="noopener" target="_blank"><span>TA0007</span></a>: Discovery</p> </td> <td style="border: 1pt solid #000000; height: 49px; width: 514.473px;"> <p><a href="https://attack.mitre.org/techniques/T1082/" rel="noopener" target="_blank"><span>T1082</span></a>: System Information Discovery</p> </td> </tr> <tr style="height: 49.3164px;"> <td style="border: 1pt solid #000000; height: 49px; width: 212.188px;"> <p><a href="https://attack.mitre.org/tactics/TA0007/" rel="noopener" target="_blank"><span>TA0007</span></a>: Discovery</p> </td> <td style="border: 1pt solid #000000; height: 49px; width: 514.473px;"> <p><a href="https://attack.mitre.org/techniques/T1087/" rel="noopener" 
target="_blank"><span>T1087</span></a>: Account Discovery</p> </td> </tr> <tr style="height: 76.9922px;"> <td style="border: 1pt solid #000000; height: 77px; width: 212.188px;"> <p><a href="https://attack.mitre.org/tactics/TA0009/" rel="noopener" target="_blank"><span>TA0009</span></a>: Collection</p> </td> <td style="border: 1pt solid #000000; height: 77px; width: 514.473px;"> <p><a href="https://attack.mitre.org/techniques/T1560/001/" rel="noopener" target="_blank"><span>T1560.001</span></a>: Archive Collected Data: Archive via Utility</p> </td> </tr> <tr style="height: 49.3164px;"> <td style="border: 1pt solid #000000; height: 49px; width: 212.188px;"> <p><a href="https://attack.mitre.org/tactics/TA0009/" rel="noopener" target="_blank"><span>TA0009</span></a>: Collection</p> </td> <td style="border: 1pt solid #000000; height: 49px; width: 514.473px;"> <p><a href="https://attack.mitre.org/techniques/T1039/" rel="noopener" target="_blank"><span>T1039</span></a>: Data from Network Shared Drive</p> </td> </tr> <tr style="height: 49.3164px;"> <td style="border: 1pt solid #000000; height: 49px; width: 212.188px;"> <p><a href="https://attack.mitre.org/tactics/TA0010/" rel="noopener" target="_blank"><span>TA0010</span></a>: Exfiltration</p> </td> <td style="border: 1pt solid #000000; height: 49px; width: 514.473px;"> <p><a href="https://attack.mitre.org/techniques/T1048/" rel="noopener" target="_blank"><span>T1048</span></a>: Exfiltration Over Alternative Protocol</p> </td> </tr> </tbody> </table> <p>&nbsp;</p> <h2>Indicators of Compromise</h2> <table style="border-collapse: collapse; table-layout: fixed; margin-left: auto; margin-right: auto; border: 1px solid #99acc2;"> <tbody> <tr> <td style="background-color: #f1c232;"> <p><strong><span style="color: #575955;">IOC type</span></strong></p> </td> <td style="background-color: #f1c232;"> <p><strong><span style="color: #575955;">IOC values</span></strong></p> </td> </tr> <tr> <td style="border: 0.99609pt solid #000000;"> 
<p><strong><span style="color: #575955;">Executables</span></strong></p> </td> <td style="border: 0.99609pt solid #000000;"> <p><span style="color: #575955;">SHA-1 hash: af.exe (AdFind) - </span><strong><span style="color: #575955;">known publicly</span></strong></p> <ul> <li style="color: #575955;" aria-level="1"><em><span style="color: #575955;">4acc9ddf7f23109216ca22801ac75c8fabb97019</span></em></li> </ul> </td> </tr> <tr> <td style="border: 0.99609pt solid #000000;"> <p><strong><span style="color: #575955;">IP addresses</span></strong></p> </td> <td style="border: 0.99609pt solid #000000;"> <p><span style="color: #3c4043;">C2 server</span><span style="color: #575955;">:&nbsp;</span></p> <ul> <li style="color: #575955;" aria-level="1"><em><span style="color: #575955;">185.62.56[.]129 (</span></em><strong><em><span style="color: #575955;">known publicly</span></em></strong><em><span style="color: #575955;">, affiliated with Bumblebee)</span></em></li> </ul> </td> </tr> </tbody> </table> <p>&nbsp;</p> <h2>About the Researchers</h2> <p><strong><img src="https://www.cybereason.com/hs-fs/hubfs/image12-2.jpg?width=159&amp;name=image12-2.jpg" alt="image12-2" width="159" loading="lazy" style="width: 159px; float: left; margin: 0px 7px 1px 0px;" srcset="https://www.cybereason.com/hs-fs/hubfs/image12-2.jpg?width=80&amp;name=image12-2.jpg 80w, https://www.cybereason.com/hs-fs/hubfs/image12-2.jpg?width=159&amp;name=image12-2.jpg 159w, https://www.cybereason.com/hs-fs/hubfs/image12-2.jpg?width=239&amp;name=image12-2.jpg 239w, https://www.cybereason.com/hs-fs/hubfs/image12-2.jpg?width=318&amp;name=image12-2.jpg 318w, https://www.cybereason.com/hs-fs/hubfs/image12-2.jpg?width=398&amp;name=image12-2.jpg 398w, https://www.cybereason.com/hs-fs/hubfs/image12-2.jpg?width=477&amp;name=image12-2.jpg 477w" sizes="(max-width: 159px) 100vw, 159px">Meroujan Antonyan, Senior Security Analyst, Cybereason Global SOC&nbsp;</strong></p> <p>Meroujan Antonyan is a Senior Security Analyst with 
the Cybereason Global SOC team. Meroujan hunts for emerging threats and analyzes incidents in order to improve hunting techniques and procedures. He contributes to the automation and interconnection of various cybersecurity projects that collect and leverage threat intelligence and extract value from security events. Meroujan has Digital Forensics &amp; Incident Response experience and is interested in low-level malware development, oriented towards improving the capabilities of security solutions.</p> <p>&nbsp;</p> <p><strong><img src="https://www.cybereason.com/hs-fs/hubfs/image19-1.jpg?width=152&amp;name=image19-1.jpg" alt="image19-1" width="152" loading="lazy" style="width: 152px; float: left; margin: 0px 7px 1px 0px;" srcset="https://www.cybereason.com/hs-fs/hubfs/image19-1.jpg?width=76&amp;name=image19-1.jpg 76w, https://www.cybereason.com/hs-fs/hubfs/image19-1.jpg?width=152&amp;name=image19-1.jpg 152w, https://www.cybereason.com/hs-fs/hubfs/image19-1.jpg?width=228&amp;name=image19-1.jpg 228w, https://www.cybereason.com/hs-fs/hubfs/image19-1.jpg?width=304&amp;name=image19-1.jpg 304w, https://www.cybereason.com/hs-fs/hubfs/image19-1.jpg?width=380&amp;name=image19-1.jpg 380w, https://www.cybereason.com/hs-fs/hubfs/image19-1.jpg?width=456&amp;name=image19-1.jpg 456w" sizes="(max-width: 152px) 100vw, 152px">Alon Laufer, Security Analyst, Cybereason Global SOC&nbsp;</strong></p> <p>Alon Laufer is a Security Analyst with the Cybereason Global SOC team. Alon analyses critical incidents. He began his career in the Israeli Air Force, where he was responsible for protecting critical infrastructure. 
Alon is interested in malware analysis, digital forensics, and incident response.</p> <p>&nbsp;</p></span> <!-- IOC PopUp Modal --> <!-- --> <!-- Social Share --> <div class="cr-blog-post__social-sharing"> <span>Share</span> <div id="hs_cos_wrapper_module_161724375084957" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_module widget-type-social_sharing" style="" data-hs-cos-general-type="widget" data-hs-cos-type="module"> <div class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_social_sharing" data-hs-cos-general-type="widget" data-hs-cos-type="social_sharing"> <a href="https://twitter.com/intent/tweet?original_referer=https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control&amp;utm_medium=social&amp;utm_source=twitter&amp;url=https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control&amp;utm_medium=social&amp;utm_source=twitter&amp;source=tweetbutton&amp;text=" target="_blank" rel="noopener" style="width:16px;"> <img src="https://www.cybereason.com/hubfs/dam/images/images-web/blog-images/template-images/twitter-gray.svg" class="hs-image-widget hs-image-social-sharing-24" style="height:16px;width:16px;" width="16" hspace="0" alt="Share on twitter"> </a> <a href="http://www.facebook.com/share.php?u=https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control&amp;utm_medium=social&amp;utm_source=facebook" target="_blank" rel="noopener" style="width:16px;"> <img src="https://www.cybereason.com/hubfs/dam/images/images-web/blog-images/template-images/facebook-gray.svg" class="hs-image-widget hs-image-social-sharing-24" style="height:16px;width:16px;" width="16" hspace="0" alt="Share on facebook"> </a> <a 
<div class="cr-footer__links-list column"> <h4>Platform</h4> <ul> <li><a href="https://www.cybereason.com/platform">Overview</a></li> <li><a href="https://www.cybereason.com/platform/endpoint-prevention">Endpoint Protection</a></li> <li><a href="https://www.cybereason.com/platform/endpoint-detection-response-edr">EDR</a></li> <li><a href="https://www.cybereason.com/platform/managed-detection-response-mdr">MDR</a></li> </ul> </div> </div> </div> </div> <div class="container page-center"> <div class="columns cr-footer__bottom-bar"> <div class="column"> <p>©Cybereason 2025. All Rights Reserved.</p> </div> <div class="column bottom-bar__links"> <ul> <li><a href="https://www.cybereason.com/terms-of-use">Terms of Use</a></li> <li><a href="https://www.cybereason.com/privacy-notice">Privacy Notice</a></li> <li><a href="https://www.cybereason.com/ccpa-privacy-request">Do Not Sell</a></li> <li><a href="https://www.cybereason.com/security">Security</a></li> <!--<li><a href="#">Cookie Policy</a></li>--> </ul> </div> <div class="column bottom-bar__social"> <ul> <li><a class="facebook" href="https://www.facebook.com/Cybereason/"></a></li> <li><a class="twitter" href="https://twitter.com/cybereason"></a></li> <li><a class="youtube" href="https://www.youtube.com/channel/UCOm7AaB0HiNH4Phe66sK0Ew"></a></li> <li><a class="linkedin" href="https://www.linkedin.com/company/cybereason"></a></li> <li><a class="instagram" href="https://www.instagram.com/cybereason"></a></li> </ul> </div> </div> </div> </footer></div> </div><!--end widget-span --> </div><!--end row--> </div><!--end row-wrapper --> </div><!--end footer --> </div><!--end footer wrapper --> <!-- HubSpot performance collection script --> <script defer src="/hs/hsstatic/content-cwv-embed/static-1.1293/embed.js"></script> <script src="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/template_assets/42507089303/1644440411417/__CR_Web_Platform/JS/animatedModal/animatedModal.min.js"></script> <script> var hsVars = hsVars 
|| {}; hsVars['language'] = 'en'; </script> <script src="/hs/hsstatic/cos-i18n/static-1.53/bundles/project.js"></script> <script src="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/module_assets/41681847227/1644941386128/module_41681847227_CR_-_Malicious_Life_Network_--_Tier_One_Header.min.js"></script> <script src="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/module_assets/41682410610/1644941443113/module_41682410610_CR_-_Malicious_Life_Network_--_Main_Hero.min.js"></script> <script src="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/module_assets/43300360745/1724042213858/module_43300360745_CR_-_Malicious_Life_Network_--_Related_Posts.min.js"></script> <script src="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/module_assets/86933076631/1669911113440/module_86933076631_CR_-_Sticky_CTA_Bar.min.js"></script> <!-- Start of HubSpot Analytics Code --> <script type="text/javascript"> var _hsq = _hsq || []; _hsq.push(["setContentType", "blog-post"]); _hsq.push(["setCanonicalUrl", "https:\/\/www.cybereason.com\/blog\/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control"]); _hsq.push(["setPageId", "82045466995"]); _hsq.push(["setContentMetadata", { "contentPageId": 82045466995, "legacyPageId": "82045466995", "contentFolderId": null, "contentGroupId": 5272851739, "abTestId": null, "languageVariantId": 82045466995, "languageCode": "en", }]); </script> <script type="text/javascript" id="hs-script-loader" async defer src="/hs/scriptloader/3354902.js"></script> <!-- End of HubSpot Analytics Code --> <script type="text/javascript"> var hsVars = { render_id: "dc30805d-c310-4707-81ef-62da5bd0c07f", ticks: 1740088478351, page_id: 82045466995, content_group_id: 5272851739, portal_id: 3354902, app_hs_base_url: "https://app.hubspot.com", cp_hs_base_url: "https://cp.hubspot.com", language: "en", analytics_page_type: "blog-post", scp_content_type: "", analytics_page_id: "82045466995", category_id: 3, 
folder_id: 0, is_hubspot_user: false } </script> <script defer src="/hs/hsstatic/HubspotToolsMenu/static-1.393/js/index.js"></script> <script>if ($('[id^="hs_form"]').length > 0) { var myInterval = setInterval( function() { var myFields = document.getElementsByClassName('hs-input'); if (myFields.length > 0) { clearInterval(myInterval); for (var i = 0; i < myFields.length; i++) { var myField = myFields[i]; var myTagName = myField.tagName.toLowerCase(); if (myTagName == 'input' || myTagName == 'textarea') { if (myField.placeholder != null) { myField.placeholder = myField.placeholder.replace('*', ''); } } else if (myTagName == 'select') { myField.options[0].innerHTML = myField.options[0].innerHTML.replace('*', ''); } } } }, 100); } </script> <div id="fb-root"></div> <script>(function(d, s, id) { var js, fjs = d.getElementsByTagName(s)[0]; if (d.getElementById(id)) return; js = d.createElement(s); js.id = id; js.src = "//connect.facebook.net/en_GB/sdk.js#xfbml=1&version=v3.0"; fjs.parentNode.insertBefore(js, fjs); }(document, 'script', 'facebook-jssdk'));</script> <script>!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0];if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src="https://platform.twitter.com/widgets.js";fjs.parentNode.insertBefore(js,fjs);}}(document,"script","twitter-wjs");</script> <script> function sticky_relocate() { var window_top = $(window).scrollTop(); var div_top = $('#sticky-anchor').offset().top; if (window_top > div_top) { $('#sticky').addClass('stick'); } else { $('#sticky').removeClass('stick'); } } $(function() { $(window).scroll(sticky_relocate); sticky_relocate(); }); </script> <!-- Generated by the HubSpot Template Builder - template version 1.03 --> <script type="text/javascript" src="/_Incapsula_Resource?SWJIYLWA=719d34d31c8e3a6e6fffd425f7e032f3&ns=1&cb=1035557303" async></script></body></html>
