Rewterz Threat Alert – BumbleBee Malware – Active IOCs

November 25, 2022

Severity

Medium

Analysis Summary

The malware loader, Bumblebee, is used to download Cobalt Strike and perhaps other malware such as ransomware. It also replaces the BazarLoader backdoor, which is previously used to transmit ransomware payloads. This new malware is linked to a number of threat actors, including several well-known ransomware.

According to researchers, the appearance of Bumblebee in phishing attempts in March correlates with a drop in the use of BazarLoader for distributing file-encrypting malware.
Bumblebee is distributed in the form of ISO files that contain malicious DLL and shortcut files. It employs different techniques to avoid detection. It can determine virtualization environment processes to prevent operating on virtual machines. Banking information, password, and identity theft are the main impact of this malware.
Bumblebee malware is designed to download and run additional payloads in order to infect computers with other malware. Bumblebee can be used to inject information stealers, cryptocurrency miners, and other malware since it is designed to drop extra payloads. The C2 (Command and Control) server is where Bumblebee gets commands. It is used by attackers to download and execute files directly, inject malicious DLLs, and create operating system persistence. This new malware is linked to a number of threat actors, including several well-known ransomware.

Impact

Credential Theft
Financial Loss
Sensitive Data Exposure

Indicators of Compromise

MD5

a3b049e8a119d332bcb97dc879b387a0
07b711458d0b4240267f7e47b50075d1

SHA-256

fe1bb5d500b07f34859f766d5c9fbb0d8ebcdda7abf393e99c0e01c05b5ca1bb
42a63fe8c0d8f9c2fa090a69d85f5e5b35beef468b58912db56c78dcde79a929

SHA-1

62b6caabbe6c66870f3c4c9b0f665d001124cb64
e2e9feb1b42562cb1f22685667f8299dcdf10042

Remediation

Block all threat indicators at your respective controls.
Search for IOCs in your environment.