win.bumblebee

BumbleBee


This malware is delivered by an ISO file containing a DLL with a custom loader. Because of the unique user-agent "bumblebee", this malware was dubbed BUMBLEBEE. At the time of analysis by Google's Threat Analysis Group (TAG), BumbleBee was observed to fetch Cobalt Strike payloads.

References
2022-09-26 | The DFIR Report | The DFIR Report
@online{report:20220926:bumblebee:bce1e92, author = {The DFIR Report}, title = {{BumbleBee: Round Two}}, date = {2022-09-26}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2022/09/26/bumblebee-round-two/}, language = {English}, urldate = {2022-09-29} } BumbleBee: Round Two
BumbleBee
2022-09-07 | cyble | Cyble
@online{cyble:20220907:bumblebee:f4baf9f, author = {Cyble}, title = {{Bumblebee Returns With New Infection Technique}}, date = {2022-09-07}, organization = {cyble}, url = {https://blog.cyble.com/2022/09/07/bumblebee-returns-with-new-infection-technique/}, language = {English}, urldate = {2022-09-16} } Bumblebee Returns With New Infection Technique
BumbleBee Cobalt Strike
2022-09-05 | Infinitum IT | Arda Büyükkaya
@online{bykkaya:20220905:bumblebee:ea43ba9, author = {Arda Büyükkaya}, title = {{Bumblebee Loader Malware Analysis}}, date = {2022-09-05}, organization = {Infinitum IT}, url = {https://www.infinitumit.com.tr/bumblebee-loader-malware-analysis/}, language = {English}, urldate = {2022-09-06} } Bumblebee Loader Malware Analysis
BumbleBee
2022-08-24 | Microsoft | Microsoft Security Experts
@online{experts:20220824:looking:599689a, author = {Microsoft Security Experts}, title = {{Looking for the ‘Sliver’ lining: Hunting for emerging command-and-control frameworks}}, date = {2022-08-24}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks}, language = {English}, urldate = {2022-08-30} } Looking for the ‘Sliver’ lining: Hunting for emerging command-and-control frameworks
BumbleBee Sliver
2022-08-24 | Deep instinct | Deep Instinct Threat Lab
@online{lab:20220824:dark:e9615d7, author = {Deep Instinct Threat Lab}, title = {{The Dark Side of Bumblebee Malware Loader}}, date = {2022-08-24}, organization = {Deep instinct}, url = {https://www.deepinstinct.com/blog/the-dark-side-of-bumblebee-malware-loader}, language = {English}, urldate = {2022-09-06} } The Dark Side of Bumblebee Malware Loader
BumbleBee
2022-08-18 | IBM | Charlotte Hammond, Ole Villadsen
@online{hammond:20220818:from:501e8ac, author = {Charlotte Hammond and Ole Villadsen}, title = {{From Ramnit To Bumblebee (via NeverQuest): Similarities and Code Overlap Shed Light On Relationships Between Malware Developers}}, date = {2022-08-18}, organization = {IBM}, url = {https://securityintelligence.com/posts/from-ramnit-to-bumblebee-via-neverquest}, language = {English}, urldate = {2022-08-28} } From Ramnit To Bumblebee (via NeverQuest): Similarities and Code Overlap Shed Light On Relationships Between Malware Developers
BumbleBee Karius Ramnit TrickBot Vawtrak
2022-08-17 | Cybereason | Cybereason Global SOC Team
@online{team:20220817:bumblebee:56dc043, author = {Cybereason Global SOC Team}, title = {{Bumblebee Loader – The High Road to Enterprise Domain Control}}, date = {2022-08-17}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control}, language = {English}, urldate = {2022-08-19} } Bumblebee Loader – The High Road to Enterprise Domain Control
BumbleBee Cobalt Strike
2022-08-10 | Weixin | Red Raindrop Team
@online{team:20220810:operation:cdad302, author = {Red Raindrop Team}, title = {{Operation(верность) mercenary: a torrent of steel trapped in the plains of Eastern Europe}}, date = {2022-08-10}, organization = {Weixin}, url = {https://mp.weixin.qq.com/s/cGS8FocPnUdBconLbbaG-g}, language = {Chinese}, urldate = {2022-08-15} } Operation(верность) mercenary: a torrent of steel trapped in the plains of Eastern Europe
BumbleBee Cobalt Strike
2022-08-08 | The DFIR Report | The DFIR Report
@online{report:20220808:bumblebee:74d81a8, author = {The DFIR Report}, title = {{BumbleBee Roasts Its Way to Domain Admin}}, date = {2022-08-08}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/}, language = {English}, urldate = {2022-08-09} } BumbleBee Roasts Its Way to Domain Admin
BumbleBee Cobalt Strike
2022-08-03 | Palo Alto Networks Unit 42 | Brad Duncan
@online{duncan:20220803:flight:a8efd82, author = {Brad Duncan}, title = {{Flight of the Bumblebee: Email Lures and File Sharing Services Lead to Malware}}, date = {2022-08-03}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/}, language = {English}, urldate = {2022-08-08} } Flight of the Bumblebee: Email Lures and File Sharing Services Lead to Malware
BazarBackdoor BumbleBee Cobalt Strike Conti
2022-07-17 | Resecurity | Resecurity
@online{resecurity:20220717:shortcutbased:6cd77fb, author = {Resecurity}, title = {{Shortcut-Based (LNK) Attacks Delivering Malicious Code On The Rise}}, date = {2022-07-17}, organization = {Resecurity}, url = {https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise}, language = {English}, urldate = {2022-07-28} } Shortcut-Based (LNK) Attacks Delivering Malicious Code On The Rise
AsyncRAT BumbleBee Emotet IcedID QakBot
2022-07-07 | IBM | Ole Villadsen, Charlotte Hammond, Kat Weinberger
@online{villadsen:20220707:unprecedented:d0a6add, author = {Ole Villadsen and Charlotte Hammond and Kat Weinberger}, title = {{Unprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine}}, date = {2022-07-07}, organization = {IBM}, url = {https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine}, language = {English}, urldate = {2022-07-12} } Unprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine
AnchorMail BumbleBee Cobalt Strike IcedID Meterpreter
2022-07-07 | Fortinet | Erin Lin
@online{lin:20220707:notable:71d2df3, author = {Erin Lin}, title = {{Notable Droppers Emerge in Recent Threat Campaigns}}, date = {2022-07-07}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/notable-droppers-emerge-in-recent-threat-campaigns}, language = {English}, urldate = {2022-07-15} } Notable Droppers Emerge in Recent Threat Campaigns
BumbleBee Emotet PhotoLoader QakBot
2022-06-28 | Symantec | Threat Hunter Team, Vishal Kamble
@online{team:20220628:bumblebee:29809dd, author = {Threat Hunter Team and Vishal Kamble}, title = {{Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem}}, date = {2022-06-28}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime}, language = {English}, urldate = {2022-07-20} } Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem
BumbleBee
2022-06-13 | Sekoia | Threat & Detection Research Team
@online{team:20220613:bumblebee:0a56342, author = {Threat & Detection Research Team}, title = {{BumbleBee: a new trendy loader for Initial Access Brokers}}, date = {2022-06-13}, organization = {Sekoia}, url = {https://blog.sekoia.io/bumblebee-a-new-trendy-loader-for-initial-access-brokers/}, language = {English}, urldate = {2022-06-17} } BumbleBee: a new trendy loader for Initial Access Brokers
BumbleBee
2022-06-07 | cyble | Cyble
@online{cyble:20220607:bumblebee:9f2dc4a, author = {Cyble}, title = {{Bumblebee Loader on The Rise}}, date = {2022-06-07}, organization = {cyble}, url = {https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/}, language = {English}, urldate = {2022-06-09} } Bumblebee Loader on The Rise
BumbleBee Cobalt Strike
2022-05-25 | Team Cymru | S2 Research Team
@online{team:20220525:bablosoft:90f50c4, author = {S2 Research Team}, title = {{Bablosoft; Lowering the Barrier of Entry for Malicious Actors}}, date = {2022-05-25}, organization = {Team Cymru}, url = {https://team-cymru.com/blog/2022/05/25/bablosoft-lowering-the-barrier-of-entry-for-malicious-actors/}, language = {English}, urldate = {2022-05-29} } Bablosoft; Lowering the Barrier of Entry for Malicious Actors
BlackGuard BumbleBee RedLine Stealer
2022-05-19 | InfoSec Handlers Diary Blog | Brad Duncan
@online{duncan:20220519:bumblebee:20c59e6, author = {Brad Duncan}, title = {{Bumblebee Malware from TransferXL URLs}}, date = {2022-05-19}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/28664}, language = {English}, urldate = {2022-05-25} } Bumblebee Malware from TransferXL URLs
BumbleBee Cobalt Strike
2022-05-12 | OALabs | Sergei Frankoff
@online{frankoff:20220512:taking:8bf052d, author = {Sergei Frankoff}, title = {{Taking a look at Bumblebee loader}}, date = {2022-05-12}, organization = {OALabs}, url = {https://research.openanalysis.net/bumblebee/malware/loader/unpacking/2022/05/12/bumblebee_loader.html}, language = {English}, urldate = {2022-05-17} } Taking a look at Bumblebee loader
BumbleBee
2022-05-12 | Intel 471 | Intel 471
@online{471:20220512:what:05369d4, author = {Intel 471}, title = {{What malware to look for if you want to prevent a ransomware attack}}, date = {2022-05-12}, organization = {Intel 471}, url = {https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike}, language = {English}, urldate = {2022-05-13} } What malware to look for if you want to prevent a ransomware attack
Conti BumbleBee Cobalt Strike IcedID Sliver
2022-05-11 | InfoSec Handlers Diary Blog | Brad Duncan
@online{duncan:20220511:ta578:0a0a686, author = {Brad Duncan}, title = {{TA578 using thread-hijacked emails to push ISO files for Bumblebee malware}}, date = {2022-05-11}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/28636}, language = {English}, urldate = {2022-05-11} } TA578 using thread-hijacked emails to push ISO files for Bumblebee malware
BumbleBee Cobalt Strike IcedID PhotoLoader
2022-05-11 | SANS ISC | Brad Duncan
@online{duncan:20220511:ta578:2128ae0, author = {Brad Duncan}, title = {{TA578 using thread-hijacked emails to push ISO files for Bumblebee malware}}, date = {2022-05-11}, organization = {SANS ISC}, url = {https://isc.sans.edu/diary/rss/28636}, language = {English}, urldate = {2022-05-17} } TA578 using thread-hijacked emails to push ISO files for Bumblebee malware
BumbleBee
2022-04-29 | NCC Group | Mike Stokkel, Nikolaos Totosis, Nikolaos Pantazopoulos
@online{stokkel:20220429:adventures:7be43ad, author = {Mike Stokkel and Nikolaos Totosis and Nikolaos Pantazopoulos}, title = {{Adventures in the land of BumbleBee – a new malicious loader}}, date = {2022-04-29}, organization = {NCC Group}, url = {https://research.nccgroup.com/2022/04/29/adventures-in-the-land-of-bumblebee-a-new-malicious-loader/}, language = {English}, urldate = {2022-04-29} } Adventures in the land of BumbleBee – a new malicious loader
BazarBackdoor BumbleBee Conti
2022-04-28 | Proofpoint | Kelsey Merriman, Pim Trouerbach
@online{merriman:20220428:this:4b5ea2a, author = {Kelsey Merriman and Pim Trouerbach}, title = {{This isn't Optimus Prime's Bumblebee but it's Still Transforming}}, date = {2022-04-28}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming}, language = {English}, urldate = {2022-04-29} } This isn't Optimus Prime's Bumblebee but it's Still Transforming
BumbleBee TA578 TA579
2022-04-28 | Bleeping Computer | Ionut Ilascu
@online{ilascu:20220428:new:b351960, author = {Ionut Ilascu}, title = {{New Bumblebee malware replaces Conti's BazarLoader in cyberattacks}}, date = {2022-04-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-bumblebee-malware-replaces-contis-bazarloader-in-cyberattacks/}, language = {English}, urldate = {2022-07-01} } New Bumblebee malware replaces Conti's BazarLoader in cyberattacks
BumbleBee
2022-04-27 | Medium elis531989 | Eli Salem
@online{salem:20220427:chronicles:c55d826, author = {Eli Salem}, title = {{The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection}}, date = {2022-04-27}, organization = {Medium elis531989}, url = {https://elis531989.medium.com/the-chronicles-of-bumblebee-the-hook-the-bee-and-the-trickbot-connection-686379311056}, language = {English}, urldate = {2022-04-29} } The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection
BumbleBee TrickBot
2022-04-14 | Cynet | Max Malyutin
@online{malyutin:20220414:orion:9db6814, author = {Max Malyutin}, title = {{Orion Threat Alert: Flight of the BumbleBee}}, date = {2022-04-14}, organization = {Cynet}, url = {https://www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/}, language = {English}, urldate = {2022-05-04} } Orion Threat Alert: Flight of the BumbleBee
BumbleBee Cobalt Strike
2022-03-17 | Google | Vladislav Stolyarov, Benoit Sevens, Google Threat Analysis Group
@online{stolyarov:20220317:exposing:f818c6d, author = {Vladislav Stolyarov and Benoit Sevens and Google Threat Analysis Group}, title = {{Exposing initial access broker with ties to Conti}}, date = {2022-03-17}, organization = {Google}, url = {https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/}, language = {English}, urldate = {2022-03-18} } Exposing initial access broker with ties to Conti
BazarBackdoor BumbleBee Cobalt Strike Conti
2022-03-17 | Google | Vladislav Stolyarov, Benoit Sevens
@online{stolyarov:20220317:exposing:5f565b6, author = {Vladislav Stolyarov and Benoit Sevens}, title = {{Exposing initial access broker with ties to Conti}}, date = {2022-03-17}, organization = {Google}, url = {https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti}, language = {English}, urldate = {2022-05-17} } Exposing initial access broker with ties to Conti
BazarBackdoor BumbleBee Conti EXOTIC LILY
Yara Rules
[TLP:WHITE] win_bumblebee_auto (20220808 | Detects win.bumblebee.)
rule win_bumblebee_auto {

    /*
     * Purpose: flag BumbleBee (win.bumblebee) code by matching short
     * instruction-byte sequences that yara-signator selected from the
     * disassembly of memory dumps and unpacked files (see DISCLAIMER below).
     *
     * Reading the strings section:
     *   - Each $sequence_N is a run of 6-7 consecutive instructions given as
     *     raw bytes. In the trailing comment, "n" is the instruction count and
     *     "score" is the generator's ranking value (its scale is not
     *     documented here).
     *   - "e8????????" is a CALL whose 4-byte relative displacement is
     *     wildcarded, because that displacement differs between builds and
     *     link layouts.
     *   - NOTE(review): the per-line disassembly annotations do not appear to
     *     line up with the bytes on the same line (e.g. "668908" is annotated
     *     as a mov to [ebp + 0x28], and the 0x48/0x4c REX prefixes of 64-bit
     *     code show up as 32-bit "dec eax"/"dec esp"). Treat those annotations
     *     as informational only; the hex bytes are what the rule matches.
     *
     * Coverage caveat: because the sequences come from memory dumps and
     * unpacked files, expect hits on unpacked or in-memory code; a packed
     * on-disk sample may not match.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.bumblebee."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bumblebee"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 668908 4c8975af 4c8975b7 48c745b70f000000 4c8975af c6459f00 803b00 }
            // n = 7, score = 1400
            //   668908               | mov                 dword ptr [ebp + 0x28], edi
            //   4c8975af             | test                eax, eax
            //   4c8975b7             | je                  0x73d
            //   48c745b70f000000     | dec                 eax
            //   4c8975af             | mov                 dword ptr [esp + 0x68], esi
            //   c6459f00             | dec                 eax
            //   803b00               | lea                 ecx, [0x44c89]

        $sequence_1 = { 48ba0026000001000000 488b4c2428 0f1f00 0fb601 3c20 7714 480fbec0 }
            // n = 7, score = 1400
            //   48ba0026000001000000     | dec    eax
            //   488b4c2428           | lea                 edx, [0x1212d5]
            //   0f1f00               | dec                 eax
            //   0fb601               | mov                 ecx, ebx
            //   3c20                 | dec                 esp
            //   7714                 | mov                 eax, edi
            //   480fbec0             | dec                 eax

        $sequence_2 = { b90e000780 e8???????? 90 488b4c2450 488b01 4c8d45d8 488b13 }
            // n = 7, score = 1400
            //   b90e000780           | lea                 eax, [edx - 0x4c]
            //   e8????????           |                     
            //   90                   | jne                 0xb52
            //   488b4c2450           | mov                 edx, 0x196
            //   488b01               | inc                 ecx
            //   4c8d45d8             | mov                 dword ptr [ecx], 0x28
            //   488b13               | dec                 esp

        $sequence_3 = { c744242000000000 488d442430 4889442470 488bd1 488d4c2430 e8???????? 90 }
            // n = 7, score = 1400
            //   c744242000000000     | add                 dword ptr [ebx + 0x18], 2
            //   488d442430           | or                  edi, 0xffffffff
            //   4889442470           | dec                 ebp
            //   488bd1               | mov                 esp, eax
            //   488d4c2430           | dec                 eax
            //   e8????????           |                     
            //   90                   | mov                 esi, edx

        $sequence_4 = { e8???????? cc 488bde 48895d60 4885db 750b b90e000780 }
            // n = 7, score = 1400
            //   e8????????           |                     
            //   cc                   | dec                 eax
            //   488bde               | lea                 eax, [0x19e844]
            //   48895d60             | dec                 eax
            //   4885db               | mov                 dword ptr [ebx], eax
            //   750b                 | dec                 eax
            //   b90e000780           | lea                 eax, [0x19e882]

        $sequence_5 = { 7541 4533f6 418bfe 0f1f8000000000 498d4dff 49d3e6 4d03f6 }
            // n = 7, score = 1400
            //   7541                 | dec                 esp
            //   4533f6               | lea                 ecx, [0x12107d]
            //   418bfe               | mov                 dword ptr [esp + 0x20], 0x52
            //   0f1f8000000000       | lea                 edx, [eax + 0x6a]
            //   498d4dff             | lea                 ecx, [eax + 4]
            //   49d3e6               | inc                 esp
            //   4d03f6               | lea                 eax, [eax + 0x41]

        $sequence_6 = { 90 488b4c2458 488b01 488b13 ff90b8000000 90 418bc6 }
            // n = 7, score = 1400
            //   90                   | inc                 ecx
            //   488b4c2458           | mov                 eax, 0x11
            //   488b01               | dec                 eax
            //   488b13               | lea                 edx, [0x7107b]
            //   ff90b8000000         | jmp                 0x1a96
            //   90                   | inc                 ecx
            //   418bc6               | cmp                 eax, 4

        $sequence_7 = { 7410 488b4608 4889442428 48895c2420 eb12 48c744242000000000 }
            // n = 6, score = 1400
            //   7410                 | dec                 esp
            //   488b4608             | lea                 esi, [0x111a71]
            //   4889442428           | inc                 esp
            //   48895c2420           | mov                 edx, eax
            //   eb12                 | dec                 eax
            //   48c744242000000000     | mov    edi, edx

        $sequence_8 = { 7404 48896f08 48895f08 4885db 740a 488b03 488bcb }
            // n = 7, score = 1400
            //   7404                 | je                  0x60b
            //   48896f08             | nop                 dword ptr [eax]
            //   48895f08             | dec                 eax
            //   4885db               | dec                 ecx
            //   740a                 | inc                 ebp
            //   488b03               | movzx               ecx, byte ptr [eax]
            //   488bcb               | dec                 esp

        $sequence_9 = { 7244 488b03 eb42 4885ff 75eb 48897910 4883791810 }
            // n = 7, score = 1400
            //   7244                 | mov                 dword ptr [esp + 0x98], edi
            //   488b03               | dec                 esp
            //   eb42                 | arpl                ax, di
            //   4885ff               | dec                 eax
            //   75eb                 | lea                 edx, [0x75a4f]
            //   48897910             | dec                 ecx
            //   4883791810           | mov                 ecx, edi

    condition:
        // Require 7 of the 10 sequences, so a few sequences that drift between
        // builds do not break the match; the filesize cap (4825088 bytes,
        // roughly 4.6 MiB) presumably bounds scan cost and skips oversized
        // files, and is a tuning value rather than a property of the family.
        7 of them and filesize < 4825088
}
[TLP:WHITE] win_bumblebee_w0   (20220330 | BumbleBee / win.bumblebee)
rule win_bumblebee_w0 {
    /*
     * Purpose: hand-written BumbleBee (win.bumblebee) rule that matches two
     * raw byte sequences; reference_md5 presumably identifies the sample they
     * were taken from - verify against the referenced sample.
     *
     * Reading the strings section:
     *   - The string names look like the virtual addresses the bytes were
     *     lifted from (0x140001d53, 0x18000927a) - TODO confirm.
     *   - Both sequences keep fixed displacements (e.g. "8b 05 06 44 00 00",
     *     "e8 cc cc ff ff") instead of wildcarding them, so they presumably
     *     hold only for this build; a rebuilt sample may need the bytes
     *     refreshed.
     *   - malpedia_hash is published empty here and is left as-is.
     *
     * Condition: "any of them" fires on either sequence alone and there is no
     * filesize bound, so one matching sequence is the whole signal.
     */
    meta:
        author = "@AndreGironda"
        description = "BumbleBee / win.bumblebee"
        reference_md5 = "e6a046d1baa7cd2100bdf48102b8a144"
	    date = "March 29, 2022"
	    tlp = "White"

    malpedia_rule_date = "20220330"
    malpedia_hash = ""
	malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bumblebee"
	malpedia_version = "20220330"
	malpedia_license = "CC BY-NC-SA 4.0"
	malpedia_sharing = "TLP:WHITE"
    strings:
	// NOTE(review): "48 8b 05 <disp32>" is a RIP-relative load; the fixed
	// displacement ties this sequence to one code layout.
	$hex_140001d53 = { 48 8b 05 06 44 00 00 41 81 ea 06 28 00 00 49 31 80 48 02 00 00 49 8b 80 c8 00 00 00 48 05 28 01 00 00 48 01 41 08 49 8b }
	// NOTE(review): the two "e8 xx xx xx xx" CALLs carry fixed relative
	// displacements, unlike the wildcarded calls in generated rules.
	$hex_18000927a = { 48 8d 4c 24 50 e8 cc cc ff ff 90 4c 8d 45 b0 48 8d 54 24 50 48 8d 8d 00 01 00 00 e8 26 d3 ff ff 90 48 8b 44 24 68 48 83 f8 10 72 4a 48 ff c0 48 }
    condition:
        // Either sequence alone is sufficient; no filesize bound is applied.
        any of them
}