win.bumblebee

BumbleBee

aka: COLDTRAIN, SHELLSTING, Shindig

Actor(s): TA578, TA579


This malware is delivered via an ISO file containing a DLL with a custom loader. Because of its unique user-agent "bumblebee", the malware was dubbed BUMBLEBEE. At the time of analysis by Google's Threat Analysis Group (TAG), BumbleBee was observed fetching Cobalt Strike payloads.

References
2023-04-20SecureworksCounter Threat Unit ResearchTeam
@online{researchteam:20230420:bumblebee:c69430d, author = {Counter Threat Unit ResearchTeam}, title = {{Bumblebee Malware Distributed Via Trojanized Installer Downloads}}, date = {2023-04-20}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/bumblebee-malware-distributed-via-trojanized-installer-downloads}, language = {English}, urldate = {2023-04-22} } Bumblebee Malware Distributed Via Trojanized Installer Downloads
BumbleBee Cobalt Strike
2023-04-18Twitter (@threatinsight)Threat Insight
@online{insight:20230418:ta581:745cfb5, author = {Threat Insight}, title = {{Tweet on TA581 using Keitaro TDS URL to download a .MSI file to deliver BumbleBee malware}}, date = {2023-04-18}, organization = {Twitter (@threatinsight)}, url = {https://twitter.com/threatinsight/status/1648330456364883968}, language = {English}, urldate = {2023-04-22} } Tweet on TA581 using Keitaro TDS URL to download a .MSI file to deliver BumbleBee malware
BumbleBee
2023-04-16YouTube (botconf eu)Suweera De Souza, Crowdstrike Technical Analysis Cell (TAC)
@online{souza:20230416:tracking:62b0316, author = {Suweera De Souza and Crowdstrike Technical Analysis Cell (TAC)}, title = {{Tracking Bumblebee’s Development}}, date = {2023-04-16}, organization = {YouTube (botconf eu)}, url = {https://www.youtube.com/watch?v=JoKJNfLAc0Y}, language = {English}, urldate = {2023-04-22} } Tracking Bumblebee’s Development
BumbleBee
2023-04-16BotconfSuweera De Souza
@techreport{souza:20230416:tracking:3b8d89c, author = {Suweera De Souza}, title = {{Tracking Bumblebee’s Development}}, date = {2023-04-16}, institution = {Botconf}, url = {https://www.botconf.eu/wp-content/uploads/formidable/2/2023_4889_DESOUZA.pdf}, language = {English}, urldate = {2023-05-23} } Tracking Bumblebee’s Development
BumbleBee
2023-04-12SpamhausSpamhaus Malware Labs
@techreport{labs:20230412:spamhaus:aa309d1, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q1 2023}}, date = {2023-04-12}, institution = {Spamhaus}, url = {https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf}, language = {English}, urldate = {2023-04-18} } Spamhaus Botnet Threat Update Q1 2023
FluBot Amadey AsyncRAT Aurora Ave Maria BumbleBee Cobalt Strike DCRat Emotet IcedID ISFB NjRAT QakBot RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee Vidar
2023-04-11SEC ConsultAngelo Violetti
@online{violetti:20230411:bumblebee:e09680b, author = {Angelo Violetti}, title = {{BumbleBee hunting with a Velociraptor}}, date = {2023-04-11}, organization = {SEC Consult}, url = {https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/}, language = {English}, urldate = {2023-04-14} } BumbleBee hunting with a Velociraptor
BumbleBee
2023-03-29KrakzPierre Le Bourhis
@online{bourhis:20230329:bumblebee:2cb17f7, author = {Pierre Le Bourhis}, title = {{BumbleBee notes}}, date = {2023-03-29}, organization = {Krakz}, url = {https://blog.krakz.fr/articles/bumblebee/}, language = {English}, urldate = {2023-04-06} } BumbleBee notes
BumbleBee
2023-03-28CerberoErik Pistelli
@online{pistelli:20230328:reversing:6838d55, author = {Erik Pistelli}, title = {{Reversing Complex PowerShell Malware}}, date = {2023-03-28}, organization = {Cerbero}, url = {https://blog.cerbero.io/?p=2617}, language = {English}, urldate = {2023-04-03} } Reversing Complex PowerShell Malware
BumbleBee
2023-03-04 0xToxin Labs @0xToxin
@online{0xtoxin:20230304:bumblebee:810e7fc, author = {@0xToxin}, title = {{Bumblebee DocuSign Campaign}}, date = {2023-03-04}, organization = {0xToxin Labs}, url = {https://0xtoxin.github.io/malware%20analysis/Bumblebee-DocuSign-Campaign/}, language = {English}, urldate = {2023-05-17} } Bumblebee DocuSign Campaign
BumbleBee
2023-02-03MandiantKimberly Goody, Genevieve Stark
@online{goody:20230203:float:5150a2b, author = {Kimberly Goody and Genevieve Stark}, title = {{Float Like a Butterfly Sting Like a Bee}}, date = {2023-02-03}, organization = {Mandiant}, url = {https://www.youtube.com/watch?v=pIXl79IPkLI}, language = {English}, urldate = {2023-02-21} } Float Like a Butterfly Sting Like a Bee
BazarBackdoor BumbleBee Cobalt Strike
2023-01-19CiscoGuilherme Venere
@online{venere:20230119:following:c60f349, author = {Guilherme Venere}, title = {{Following the LNK metadata trail}}, date = {2023-01-19}, organization = {Cisco}, url = {https://blog.talosintelligence.com/following-the-lnk-metadata-trail}, language = {English}, urldate = {2023-04-06} } Following the LNK metadata trail
BumbleBee PhotoLoader QakBot
2023-01-09IntrinsecIntrinsec, CTI Intrinsec
@online{intrinsec:20230109:emotet:202716f, author = {Intrinsec and CTI Intrinsec}, title = {{Emotet returns and deploys loaders}}, date = {2023-01-09}, organization = {Intrinsec}, url = {https://www.intrinsec.com/emotet-returns-and-deploys-loaders/}, language = {English}, urldate = {2023-01-10} } Emotet returns and deploys loaders
BumbleBee Emotet IcedID
2022-11-16ProofpointPim Trouerbach, Axel F
@online{trouerbach:20221116:comprehensive:8278b4e, author = {Pim Trouerbach and Axel F}, title = {{A Comprehensive Look at Emotet Virus’ Fall 2022 Return}}, date = {2022-11-16}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-fall-2022-return}, language = {English}, urldate = {2022-12-29} } A Comprehensive Look at Emotet Virus’ Fall 2022 Return
BumbleBee Emotet IcedID
2022-11-10IntezerNicole Fishbein
@online{fishbein:20221110:how:6b334be, author = {Nicole Fishbein}, title = {{How LNK Files Are Abused by Threat Actors}}, date = {2022-11-10}, organization = {Intezer}, url = {https://www.intezer.com/blog/malware-analysis/how-threat-actors-abuse-lnk-files/}, language = {English}, urldate = {2022-11-11} } How LNK Files Are Abused by Threat Actors
BumbleBee Emotet Mount Locker QakBot
2022-10-27MicrosoftMicrosoft Security Threat Intelligence
@online{intelligence:20221027:raspberry:b6d1ce4, author = {Microsoft Security Threat Intelligence}, title = {{Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity}}, date = {2022-10-27}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/}, language = {English}, urldate = {2023-03-13} } Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity
FAKEUPDATES BumbleBee Fauppod PhotoLoader Raspberry Robin Roshtyak
2022-10-13SpamhausSpamhaus Malware Labs
@techreport{labs:20221013:spamhaus:43e3190, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q3 2022}}, date = {2022-10-13}, institution = {Spamhaus}, url = {https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf}, language = {English}, urldate = {2022-12-29} } Spamhaus Botnet Threat Update Q3 2022
FluBot Arkei Stealer AsyncRAT Ave Maria BumbleBee Cobalt Strike DCRat Dridex Emotet Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT QakBot RecordBreaker RedLine Stealer Remcos Socelars Tofsee Vjw0rm
2022-10-06Twitter (@ESETresearch)ESET Research
@online{research:20221006:bumblebee:bd949dd, author = {ESET Research}, title = {{Tweet on Bumblebee being modularized like trickbot}}, date = {2022-10-06}, organization = {Twitter (@ESETresearch)}, url = {https://twitter.com/ESETresearch/status/1577963080096555008}, language = {English}, urldate = {2022-10-10} } Tweet on Bumblebee being modularized like trickbot
BumbleBee
2022-10-03Check PointMarc Salinas Fernandez
@online{fernandez:20221003:bumblebee:25732bf, author = {Marc Salinas Fernandez}, title = {{Bumblebee: increasing its capacity and evolving its TTPs}}, date = {2022-10-03}, organization = {Check Point}, url = {https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/}, language = {English}, urldate = {2022-10-07} } Bumblebee: increasing its capacity and evolving its TTPs
BumbleBee Cobalt Strike Meterpreter Sliver Vidar
2022-09-26The DFIR ReportThe DFIR Report
@online{report:20220926:bumblebee:bce1e92, author = {The DFIR Report}, title = {{BumbleBee: Round Two}}, date = {2022-09-26}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2022/09/26/bumblebee-round-two/}, language = {English}, urldate = {2022-10-04} } BumbleBee: Round Two
BumbleBee Cobalt Strike Meterpreter
2022-09-07cybleCyble
@online{cyble:20220907:bumblebee:f4baf9f, author = {Cyble}, title = {{Bumblebee Returns With New Infection Technique}}, date = {2022-09-07}, organization = {cyble}, url = {https://blog.cyble.com/2022/09/07/bumblebee-returns-with-new-infection-technique/}, language = {English}, urldate = {2022-09-16} } Bumblebee Returns With New Infection Technique
BumbleBee Cobalt Strike
2022-09-05Infinitum ITArda Büyükkaya
@online{bykkaya:20220905:bumblebee:ea43ba9, author = {Arda Büyükkaya}, title = {{Bumblebee Loader Malware Analysis}}, date = {2022-09-05}, organization = {Infinitum IT}, url = {https://www.infinitumit.com.tr/bumblebee-loader-malware-analysis/}, language = {English}, urldate = {2022-09-06} } Bumblebee Loader Malware Analysis
BumbleBee
2022-08-24MicrosoftMicrosoft Security Experts
@online{experts:20220824:looking:599689a, author = {Microsoft Security Experts}, title = {{Looking for the ‘Sliver’ lining: Hunting for emerging command-and-control frameworks}}, date = {2022-08-24}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks}, language = {English}, urldate = {2022-08-30} } Looking for the ‘Sliver’ lining: Hunting for emerging command-and-control frameworks
BumbleBee Sliver
2022-08-24Deep instinctDeep Instinct Threat Lab
@online{lab:20220824:dark:e9615d7, author = {Deep Instinct Threat Lab}, title = {{The Dark Side of Bumblebee Malware Loader}}, date = {2022-08-24}, organization = {Deep instinct}, url = {https://www.deepinstinct.com/blog/the-dark-side-of-bumblebee-malware-loader}, language = {English}, urldate = {2022-09-06} } The Dark Side of Bumblebee Malware Loader
BumbleBee
2022-08-18IBMCharlotte Hammond, Ole Villadsen
@online{hammond:20220818:from:501e8ac, author = {Charlotte Hammond and Ole Villadsen}, title = {{From Ramnit To Bumblebee (via NeverQuest): Similarities and Code Overlap Shed Light On Relationships Between Malware Developers}}, date = {2022-08-18}, organization = {IBM}, url = {https://securityintelligence.com/posts/from-ramnit-to-bumblebee-via-neverquest}, language = {English}, urldate = {2022-08-28} } From Ramnit To Bumblebee (via NeverQuest): Similarities and Code Overlap Shed Light On Relationships Between Malware Developers
BumbleBee Karius Ramnit TrickBot Vawtrak
2022-08-17CybereasonCybereason Global SOC Team
@online{team:20220817:bumblebee:56dc043, author = {Cybereason Global SOC Team}, title = {{Bumblebee Loader – The High Road to Enterprise Domain Control}}, date = {2022-08-17}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control}, language = {English}, urldate = {2022-08-19} } Bumblebee Loader – The High Road to Enterprise Domain Control
BumbleBee Cobalt Strike
2022-08-10WeixinRed Raindrop Team
@online{team:20220810:operation:cdad302, author = {Red Raindrop Team}, title = {{Operation(верность) mercenary: a torrent of steel trapped in the plains of Eastern Europe}}, date = {2022-08-10}, organization = {Weixin}, url = {https://mp.weixin.qq.com/s/cGS8FocPnUdBconLbbaG-g}, language = {Chinese}, urldate = {2022-08-15} } Operation(верность) mercenary: a torrent of steel trapped in the plains of Eastern Europe
BumbleBee Cobalt Strike
2022-08-08The DFIR ReportThe DFIR Report
@online{report:20220808:bumblebee:74d81a8, author = {The DFIR Report}, title = {{BumbleBee Roasts Its Way to Domain Admin}}, date = {2022-08-08}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/}, language = {English}, urldate = {2022-08-09} } BumbleBee Roasts Its Way to Domain Admin
BumbleBee Cobalt Strike
2022-08-04CloudsekAnandeshwar Unnikrishnan, Aastha Mittal
@online{unnikrishnan:20220804:technical:f03f8fa, author = {Anandeshwar Unnikrishnan and Aastha Mittal}, title = {{Technical Analysis of Bumblebee Malware Loader}}, date = {2022-08-04}, organization = {Cloudsek}, url = {https://cloudsek.com/technical-analysis-of-bumblebee-malware-loader/}, language = {English}, urldate = {2022-10-24} } Technical Analysis of Bumblebee Malware Loader
BumbleBee
2022-08-03Palo Alto Networks Unit 42Brad Duncan
@online{duncan:20220803:flight:a8efd82, author = {Brad Duncan}, title = {{Flight of the Bumblebee: Email Lures and File Sharing Services Lead to Malware}}, date = {2022-08-03}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/}, language = {English}, urldate = {2022-08-08} } Flight of the Bumblebee: Email Lures and File Sharing Services Lead to Malware
BazarBackdoor BumbleBee Cobalt Strike Conti
2022-07-17ResecurityResecurity
@online{resecurity:20220717:shortcutbased:6cd77fb, author = {Resecurity}, title = {{Shortcut-Based (LNK) Attacks Delivering Malicious Code On The Rise}}, date = {2022-07-17}, organization = {Resecurity}, url = {https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise}, language = {English}, urldate = {2022-07-28} } Shortcut-Based (LNK) Attacks Delivering Malicious Code On The Rise
AsyncRAT BumbleBee Emotet IcedID QakBot
2022-07-07IBMOle Villadsen, Charlotte Hammond, Kat Weinberger
@online{villadsen:20220707:unprecedented:d0a6add, author = {Ole Villadsen and Charlotte Hammond and Kat Weinberger}, title = {{Unprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine}}, date = {2022-07-07}, organization = {IBM}, url = {https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine}, language = {English}, urldate = {2022-07-12} } Unprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine
AnchorMail BumbleBee Cobalt Strike IcedID Meterpreter
2022-07-07FortinetErin Lin
@online{lin:20220707:notable:71d2df3, author = {Erin Lin}, title = {{Notable Droppers Emerge in Recent Threat Campaigns}}, date = {2022-07-07}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/notable-droppers-emerge-in-recent-threat-campaigns}, language = {English}, urldate = {2022-07-15} } Notable Droppers Emerge in Recent Threat Campaigns
BumbleBee Emotet PhotoLoader QakBot
2022-06-28SymantecThreat Hunter Team, Vishal Kamble
@online{team:20220628:bumblebee:29809dd, author = {Threat Hunter Team and Vishal Kamble}, title = {{Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem}}, date = {2022-06-28}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime}, language = {English}, urldate = {2022-07-20} } Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem
BumbleBee
2022-06-14RiskIQJordan Herman
@online{herman:20220614:riskiq:2007c54, author = {Jordan Herman}, title = {{RiskIQ: Identifying BumbleBee Command and Control Servers}}, date = {2022-06-14}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/0b211905/description}, language = {English}, urldate = {2023-04-06} } RiskIQ: Identifying BumbleBee Command and Control Servers
BumbleBee
2022-06-13SekoiaThreat & Detection Research Team
@online{team:20220613:bumblebee:0a56342, author = {Threat & Detection Research Team}, title = {{BumbleBee: a new trendy loader for Initial Access Brokers}}, date = {2022-06-13}, organization = {Sekoia}, url = {https://blog.sekoia.io/bumblebee-a-new-trendy-loader-for-initial-access-brokers/}, language = {English}, urldate = {2022-06-17} } BumbleBee: a new trendy loader for Initial Access Brokers
BumbleBee
2022-06-07cybleCyble
@online{cyble:20220607:bumblebee:9f2dc4a, author = {Cyble}, title = {{Bumblebee Loader on The Rise}}, date = {2022-06-07}, organization = {cyble}, url = {https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/}, language = {English}, urldate = {2022-06-09} } Bumblebee Loader on The Rise
BumbleBee Cobalt Strike
2022-05-25Team CymruS2 Research Team
@online{team:20220525:bablosoft:90f50c4, author = {S2 Research Team}, title = {{Bablosoft; Lowering the Barrier of Entry for Malicious Actors}}, date = {2022-05-25}, organization = {Team Cymru}, url = {https://team-cymru.com/blog/2022/05/25/bablosoft-lowering-the-barrier-of-entry-for-malicious-actors/}, language = {English}, urldate = {2022-05-29} } Bablosoft; Lowering the Barrier of Entry for Malicious Actors
BlackGuard BumbleBee RedLine Stealer
2022-05-25LogpointLogpoint
@techreport{logpoint:20220525:buzz:13c148a, author = {Logpoint}, title = {{Buzz of the Bumblebee – A new malicious loader}}, date = {2022-05-25}, institution = {Logpoint}, url = {https://www.logpoint.com/wp-content/uploads/2022/05/buzz-of-the-bumblebee-a-new-malicious-loader-threat-report-no-3.pdf}, language = {English}, urldate = {2023-04-06} } Buzz of the Bumblebee – A new malicious loader
BumbleBee
2022-05-19InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20220519:bumblebee:20c59e6, author = {Brad Duncan}, title = {{Bumblebee Malware from TransferXL URLs}}, date = {2022-05-19}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/28664}, language = {English}, urldate = {2022-05-25} } Bumblebee Malware from TransferXL URLs
BumbleBee Cobalt Strike
2022-05-19InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20220519:bumblebee:0703c7d, author = {Brad Duncan}, title = {{Bumblebee Malware from TransferXL URLs}}, date = {2022-05-19}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/Bumblebee+Malware+from+TransferXL+URLs/28664}, language = {English}, urldate = {2023-04-06} } Bumblebee Malware from TransferXL URLs
BumbleBee Cobalt Strike
2022-05-12OALabsSergei Frankoff
@online{frankoff:20220512:taking:8bf052d, author = {Sergei Frankoff}, title = {{Taking a look at Bumblebee loader}}, date = {2022-05-12}, organization = {OALabs}, url = {https://research.openanalysis.net/bumblebee/malware/loader/unpacking/2022/05/12/bumblebee_loader.html}, language = {English}, urldate = {2022-05-17} } Taking a look at Bumblebee loader
BumbleBee
2022-05-12Intel 471Intel 471
@online{471:20220512:what:05369d4, author = {Intel 471}, title = {{What malware to look for if you want to prevent a ransomware attack}}, date = {2022-05-12}, organization = {Intel 471}, url = {https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike}, language = {English}, urldate = {2022-05-13} } What malware to look for if you want to prevent a ransomware attack
Conti BumbleBee Cobalt Strike IcedID Sliver
2022-05-11InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20220511:ta578:0a0a686, author = {Brad Duncan}, title = {{TA578 using thread-hijacked emails to push ISO files for Bumblebee malware}}, date = {2022-05-11}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/28636}, language = {English}, urldate = {2022-05-11} } TA578 using thread-hijacked emails to push ISO files for Bumblebee malware
BumbleBee Cobalt Strike IcedID PhotoLoader
2022-05-11SANS ISCBrad Duncan
@online{duncan:20220511:ta578:2128ae0, author = {Brad Duncan}, title = {{TA578 using thread-hijacked emails to push ISO files for Bumblebee malware}}, date = {2022-05-11}, organization = {SANS ISC}, url = {https://isc.sans.edu/diary/rss/28636}, language = {English}, urldate = {2022-05-17} } TA578 using thread-hijacked emails to push ISO files for Bumblebee malware
BumbleBee
2022-05-08Threat hunting with hints of incident responseJouni Mikkola
@online{mikkola:20220508:bzz:ee88973, author = {Jouni Mikkola}, title = {{Bzz.. Bzz.. Bumblebee loader}}, date = {2022-05-08}, organization = {Threat hunting with hints of incident response}, url = {https://threathunt.blog/bzz-bzz-bumblebee-loader}, language = {English}, urldate = {2023-04-06} } Bzz.. Bzz.. Bumblebee loader
BumbleBee
2022-04-29NCC GroupMike Stokkel, Nikolaos Totosis, Nikolaos Pantazopoulos
@online{stokkel:20220429:adventures:7be43ad, author = {Mike Stokkel and Nikolaos Totosis and Nikolaos Pantazopoulos}, title = {{Adventures in the land of BumbleBee – a new malicious loader}}, date = {2022-04-29}, organization = {NCC Group}, url = {https://research.nccgroup.com/2022/04/29/adventures-in-the-land-of-bumblebee-a-new-malicious-loader/}, language = {English}, urldate = {2022-04-29} } Adventures in the land of BumbleBee – a new malicious loader
BazarBackdoor BumbleBee Conti
2022-04-28ProofpointKelsey Merriman, Pim Trouerbach
@online{merriman:20220428:this:4b5ea2a, author = {Kelsey Merriman and Pim Trouerbach}, title = {{This isn't Optimus Prime's Bumblebee but it's Still Transforming}}, date = {2022-04-28}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming}, language = {English}, urldate = {2022-04-29} } This isn't Optimus Prime's Bumblebee but it's Still Transforming
BumbleBee TA578 TA579
2022-04-28Bleeping ComputerIonut Ilascu
@online{ilascu:20220428:new:b351960, author = {Ionut Ilascu}, title = {{New Bumblebee malware replaces Conti's BazarLoader in cyberattacks}}, date = {2022-04-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-bumblebee-malware-replaces-contis-bazarloader-in-cyberattacks/}, language = {English}, urldate = {2022-07-01} } New Bumblebee malware replaces Conti's BazarLoader in cyberattacks
BumbleBee
2022-04-27Medium elis531989Eli Salem
@online{salem:20220427:chronicles:c55d826, author = {Eli Salem}, title = {{The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection}}, date = {2022-04-27}, organization = {Medium elis531989}, url = {https://elis531989.medium.com/the-chronicles-of-bumblebee-the-hook-the-bee-and-the-trickbot-connection-686379311056}, language = {English}, urldate = {2022-04-29} } The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection
BumbleBee TrickBot
2022-04-14CynetMax Malyutin
@online{malyutin:20220414:orion:9db6814, author = {Max Malyutin}, title = {{Orion Threat Alert: Flight of the BumbleBee}}, date = {2022-04-14}, organization = {Cynet}, url = {https://www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/}, language = {English}, urldate = {2022-05-04} } Orion Threat Alert: Flight of the BumbleBee
BumbleBee Cobalt Strike
2022-03-17GoogleVladislav Stolyarov, Benoit Sevens, Google Threat Analysis Group
@online{stolyarov:20220317:exposing:f818c6d, author = {Vladislav Stolyarov and Benoit Sevens and Google Threat Analysis Group}, title = {{Exposing initial access broker with ties to Conti}}, date = {2022-03-17}, organization = {Google}, url = {https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/}, language = {English}, urldate = {2022-03-18} } Exposing initial access broker with ties to Conti
BazarBackdoor BumbleBee Cobalt Strike Conti
2022-03-17GoogleVladislav Stolyarov, Benoit Sevens
@online{stolyarov:20220317:exposing:5f565b6, author = {Vladislav Stolyarov and Benoit Sevens}, title = {{Exposing initial access broker with ties to Conti}}, date = {2022-03-17}, organization = {Google}, url = {https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti}, language = {English}, urldate = {2022-05-17} } Exposing initial access broker with ties to Conti
BazarBackdoor BumbleBee Conti EXOTIC LILY
2022 aspirets Michael Lamb
@online{lamb:2022:bumblebee:133c06b, author = {Michael Lamb}, title = {{Bumblebee Malware Loader: Threat Analysis}}, date = {2022}, organization = {aspirets}, url = {https://www.aspirets.com/blog/bumblebee-malware-loader-threat-analysis/}, language = {English}, urldate = {2023-04-06} } Bumblebee Malware Loader: Threat Analysis
BumbleBee
2021-09-10GigamonJoe Slowik
@online{slowik:20210910:rendering:59082b0, author = {Joe Slowik}, title = {{Rendering Threats: A Network Perspective}}, date = {2021-09-10}, organization = {Gigamon}, url = {https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/}, language = {English}, urldate = {2023-04-06} } Rendering Threats: A Network Perspective
BumbleBee Cobalt Strike
2021-09-09Trend MicroTrend Micro
@online{micro:20210909:remote:17382af, author = {Trend Micro}, title = {{Remote Code Execution 0-Day (CVE-2021-40444) Hits Windows, Triggered Via Office Docs}}, date = {2021-09-09}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/i/remote-code-execution-zero-day--cve-2021-40444--hits-windows--tr.html}, language = {English}, urldate = {2023-04-06} } Remote Code Execution 0-Day (CVE-2021-40444) Hits Windows, Triggered Via Office Docs
BumbleBee Cobalt Strike
Yara Rules
[TLP:WHITE] win_bumblebee_auto (20230407 | Detects win.bumblebee.)
rule win_bumblebee_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.bumblebee."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bumblebee"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    // Provenance: every byte sequence below was picked automatically by
    // YARA-Signator (https://github.com/fxb-cocacoding/yara-signator) from
    // the disassembly of memory dumps and unpacked files. Malpedia is the
    // data source, and for many families only a single sample is available,
    // so the sequences may generalize poorly to other builds. Keep the
    // generation method in mind when assigning a confidence level to hits.
    //
    // Each "n" is the number of instructions in the sequence and "score" is
    // the generator's ranking of it. The generator's per-instruction
    // disassembly was left out on purpose: it did not correspond to the
    // listed opcodes (64-bit code with 0x48 REX prefixes was shown decoded
    // as 32-bit "dec eax" etc.), so only the hex bytes define the match.
    // "??" is a one-byte wildcard standing in for relocated call/data
    // displacements.

    strings:
        // n = 5, score = 2300
        $sequence_0 = { 8B DD 48 89 5C 24 58 48 8B 4A 08 48 85 C9 74 43 }

        // n = 4, score = 2300
        $sequence_1 = { 33 C0 89 04 24 48 89 02 48 89 42 08 }

        // n = 4, score = 2300
        $sequence_2 = { 48 8B 4D C8 E8 ?? ?? ?? ?? 48 8B 4D C8 49 89 4D 00 }

        // n = 4, score = 2300
        $sequence_3 = { E8 ?? ?? ?? ?? 48 85 DB 74 10 48 8B 46 08 }

        // n = 7, score = 2300 (superset of $sequence_0's tail)
        $sequence_4 = { 48 89 5C 24 58 48 8B 4A 08 48 85 C9 74 43 48 8B 01 48 8D 54 24 50 FF 50 28 }

        // n = 4, score = 2300
        $sequence_5 = { 85 C0 74 0D 83 65 00 FE 48 8B 4D 48 }

        // n = 4, score = 2300
        $sequence_6 = { 74 10 48 8B 4D 48 49 89 0E EB 0B }

        // n = 7, score = 2300
        $sequence_7 = { 48 83 EC 38 48 C7 44 24 20 FE FF FF FF 83 C8 FF F0 0F C1 05 ?? ?? ?? ?? 83 F8 01 75 07 FF 15 ?? ?? ?? ?? }

        // n = 7, score = 2300
        $sequence_8 = { 48 3B C1 77 06 E8 ?? ?? ?? ?? CC 48 8B C8 E8 ?? ?? ?? ?? 48 8D 58 27 }

        // n = 4, score = 2300
        $sequence_9 = { FF 15 ?? ?? ?? ?? 33 C0 F0 0F C1 05 ?? ?? ?? ?? 85 C0 }

    condition:
        // Size bound first (cheap), then at least 7 of the 10 sequences.
        filesize < 4825088 and 7 of ($sequence_*)
}
[TLP:WHITE] win_bumblebee_w0   (20220330 | BumbleBee / win.bumblebee)
rule win_bumblebee_w0 {
    meta:
        author = "@AndreGironda"
        description = "BumbleBee / win.bumblebee"
        reference_md5 = "e6a046d1baa7cd2100bdf48102b8a144"
        date = "March 29, 2022"
        tlp = "White"
        malpedia_rule_date = "20220330"
        malpedia_hash = ""
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bumblebee"
        malpedia_version = "20220330"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    // Two literal code fragments from the reference sample (see reference_md5).
    // The string names look like the virtual addresses the bytes were taken
    // from (0x140001d53, 0x18000927a) - inferred from the naming, not stated.
    // Nothing is wildcarded: the E8 call displacements (CC CC FF FF,
    // 26 D3 FF FF) and RIP-relative operands are matched byte-for-byte, so
    // expect this rule to be specific to that build rather than the family.
    strings:
        $hex_140001d53 = { 48 8B 05 06 44 00 00 41 81 EA 06 28 00 00 49 31 80 48 02 00 00 49 8B 80 C8 00 00 00 48 05 28 01 00 00 48 01 41 08 49 8B }
        $hex_18000927a = { 48 8D 4C 24 50 E8 CC CC FF FF 90 4C 8D 45 B0 48 8D 54 24 50 48 8D 8D 00 01 00 00 E8 26 D3 FF FF 90 48 8B 44 24 68 48 83 F8 10 72 4A 48 FF C0 48 }

    condition:
        // Either fragment alone is enough for a hit.
        $hex_140001d53 or $hex_18000927a
}