win.bumblebee

BumbleBee


This malware is delivered via an ISO file containing a DLL with a custom loader. Because of its unique user-agent string "bumblebee", the malware was dubbed BUMBLEBEE. At the time of analysis by Google's Threat Analysis Group (TAG), BumbleBee was observed fetching Cobalt Strike payloads.

References
2022-05-19 | InfoSec Handlers Diary Blog | Brad Duncan
@online{duncan:20220519:bumblebee:20c59e6, author = {Brad Duncan}, title = {{Bumblebee Malware from TransferXL URLs}}, date = {2022-05-19}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/28664}, language = {English}, urldate = {2022-05-25} } Bumblebee Malware from TransferXL URLs
BumbleBee Cobalt Strike
2022-05-12 | Intel 471 | Intel 471
@online{471:20220512:what:05369d4, author = {Intel 471}, title = {{What malware to look for if you want to prevent a ransomware attack}}, date = {2022-05-12}, organization = {Intel 471}, url = {https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike}, language = {English}, urldate = {2022-05-13} } What malware to look for if you want to prevent a ransomware attack
Conti BumbleBee Cobalt Strike IcedID Sliver
2022-05-12 | OALabs | Sergei Frankoff
@online{frankoff:20220512:taking:8bf052d, author = {Sergei Frankoff}, title = {{Taking a look at Bumblebee loader}}, date = {2022-05-12}, organization = {OALabs}, url = {https://research.openanalysis.net/bumblebee/malware/loader/unpacking/2022/05/12/bumblebee_loader.html}, language = {English}, urldate = {2022-05-17} } Taking a look at Bumblebee loader
BumbleBee
2022-05-11 | InfoSec Handlers Diary Blog | Brad Duncan
@online{duncan:20220511:ta578:0a0a686, author = {Brad Duncan}, title = {{TA578 using thread-hijacked emails to push ISO files for Bumblebee malware}}, date = {2022-05-11}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/28636}, language = {English}, urldate = {2022-05-11} } TA578 using thread-hijacked emails to push ISO files for Bumblebee malware
BumbleBee Cobalt Strike IcedID PhotoLoader
2022-05-11 | SANS ISC | Brad Duncan
@online{duncan:20220511:ta578:2128ae0, author = {Brad Duncan}, title = {{TA578 using thread-hijacked emails to push ISO files for Bumblebee malware}}, date = {2022-05-11}, organization = {SANS ISC}, url = {https://isc.sans.edu/diary/rss/28636}, language = {English}, urldate = {2022-05-17} } TA578 using thread-hijacked emails to push ISO files for Bumblebee malware
BumbleBee
2022-04-29 | NCC Group | Mike Stokkel, Nikolaos Totosis, Nikolaos Pantazopoulos
@online{stokkel:20220429:adventures:7be43ad, author = {Mike Stokkel and Nikolaos Totosis and Nikolaos Pantazopoulos}, title = {{Adventures in the land of BumbleBee – a new malicious loader}}, date = {2022-04-29}, organization = {NCC Group}, url = {https://research.nccgroup.com/2022/04/29/adventures-in-the-land-of-bumblebee-a-new-malicious-loader/}, language = {English}, urldate = {2022-04-29} } Adventures in the land of BumbleBee – a new malicious loader
BazarBackdoor BumbleBee Conti
2022-04-28 | Proofpoint | Kelsey Merriman, Pim Trouerbach
@online{merriman:20220428:this:4b5ea2a, author = {Kelsey Merriman and Pim Trouerbach}, title = {{This isn't Optimus Prime's Bumblebee but it's Still Transforming}}, date = {2022-04-28}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming}, language = {English}, urldate = {2022-04-29} } This isn't Optimus Prime's Bumblebee but it's Still Transforming
BumbleBee TA578 TA579
2022-04-27 | Medium elis531989 | Eli Salem
@online{salem:20220427:chronicles:c55d826, author = {Eli Salem}, title = {{The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection}}, date = {2022-04-27}, organization = {Medium elis531989}, url = {https://elis531989.medium.com/the-chronicles-of-bumblebee-the-hook-the-bee-and-the-trickbot-connection-686379311056}, language = {English}, urldate = {2022-04-29} } The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection
BumbleBee TrickBot
2022-04-14 | Cynet | Max Malyutin
@online{malyutin:20220414:orion:9db6814, author = {Max Malyutin}, title = {{Orion Threat Alert: Flight of the BumbleBee}}, date = {2022-04-14}, organization = {Cynet}, url = {https://www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/}, language = {English}, urldate = {2022-05-04} } Orion Threat Alert: Flight of the BumbleBee
BumbleBee Cobalt Strike
2022-03-17 | Google | Vladislav Stolyarov, Benoit Sevens, Google Threat Analysis Group
@online{stolyarov:20220317:exposing:f818c6d, author = {Vladislav Stolyarov and Benoit Sevens and Google Threat Analysis Group}, title = {{Exposing initial access broker with ties to Conti}}, date = {2022-03-17}, organization = {Google}, url = {https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/}, language = {English}, urldate = {2022-03-18} } Exposing initial access broker with ties to Conti
BazarBackdoor BumbleBee Cobalt Strike Conti
2022-03-17 | Google | Vladislav Stolyarov, Benoit Sevens
@online{stolyarov:20220317:exposing:5f565b6, author = {Vladislav Stolyarov and Benoit Sevens}, title = {{Exposing initial access broker with ties to Conti}}, date = {2022-03-17}, organization = {Google}, url = {https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti}, language = {English}, urldate = {2022-05-17} } Exposing initial access broker with ties to Conti
BazarBackdoor BumbleBee Conti EXOTIC LILY
Yara Rules
[TLP:WHITE] win_bumblebee_auto (20220411 | Detects win.bumblebee.)
// Auto-generated YARA-Signator rule for win.bumblebee (provenance in meta below).
// Detection logic: at least 7 of the 10 opcode byte sequences in `strings` must
// be present and the scanned file must be smaller than 4758528 bytes (~4.5 MiB).
// NOTE(review): YARA leaves `filesize` undefined when scanning a running
// process, so this rule is effectively a file / memory-dump rule; confirm the
// behaviour of the YARA version in use before relying on it for live-process scans.
rule win_bumblebee_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.bumblebee."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bumblebee"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of raw x86-64 instruction bytes. The
        // `????????` groups wildcard the 4-byte relative displacement of
        // call (e8) / jmp (e9), which is address-dependent.
        // NOTE(review): the instruction text in the annotation column beside each
        // byte group does not correspond to the bytes on the same line (e.g. `90`
        // is nop, `33c0` is xor eax, eax, `7405` is a short je; the 0x40-0x4f REX
        // prefixes mark 64-bit code while the annotations use 32-bit register
        // names) — presumably an artifact of the generator's output. Only the hex
        // bytes are matched; treat the annotations as informational.
        $sequence_0 = { e9???????? 4055 56 4157 b880000000 e8???????? 482be0 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   4055                 | lea                 ecx, dword ptr [0xb718e]
            //   56                   | mov                 ecx, 0x14
            //   4157                 | inc                 esp
            //   b880000000           | lea                 eax, dword ptr [edx + 0x64]
            //   e8????????           |                     
            //   482be0               | jns                 0x1de7

        $sequence_1 = { c74424207f000000 4c8d0df1d71100 8d4a9e 448d42d8 e8???????? 33c0 488b5c2448 }
            // n = 7, score = 100
            //   c74424207f000000     | sub                 esp, eax
            //   4c8d0df1d71100       | push                esi
            //   8d4a9e               | inc                 ecx
            //   448d42d8             | push                esp
            //   e8????????           |                     
            //   33c0                 | mov                 eax, 0x20
            //   488b5c2448           | dec                 eax

        $sequence_2 = { e8???????? 448b84247c020000 448b8c249c020000 448b9424a0020000 448b9c24a4020000 488b8c2448020000 488d942498020000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   448b84247c020000     | mov                 dword ptr [esp + 0x40], eax
            //   448b8c249c020000     | dec                 eax
            //   448b9424a0020000     | mov                 dword ptr [esp + 0x38], edx
            //   448b9c24a4020000     | movups              xmm0, xmmword ptr [esp + 0x38]
            //   488b8c2448020000     | jb                  0x738
            //   488d942498020000     | cmp                 cl, 0x2e

        $sequence_3 = { 4c8d0ddc0a1000 4d8b06 488d15da0a1000 4889442430 b906000000 488d0509210d00 4889442428 }
            // n = 7, score = 100
            //   4c8d0ddc0a1000       | xor                 edx, edx
            //   4d8b06               | mov                 dword ptr [eax + 0x230], 2
            //   488d15da0a1000       | dec                 eax
            //   4889442430           | mov                 ebx, dword ptr [esp + 0x58]
            //   b906000000           | dec                 eax
            //   488d0509210d00       | add                 esp, 0x40
            //   4889442428           | pop                 esi

        $sequence_4 = { c744242001000000 e8???????? 90 488d0547351b00 488903 488d05dd2f1b00 48894348 }
            // n = 7, score = 100
            //   c744242001000000     | dec                 esp
            //   e8????????           |                     
            //   90                   | mov                 dword ptr [esp + 0x28], edi
            //   488d0547351b00       | mov                 eax, dword ptr [ecx]
            //   488903               | dec                 eax
            //   488d05dd2f1b00       | mov                 ecx, ebp
            //   48894348             | mov                 dword ptr [esp + 0x20], eax

        $sequence_5 = { c783b000000018000000 89b3ac000000 4885ff 7405 488bc7 eb0e 488b8b98000000 }
            // n = 7, score = 100
            //   c783b000000018000000     | jne    0xfa2
            //   89b3ac000000         | pop                 ebp
            //   4885ff               | ret                 
            //   7405                 | dec                 eax
            //   488bc7               | lea                 ecx, dword ptr [edx + 0x100]
            //   eb0e                 | dec                 eax
            //   488b8b98000000       | lea                 ecx, dword ptr [edx + 0xd8]

        $sequence_6 = { c74424203d000000 4c8d0d6f4a0f00 b90d000000 448d4282 e8???????? 33c0 4883c430 }
            // n = 7, score = 100
            //   c74424203d000000     | mov                 dword ptr [esp], ecx
            //   4c8d0d6f4a0f00       | dec                 eax
            //   b90d000000           | lea                 edx, dword ptr [edx*4]
            //   448d4282             | inc                 ecx
            //   e8????????           |                     
            //   33c0                 | shr                 ecx, 0x18
            //   4883c430             | dec                 esi

        $sequence_7 = { 4c89b8e0030000 f686dc01000040 740b 498bd5 488bce e8???????? 488b8e90000000 }
            // n = 7, score = 100
            //   4c89b8e0030000       | dec                 eax
            //   f686dc01000040       | mov                 dword ptr [eax + 0x2d8], ecx
            //   740b                 | dec                 eax
            //   498bd5               | mov                 eax, dword ptr [ebx + 0x90]
            //   488bce               | mov                 dword ptr [eax + 0x30c], ecx
            //   e8????????           |                     
            //   488b8e90000000       | dec                 eax

        $sequence_8 = { 7f5f 85f6 78a6 85c0 7557 89b3ac000000 4885ff }
            // n = 7, score = 100
            //   7f5f                 | add                 edx, 0x10
            //   85f6                 | dec                 eax
            //   78a6                 | cmp                 eax, 0xf
            //   85c0                 | dec                 eax
            //   7557                 | lea                 edx, dword ptr [0xd3b5f]
            //   89b3ac000000         | inc                 ebp
            //   4885ff               | xor                 ecx, ecx

        $sequence_9 = { e9???????? 488d054d691b00 48c7410805000000 e9???????? 488d0541691b00 48c7410804000000 e9???????? }
            // n = 7, score = 100
            //   e9????????           |                     
            //   488d054d691b00       | mov                 edx, 0x125
            //   48c7410805000000     | mov                 dword ptr [esp + 0x20], 0x16a
            //   e9????????           |                     
            //   488d0541691b00       | dec                 esp
            //   48c7410804000000     | lea                 ecx, dword ptr [0xa2464]
            //   e9????????           |                     

    condition:
        // At least 7 of the 10 sequences must match; the filesize cap is in
        // bytes (4758528 ≈ 4.5 MiB) and applies to the scanned file as a whole.
        7 of them and filesize < 4758528
}
[TLP:WHITE] win_bumblebee_w0 (20220330 | BumbleBee / win.bumblebee)
// Hand-written rule for BumbleBee (win.bumblebee) by @AndreGironda.
// Detection logic: either of the two raw byte sequences in `strings` is
// sufficient (`any of them`); there is no filesize or PE-header constraint.
rule win_bumblebee_w0 {
    meta:
        author = "@AndreGironda"
        description = "BumbleBee / win.bumblebee"
        // Presumably the MD5 of the sample the byte sequences were extracted from.
        reference_md5 = "e6a046d1baa7cd2100bdf48102b8a144"
	    date = "March 29, 2022"
	    tlp = "White"

    malpedia_rule_date = "20220330"
    // NOTE(review): empty in the published rule — no Malpedia reference hash is recorded here.
    malpedia_hash = ""
	malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bumblebee"
	malpedia_version = "20220330"
	malpedia_license = "CC BY-NC-SA 4.0"
	malpedia_sharing = "TLP:WHITE"
    strings:
	// Raw x86-64 code bytes with no wildcards. The `e8 xx xx xx xx` groups
	// are call instructions with hard-coded relative displacements, and the
	// `48 8b 05 xx xx xx xx` group appears to be a RIP-relative load with a
	// fixed offset, so these patterns are likely specific to the build
	// identified by reference_md5 and may not survive a relink. The string
	// names appear to encode the virtual address the bytes were taken from
	// (0x140000000 / 0x180000000 are the default x64 EXE / DLL image bases)
	// — assumption, confirm against the reference sample.
	$hex_140001d53 = { 48 8b 05 06 44 00 00 41 81 ea 06 28 00 00 49 31 80 48 02 00 00 49 8b 80 c8 00 00 00 48 05 28 01 00 00 48 01 41 08 49 8b }
	$hex_18000927a = { 48 8d 4c 24 50 e8 cc cc ff ff 90 4c 8d 45 b0 48 8d 54 24 50 48 8d 8d 00 01 00 00 e8 26 d3 ff ff 90 48 8b 44 24 68 48 83 f8 10 72 4a 48 ff c0 48 }
    condition:
        // A single matching sequence is enough; no filesize bound, unlike
        // win_bumblebee_auto above.
        any of them
}