Cyberveille curated by Decio
8 results tagged Bumblebee
Largest ever operation against botnets hits dropper malware ecosystem | Europol https://www.europol.europa.eu/media-press/newsroom/news/largest-ever-operation-against-botnets-hits-dropper-malware-ecosystem
30/05/2024 09:11:50

Between 27 and 29 May 2024 Operation Endgame, coordinated from Europol’s headquarters, targeted droppers including IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and Trickbot. The actions focused on disrupting criminal services through arresting High Value Targets, taking down the criminal infrastructures and freezing illegal proceeds. This approach had a global impact on the dropper ecosystem. The malware, whose infrastructure was taken down...

Europol EN 2024 Operation-Endgame IcedID SystemBC Pikabot Smokeloader Bumblebee Trickbot dropper botnets
Botnets disrupted after international action https://www.spamhaus.org/resource-hub/malware/operation-endgame-botnets-disrupted-after-international-action/#the-takedown-tale
30/05/2024 09:10:07

Continuing a string of successful botnet takedowns, on Thursday, May 30th 2024, a coalition of international law enforcement agencies announced "Operation Endgame". This effort targeted multiple botnets such as IcedID, Smokeloader, SystemBC, Pikabot and Bumblebee, as well as some of the operators of these botnets. These botnets played a key part in enabling ransomware, thereby causing damages to society estimated to be over a hundred million euros. This coordinated effort is the largest operation ever against botnets involved with ransomware.

spamhaus EN 2024 Operation-Endgame Smokeloader IcedID SystemBC Bumblebee botnet takedown
PindOS: New JavaScript Dropper Delivering Bumblebee and IcedID https://www.deepinstinct.com/blog/pindos-new-javascript-dropper-delivering-bumblebee-and-icedid
26/06/2023 18:59:02

Deep Instinct’s Threat Research Lab recently noticed a new strain of a JavaScript-based dropper that is delivering Bumblebee and IcedID. The dropper contains comments in Russian and employs the unique user-agent string “PindOS”, which may be a reference to current (and past) anti-American sentiment in Russia.

Bumblebee is a malware loader first discovered in March 2022. It was associated with Conti group and was being used as a replacement for BazarLoader. It acts as a primary vector for multiple types of other malware, including ransomware.

IcedID is a modular banking malware designed to steal financial information. It has been seen in the wild since at least 2017 and has recently been observed shifting some of its focus to malware delivery.

deepinstinct EN 2023 JavaScript Dropper PindOS Bumblebee analysis
BumbleBee Zeros in on Meterpreter https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter/
14/11/2022 21:31:34

In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector from a Contact Forms campaign. We have previously reported on two BumbleBee intrusions (1, 2), and this report is a continuation of a series of reports uncovering multiple TTPs seen by BumbleBee post exploitation operators.

The intrusion began with the delivery of an ISO file that contained an LNK and a DLL. The threat actors leveraged BumbleBee to load a Meterpreter agent and Cobalt Strike Beacons. They then performed reconnaissance, used two different UAC bypass techniques, dumped credentials, escalated privileges using a ZeroLogon exploit, and moved laterally through the environment.

thedfirreport EN 2022 bumblebee case analysis
Bumblebee: increasing its capacity and evolving its TTPs https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/
04/10/2022 19:49:59

The spring of 2022 saw a spike in activity of Bumblebee loader, a recent threat that has garnered a lot of attention due to its many links to several well-known malware families.

checkpoint EN 2022 Bumblebee loader malware Analysis
BumbleBee: Round Two https://thedfirreport.com/2022/09/26/bumblebee-round-two/
28/09/2022 15:29:52

In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector. BumbleBee has been identified as an initial access vector utilized by several ransomware affiliates. …

thedfirreport EN 2022 BumbleBee ransomware RDP IoCs
Bumblebee Returns with New Infection Technique https://blog.cyble.com/2022/09/07/bumblebee-returns-with-new-infection-technique/
13/09/2022 19:59:47

Delivers Payload Using Post Exploitation Framework
During our routine threat-hunting exercise, Cyble Research & Intelligence Labs (CRIL) came across a Twitter post wherein a researcher mentioned an interesting infection chain of the Bumblebee loader malware being distributed via spam campaigns.

Bumblebee is a replacement for the BazarLoader malware, which acts as a downloader and delivers known attack frameworks and open-source tools such as Cobalt Strike, Shellcode, Sliver, Meterpreter, etc. It also downloads other types of malware such as ransomware, trojans, etc.

cyble EN 2022 Bumblebee Analysis
THREAT ANALYSIS REPORT: Bumblebee Loader – The High Road to Enterprise Domain Control https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control
22/08/2022 14:23:16

Cybereason GSOC observed distribution of the Bumblebee Loader and post-exploitation activities including privilege escalation, reconnaissance and credential theft. Bumblebee operators use the Cobalt Strike framework throughout the attack and abuse credentials for privilege escalation to access Active Directory, as well as abusing a domain administrator account to move laterally, create local user accounts and exfiltrate data...

cybereason EN 2022 THREAT ANALYSIS REPORT Bumblebee Loader CobaltStrike