Bumblebee
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | Bumblebee has the ability to bypass UAC to deploy post-exploitation tools with elevated privileges.(Citation: Cybereason Bumblebee August 2022)
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Bumblebee can use PowerShell for execution.(Citation: Medium Ali Salem Bumblebee April 2022)
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Bumblebee can use `cmd.exe` to drop and run files.(Citation: Google EXOTIC LILY March 2022)(Citation: Proofpoint Bumblebee April 2022)
Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Bumblebee can create a Visual Basic script to enable persistence.(Citation: Proofpoint Bumblebee April 2022)(Citation: Symantec Bumblebee June 2022)
Enterprise | T1132.001 | Data Encoding: Standard Encoding | Bumblebee has the ability to base64 encode C2 server responses.(Citation: Proofpoint Bumblebee April 2022)
Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Bumblebee can encrypt C2 requests and responses with RC4.(Citation: Proofpoint Bumblebee April 2022)
Enterprise | T1070.004 | Indicator Removal: File Deletion | Bumblebee can uninstall its loader through the use of a `Sdl` command.(Citation: Proofpoint Bumblebee April 2022)
Enterprise | T1559.001 | Inter-Process Communication: Component Object Model | Bumblebee can use a COM object to execute queries to gather system information.(Citation: Proofpoint Bumblebee April 2022)
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Bumblebee has named component DLLs "RapportGP.dll" to match those used by the security company Trusteer.(Citation: Medium Ali Salem Bumblebee April 2022)
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Bumblebee has gained execution by luring users into opening malicious attachments.(Citation: Proofpoint Bumblebee April 2022)(Citation: Symantec Bumblebee June 2022)(Citation: Cybereason Bumblebee August 2022)(Citation: Medium Ali Salem Bumblebee April 2022)
Enterprise | T1566.002 | Phishing: Spearphishing Link | Bumblebee has been spread through e-mail campaigns containing malicious links.(Citation: Proofpoint Bumblebee April 2022)(Citation: Cybereason Bumblebee August 2022)
Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | The Bumblebee loader supports the `Dij` command, which injects DLLs into the memory of other processes.(Citation: Proofpoint Bumblebee April 2022)(Citation: Symantec Bumblebee June 2022)
Enterprise | T1055.004 | Process Injection: Asynchronous Procedure Call | Bumblebee can use asynchronous procedure call (APC) injection to execute commands received from C2.(Citation: Proofpoint Bumblebee April 2022)
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Bumblebee can achieve persistence by copying its DLL to a subdirectory of %APPDATA% and creating a Visual Basic script, run by a scheduled task, that loads the DLL.(Citation: Proofpoint Bumblebee April 2022)(Citation: Symantec Bumblebee June 2022)
Enterprise | T1518.001 | Software Discovery: Security Software Discovery | Bumblebee can identify specific analysis tools based on running processes.(Citation: Proofpoint Bumblebee April 2022)(Citation: Symantec Bumblebee June 2022)(Citation: Medium Ali Salem Bumblebee April 2022)
Enterprise | T1218.008 | System Binary Proxy Execution: Odbcconf | Bumblebee can use `odbcconf.exe` to run DLLs on targeted hosts.(Citation: Cybereason Bumblebee August 2022)
Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | Bumblebee has used `rundll32` to execute the loader component.(Citation: Proofpoint Bumblebee April 2022)(Citation: Symantec Bumblebee June 2022)
Enterprise | T1204.001 | User Execution: Malicious Link | Bumblebee has relied upon a user downloading a file from a OneDrive link for execution.(Citation: Proofpoint Bumblebee April 2022)(Citation: Cybereason Bumblebee August 2022)
Enterprise | T1204.002 | User Execution: Malicious File | Bumblebee has relied upon a user opening an ISO file to enable execution of malicious shortcut files and DLLs.(Citation: Proofpoint Bumblebee April 2022)(Citation: Symantec Bumblebee June 2022)(Citation: Cybereason Bumblebee August 2022)(Citation: Medium Ali Salem Bumblebee April 2022)
Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | Bumblebee has the ability to search for designated file paths and Registry keys that indicate a virtualized environment from multiple products.(Citation: Medium Ali Salem Bumblebee April 2022)
Enterprise | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | Bumblebee has the ability to set a hardcoded and randomized sleep interval.(Citation: Proofpoint Bumblebee April 2022)
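The execution and persistence chain in the table above (an ISO whose shortcut runs the loader DLL through `rundll32`, `odbcconf.exe` loading DLLs, and a scheduled task that runs a Visual Basic script from a subdirectory of %APPDATA%) can be hunted in process-creation telemetry. The rules below are an added example written for this page, not code from MITRE ATT&CK or from any of the cited reports. The events, file names, paths and the task name in it are constructed for illustration and are not Bumblebee indicators; the rules key on the technique pattern rather than on any specific artifact, so they are meant as hunting queries to tune, not as high-fidelity alerts.

```python
"""Process-creation hunting rules for the rundll32 / odbcconf / scheduled-task
chain listed above. Added example; all events are constructed."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (the fields Sysmon EID 1 or Security 4688 carry)."""
    id: int
    image: str          # full path of the new process
    cmdline: str
    parent_image: str


# first DLL path on a command line (no spaces, quotes or commas inside the path)
DLL_ARG = re.compile(r'([a-z]:\\[^",\s]*?\.dll)')
# directories a standard user can write to (matched against lowercased paths)
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads|desktop|public)\\")


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_rundll32_nonsystem_dll(ev: ProcEvent) -> bool:
    """rundll32 loading a DLL from a user-writable directory or from a volume
    other than C: (a mounted ISO gets its own drive letter). Covers both the
    LNK-in-ISO launch and a reload of the loader DLL from %APPDATA%."""
    if _base(ev.image) != "rundll32.exe":
        return False
    m = DLL_ARG.search(ev.cmdline.lower())
    if not m:
        return False
    dll = m.group(1)
    return not dll.startswith("c:\\") or USER_WRITABLE.search(dll) is not None


def rule_odbcconf_regsvr(ev: ProcEvent) -> bool:
    """odbcconf.exe /a {REGSVR <dll>} loads an arbitrary DLL through a signed
    Windows binary; the tool is rarely run interactively at all."""
    return _base(ev.image) == "odbcconf.exe" and "regsvr" in ev.cmdline.lower()


def rule_schtasks_vbs_action(ev: ProcEvent) -> bool:
    """schtasks creating a task whose action is a script host running a .vbs:
    the persistence being installed."""
    cl = ev.cmdline.lower()
    return (_base(ev.image) == "schtasks.exe" and "/create" in cl
            and ".vbs" in cl and ("wscript" in cl or "cscript" in cl))


def rule_task_launched_appdata_vbs(ev: ProcEvent) -> bool:
    """Task actions are started by the Task Scheduler service, which runs inside
    svchost.exe; a script host spawned that way running a .vbs under %APPDATA%
    is the persistence firing rather than being created."""
    cl = ev.cmdline.lower()
    return (_base(ev.image) in ("wscript.exe", "cscript.exe")
            and _base(ev.parent_image) == "svchost.exe"
            and ".vbs" in cl and "\\appdata\\" in cl)


RULES = {
    "rundll32_nonsystem_dll": rule_rundll32_nonsystem_dll,
    "odbcconf_regsvr": rule_odbcconf_regsvr,
    "schtasks_vbs_action": rule_schtasks_vbs_action,
    "task_launched_appdata_vbs": rule_task_launched_appdata_vbs,
}


def analyze(events):
    """Return (event id, rule name) for every rule each event matches."""
    return [(ev.id, name) for ev in events for name, fn in RULES.items() if fn(ev)]


# Constructed events: user name, file names, paths and task name are invented
# for this example and are not indicators from any Bumblebee sample.
SAMPLE_EVENTS = [
    ProcEvent(1, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe E:\setup.dll,EntryPoint", r"C:\Windows\explorer.exe"),
    ProcEvent(2, r"C:\Windows\System32\odbcconf.exe",
              r"odbcconf.exe /a {REGSVR C:\Users\alice\AppData\Local\Temp\cfg.dll}",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(3, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /tn SysUpdate /tr "wscript.exe C:\Users\alice\AppData\Roaming\SysUpdate\update.vbs" /sc minute /mo 15',
              r"C:\Windows\System32\rundll32.exe"),
    ProcEvent(4, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\alice\AppData\Roaming\SysUpdate\update.vbs"',
              r"C:\Windows\System32\svchost.exe"),
    # benign controls: a system DLL via rundll32, and a user double-clicking a script
    ProcEvent(5, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
              r"C:\Windows\explorer.exe"),
    ProcEvent(6, r"C:\Windows\System32\wscript.exe",
              r"wscript.exe C:\Users\alice\Desktop\notes.vbs", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for event_id, rule in analyze(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

Each rule answers one question from the table rather than matching a file name, which is what survives a rebuild of the loader: `odbcconf.exe` with a REGSVR action and a script host started by the Task Scheduler from %APPDATA% are both rare enough in a managed fleet to be worth a ticket, while the `rundll32` rule will need an allow-list for legitimate per-user software that ships its own DLLs.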
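The Data Encoding and Encrypted Channel rows above describe C2 responses that are RC4-encrypted and base64-encoded. The block below is an added example, not code from the page's sources and not Bumblebee's own implementation: it implements RC4 from the standard algorithm and shows how an analyst decodes such a response once the key has been recovered from a sample, why a wrong key still "decrypts" without any error, and what a static key leaks across messages. The key, the JSON message layout and the messages are constructed for the example; the page does not describe Bumblebee's real key or message format, and the keystream-reuse point assumes a deployment with one static key and no per-message nonce, which is an assumption of the example rather than a claim from the cited reports.

```python
"""RC4-then-base64 C2 message handling. Added example; the key and the
message format are constructed and are not Bumblebee's."""
import base64
import json

# Constructed key for the example only; not a key from any real sample.
EXAMPLE_KEY = b"example-rc4-key"


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher (KSA then PRGA, XORed over data). Encryption and
    decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encode_c2(key: bytes, message: dict) -> str:
    """Server side of the channel as described: serialize, RC4, base64."""
    return base64.b64encode(rc4(key, json.dumps(message).encode())).decode("ascii")


def decode_c2(key: bytes, blob: str) -> bytes:
    """Reverse the encoding. Returns raw bytes whatever key was used."""
    return rc4(key, base64.b64decode(blob))


def parse_response(key: bytes, blob: str):
    """RC4 carries no integrity check, so a wrong key yields garbage rather
    than an error. Validate structure (here: a UTF-8 JSON object) instead of
    trusting the output; return None when it does not parse."""
    raw = decode_c2(key, blob)
    try:
        obj = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    return obj if isinstance(obj, dict) else None


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(key: bytes, m1: bytes, m2: bytes) -> bytes:
    """With one static key and no per-message nonce (assumption of this
    example), every message is XORed with the same keystream, so the XOR of
    two ciphertexts equals the XOR of the two plaintexts."""
    return xor_bytes(rc4(key, m1), rc4(key, m2))


# Constructed sample message; the page does not describe the real layout.
SAMPLE_RESPONSE = {"task": "sleep", "seconds": 30}

if __name__ == "__main__":
    blob = encode_c2(EXAMPLE_KEY, SAMPLE_RESPONSE)
    print("wire:", blob)
    print("decoded:", parse_response(EXAMPLE_KEY, blob))
    print("wrong key parses as JSON:", parse_response(b"not-the-key", blob) is not None)
    leak = keystream_reuse_leak(EXAMPLE_KEY, b"ABCD", b"ABCE")
    print("c1 xor c2 =", leak.hex(), "; p1 xor p2 =", xor_bytes(b"ABCD", b"ABCE").hex())
```

When triaging captured traffic, the structural check in `parse_response` is what tells a correct key from an incorrect one; without it, every candidate key "works". The `keystream_reuse_leak` helper is the reason a recovered key is not even strictly necessary for two messages of known structure: their XOR exposes wherever the plaintexts differ.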
Groups That Use This Software

ID | Name | References
---|---|---
G1011 | EXOTIC LILY | (Citation: Google EXOTIC LILY March 2022)
References
- [Symantec Bumblebee June 2022] Kamble, V. (2022, June 28). Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem. Retrieved August 24, 2022.
- [Proofpoint Bumblebee April 2022] Merriman, K. and Trouerbach, P. (2022, April 28). This isn't Optimus Prime's Bumblebee but it's Still Transforming. Retrieved August 22, 2022.
- [Google EXOTIC LILY March 2022] Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022.
- [Medium Ali Salem Bumblebee April 2022] Salem, A. (2022, April 27). The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection. Retrieved September 2, 2022.
- [Cybereason Bumblebee August 2022] Cybereason. (2022, August 17). Bumblebee Loader – The High Road to Enterprise Domain Control. Retrieved August 29, 2022.