
Bumblebee

Bumblebee is a custom loader written in C++ that has been used by multiple threat actors, including possible initial access brokers, to download and execute additional payloads since at least March 2022. Bumblebee has been linked to ransomware operations including Conti, Quantum, and Mountlocker and derived its name from the appearance of "bumblebee" in the user-agent.(Citation: Google EXOTIC LILY March 2022)(Citation: Proofpoint Bumblebee April 2022)(Citation: Symantec Bumblebee June 2022)
ID: S1039
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 19 Aug 2022
Last Modified: 21 Oct 2022

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

Bumblebee has the ability to bypass UAC to deploy post exploitation tools with elevated privileges.(Citation: Cybereason Bumblebee August 2022)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Bumblebee can use PowerShell for execution.(Citation: Medium Ali Salem Bumblebee April 2022)

.003 Command and Scripting Interpreter: Windows Command Shell

Bumblebee can use `cmd.exe` to drop and run files.(Citation: Google EXOTIC LILY March 2022)(Citation: Proofpoint Bumblebee April 2022)

.005 Command and Scripting Interpreter: Visual Basic

Bumblebee can create a Visual Basic script to enable persistence.(Citation: Proofpoint Bumblebee April 2022)(Citation: Symantec Bumblebee June 2022)

Enterprise T1132 .001 Data Encoding: Standard Encoding

Bumblebee has the ability to base64 encode C2 server responses.(Citation: Proofpoint Bumblebee April 2022)

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Bumblebee can encrypt C2 requests and responses with RC4.(Citation: Proofpoint Bumblebee April 2022)

Enterprise T1070 .004 Indicator Removal: File Deletion

Bumblebee can uninstall its loader through the use of a `Sdl` command.(Citation: Proofpoint Bumblebee April 2022)

Enterprise T1559 .001 Inter-Process Communication: Component Object Model

Bumblebee can use a COM object to execute queries to gather system information.(Citation: Proofpoint Bumblebee April 2022)

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Bumblebee has named component DLLs "RapportGP.dll" to match those used by the security company Trusteer.(Citation: Medium Ali Salem Bumblebee April 2022)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Bumblebee has gained execution through luring users into opening malicious attachments.(Citation: Proofpoint Bumblebee April 2022)(Citation: Symantec Bumblebee June 2022)(Citation: Cybereason Bumblebee August 2022)(Citation: Medium Ali Salem Bumblebee April 2022)

.002 Phishing: Spearphishing Link

Bumblebee has been spread through e-mail campaigns with malicious links.(Citation: Proofpoint Bumblebee April 2022)(Citation: Cybereason Bumblebee August 2022)

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

The Bumblebee loader can support the `Dij` command which gives it the ability to inject DLLs into the memory of other processes.(Citation: Proofpoint Bumblebee April 2022)(Citation: Symantec Bumblebee June 2022)

.004 Process Injection: Asynchronous Procedure Call

Bumblebee can use asynchronous procedure call (APC) injection to execute commands received from C2.(Citation: Proofpoint Bumblebee April 2022)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Bumblebee can achieve persistence by copying its DLL to a subdirectory of %APPDATA% and creating a Visual Basic Script that will load the DLL via a scheduled task.(Citation: Proofpoint Bumblebee April 2022)(Citation: Symantec Bumblebee June 2022)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Bumblebee can identify specific analytical tools based on running processes.(Citation: Proofpoint Bumblebee April 2022)(Citation: Symantec Bumblebee June 2022)(Citation: Medium Ali Salem Bumblebee April 2022)

Enterprise T1218 .008 System Binary Proxy Execution: Odbcconf

Bumblebee can use `odbcconf.exe` to run DLLs on targeted hosts.(Citation: Cybereason Bumblebee August 2022)

.011 System Binary Proxy Execution: Rundll32

Bumblebee has used `rundll32` for execution of the loader component.(Citation: Proofpoint Bumblebee April 2022)(Citation: Symantec Bumblebee June 2022)

Enterprise T1204 .001 User Execution: Malicious Link

Bumblebee has relied upon a user downloading a file from a OneDrive link for execution.(Citation: Proofpoint Bumblebee April 2022)(Citation: Cybereason Bumblebee August 2022)

.002 User Execution: Malicious File

Bumblebee has relied upon a user opening an ISO file to enable execution of malicious shortcut files and DLLs.(Citation: Proofpoint Bumblebee April 2022)(Citation: Symantec Bumblebee June 2022)(Citation: Cybereason Bumblebee August 2022)(Citation: Medium Ali Salem Bumblebee April 2022)

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

Bumblebee has the ability to search for designated file paths and Registry keys that indicate a virtualized environment from multiple products.(Citation: Medium Ali Salem Bumblebee April 2022)

.003 Virtualization/Sandbox Evasion: Time Based Evasion

Bumblebee has the ability to set a hardcoded and randomized sleep interval.(Citation: Proofpoint Bumblebee April 2022)
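As an added detection-side example (not part of the ATT&CK entry or any of the cited reports), the Python below classifies constructed process-creation events against the persistence and proxy-execution behaviours listed above: a Visual Basic script under %APPDATA% launched from a scheduled task (T1053.005, T1059.005) and `rundll32`/`odbcconf.exe` loading a DLL from a user profile path (T1218.011, T1218.008). The paths, subdirectory names and parent/child relationships are assumed sample values, and the svchost-parent test is a heuristic rather than a rule from the page.

```python
import re

# Constructed sample process-creation events (not real telemetry), modelled on
# the behaviours described in the technique table above.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\svchost.exe",   # Task Scheduler host (assumed)
     "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\alice\AppData\Roaming\sample_subdir\sample.vbs"'},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\alice\AppData\Roaming\sample_subdir\sample.dll,Start"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\odbcconf.exe",
     "cmd": r"odbcconf.exe /a {REGSVR C:\Users\alice\AppData\Local\Temp\sample.dll}"},
    {"parent": r"C:\Windows\explorer.exe",            # benign rundll32 use
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

# Command line references a file under the user's AppData tree.
APPDATA_RE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
PROXY_BINS = {"rundll32.exe": "T1218.011", "odbcconf.exe": "T1218.008"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the technique IDs (from this page) that a single event matches."""
    hits = []
    image, parent, cmd = basename(event["image"]), basename(event["parent"]), event["cmd"]
    in_appdata = bool(APPDATA_RE.search(cmd))
    # Script host running a .vbs from AppData; a Task Scheduler parent (svchost
    # hosting the Schedule service, heuristic) points to scheduled-task persistence.
    if image in SCRIPT_HOSTS and in_appdata and re.search(r"\.vbs\b", cmd, re.I):
        hits.append("T1059.005")
        if parent == "svchost.exe":
            hits.append("T1053.005")
    # Signed proxy binary loading a DLL from a user profile path.
    if image in PROXY_BINS and in_appdata and re.search(r"\.dll\b", cmd, re.I):
        hits.append(PROXY_BINS[image])
    return hits


def scan(events):
    """Return (image, techniques) for every event that matched at least one technique."""
    return [(e["image"], classify(e)) for e in events if classify(e)]


if __name__ == "__main__":
    for image, techniques in scan(SAMPLE_EVENTS):
        print(image, "->", ", ".join(techniques))
```

The benign `rundll32.exe shell32.dll,Control_RunDLL` event is kept in the sample set to show that the AppData-path condition, not the binary name alone, drives the match.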

Groups That Use This Software

ID Name References
G1011 EXOTIC LILY

(Citation: Google EXOTIC LILY March 2022)
