Hackers use Bumblebee Loader to compromise Active Directory services
The malware loader known as Bumblebee is increasingly being co-opted by threat actors associated with BazarLoader, TrickBot and IcedID in their campaigns to breach target networks for post-exploitation activities.
“Bumblebee operators conduct intensive reconnaissance activities and redirect the output of executed commands to files for exfiltration,” Cybereason researchers Meroujan Antonyan and Alon Laufer said in a technical paper.
Bumblebee first emerged in March 2022 when Google’s Threat Analysis Group (TAG) unmasked the activities of an initial access broker dubbed Exotic Lily, linked to the TrickBot and the larger Conti collectives.
Initial access is typically gained through spear-phishing campaigns, but the modus operandi has since shifted away from macro-laden documents in favor of ISO and LNK files, largely in response to Microsoft’s decision to block macros by default.
“Malware distribution occurs through phishing emails with an attachment or link to a malicious archive containing Bumblebee,” the researchers said. “The initial run relies on the end user to extract the archive, mount an ISO image file, and click a Windows Shortcut File (LNK).”
The LNK file, in turn, contains the command that launches the Bumblebee Loader, which is then used as a conduit for next-stage actions such as persistence, privilege escalation, reconnaissance, and information theft.
The Cobalt Strike adversary simulation framework is also used in the attack to gain elevated privileges on infected endpoints, allowing the threat actor to move laterally across the network. Persistence is achieved by deploying the AnyDesk remote desktop software.
In the incident analyzed by Cybereason, the stolen credentials of a highly privileged user were then used to take control of Active Directory, and a local user account was created for data exfiltration.
“The time it took from initial access to Active Directory compromise was less than two days,” the cybersecurity firm said. “Attacks involving Bumblebee should be treated as critical, […] and this loader is known for delivering ransomware.”
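As an added example (not code from Cybereason or from this article), the following Python sketch scores constructed Sysmon-style process-creation records against three behaviours the report describes: reconnaissance output redirected to files, AnyDesk deployment for persistence, and creation of a local account. The reconnaissance command list, the rule weights, and the alert threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample events in a Sysmon-like shape (not from the Cybereason report).
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "corp\\jdoe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami /all > C:\\Users\\jdoe\\AppData\\Local\\Temp\\w.txt"},
    {"host": "WS01", "user": "corp\\jdoe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c nltest /dclist:corp >> C:\\Users\\jdoe\\AppData\\Local\\Temp\\w.txt"},
    {"host": "WS01", "user": "NT AUTHORITY\\SYSTEM", "image": "AnyDesk.exe",
     "cmdline": "AnyDesk.exe"},
    {"host": "WS01", "user": "NT AUTHORITY\\SYSTEM", "image": "net.exe",
     "cmdline": "net user backupadm P@ss /add"},
    {"host": "WS02", "user": "corp\\asmith", "image": "cmd.exe",
     "cmdline": "cmd.exe /c dir > C:\\Users\\asmith\\list.txt"},  # benign redirect
]

# Assumed list of common host/domain enumeration commands (not taken from the report).
RECON_RE = re.compile(
    r"\b(whoami|nltest|systeminfo|ipconfig|tasklist|quser|"
    r"net(?:\.exe)?\s+(?:user|group|view|localgroup))\b", re.I)
REDIRECT_RE = re.compile(r"\s>{1,2}\s*\S")            # "cmd > file" or "cmd >> file"
ADD_USER_RE = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+(?:\s+\S+)?\s+/add\b", re.I)

# Assumed weights: persistence and account creation weigh more than a single recon line.
RULES = {"recon_output_to_file": 1, "anydesk_deployed": 2, "local_account_created": 2}
ALERT_THRESHOLD = 3  # assumption: two distinct behaviours on one host raise an alert


def classify(event):
    """Return the list of behaviour tags a single process-creation event matches."""
    cmd = event["cmdline"]
    hits = []
    if RECON_RE.search(cmd) and REDIRECT_RE.search(cmd):
        hits.append("recon_output_to_file")
    if event["image"].lower() == "anydesk.exe":      # matched on image name only
        hits.append("anydesk_deployed")
    if ADD_USER_RE.search(cmd):
        hits.append("local_account_created")
    return hits


def score_hosts(events):
    """Per host: (sorted distinct behaviours seen, weighted score)."""
    seen = defaultdict(set)
    for e in events:
        seen[e["host"]].update(classify(e))
    return {h: (sorted(b), sum(RULES[x] for x in b)) for h, b in seen.items()}


def alerting_hosts(events):
    """Hosts whose combined score reaches the alert threshold."""
    return sorted(h for h, (_, s) in score_hosts(events).items() if s >= ALERT_THRESHOLD)
```

Correlating the distinct behaviours per host, rather than alerting on each line, keeps a lone `dir > list.txt` quiet while the chain the report describes still surfaces quickly.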