- Bumblebee first came to light in March 2022 when Google’s Threat Analysis Group (TAG) unmasked the activities of an initial access broker dubbed Exotic Lily with ties to the TrickBot Malware and the larger Conti Ransomware collectives.
- The malware is distributed by phishing emails with an attachment or a link to a malicious archive containing Bumblebee malware. Initial execution relies on the end user, who has to extract the archive, mount an ISO / VHD file, and click a Windows shortcut (LNK) file that loads the malware itself.
- In this report we share our detailed analysis of the recent Bumblebee Loader campaign, which uses VHD disks instead of ISO images, together with the new PowerShell loader.
- According to our research, Bumblebee Loader uses a decoy LNK file as the first malware execution point. When a user clicks the LNK file, it executes obfuscated PowerShell code on the victim device, which loads the Bumblebee malware as a DLL into PowerShell's memory. This technique is known as fileless malware execution with PowerShell.
Execution Flow of New Bumblebee Loader Campaign
One of the newest Bumblebee malware campaigns was uploaded to VirusTotal on “2022-09-01 14:53:31 UTC”.
According to our research, this sample contains some interesting updates. One of the interesting findings in this new campaign is that Bumblebee Loader uses VHD disks as a delivery mechanism. The VHD contains a decoy shortcut (LNK) file that is triggered by a simple user click and is used to execute a malicious PowerShell script in the same directory, named quotefile.ps1.
After the LNK file is executed, it uses powershell.exe to load quotefile.ps1. The executed PowerShell command is as follows:
|powershell.exe -ep bypass -file quotefile.ps1|
The malicious PowerShell script “quotefile.ps1” is used to execute the Bumblebee malware itself as a DLL inside the memory of powershell.exe. The same technique can be found in an open source project called PowerSploit; we identified that “quotefile.ps1” uses the Invoke-ReflectivePEInjection tool to load the Bumblebee binary in memory. Since there is no disk write operation for the Bumblebee DLL itself, this technique is used for anti-malware evasion.
Malicious VHD Disk Used for Initial Attack Vector
The extracted VHD disk can be seen in the picture below. Just like an ISO image, a VHD disk can be mounted with a user click; threat actors abuse this feature to store malware inside VHD disks.
The Quote shortcut file (LNK) carries the command line that is executed after a user click.
Obfuscated Powershell Code Loads the Bumblebee DLL In-Memory
First stage PowerShell loader – “quotefile.ps1”
Once it is executed by the LNK file, “quotefile.ps1” hides the open PowerShell window and continues running in the background on the victim machine. This is done without the “-windowstyle hidden” PowerShell command-line parameter; the script has its own function for hiding the PowerShell window to avoid anti-malware detection.
PowerShell code snippet to hide open window.
The first PowerShell stage was designed to hide suspicious strings and evade static scanning through obfuscation (Base64 and Gzip). The obfuscated code is stored in “elem” variables, as can be seen in the image below.
“Obfuscated” Gzip streams.
The code then iterates through the array of Gzip-compressed streams, decompresses them, and forms the second-stage PowerShell code block, which is then executed by Invoke-Expression $dtPrEr.
Second stage is deobfuscated and executed.
Deobfuscation of Malicious Powershell Code
We can easily deobfuscate this large chunk of encoded PowerShell code and obtain the deobfuscated second stage by executing a slightly modified version of the first stage in PowerShell_ISE. We need to make some modifications to the first-stage PowerShell code so that it does not close after execution; we simply need to delete the function that hides the open window.
Slightly modified version of first stage PowerShell code.
Now we can execute the modified first-stage PowerShell code to dump the $dtPrEr variable, which contains the deobfuscated second-stage malicious code.
Second stage PowerShell loader – Dumping $dtPrEr
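A static alternative to running the modified first stage, as an added example that is not code from the original report: it decodes the Base64 + Gzip chunks offline and joins them, so nothing from the sample is executed. The chunk layout (quoted Base64 strings assigned to variables whose names start with "elem"), the helper names and the sample script are assumptions constructed for illustration.

```python
import base64
import gzip
import re
import zlib

# Assumed layout (the report shows it only as an image): each chunk is a quoted
# Base64 string holding one Gzip stream, assigned to a variable whose name
# starts with "elem".
CHUNK_RE = re.compile(r"""\$elem\w*\s*=\s*["']([A-Za-z0-9+/=\s]+)["']""")


def decode_chunk(b64_text: str) -> str:
    """Base64-decode and gunzip one chunk without executing anything."""
    raw = base64.b64decode("".join(b64_text.split()), validate=True)
    if raw[:2] != b"\x1f\x8b":  # Gzip magic bytes
        raise ValueError("chunk is not a Gzip stream")
    return gzip.decompress(raw).decode("utf-8", errors="replace")


def recover_second_stage(ps1_source: str) -> str:
    """Rebuild the text the loader would hand to Invoke-Expression."""
    parts = []
    for match in CHUNK_RE.finditer(ps1_source):
        try:
            parts.append(decode_chunk(match.group(1)))
        except (ValueError, OSError, EOFError, zlib.error):
            continue  # decoy or damaged chunk: skip it, keep the rest
    return "".join(parts)


def pack_chunk(text: str) -> str:
    """Build one constructed sample chunk (harmless text only)."""
    return base64.b64encode(gzip.compress(text.encode())).decode()


# Constructed first-stage sample: two valid chunks and one decoy.
SAMPLE_PS1 = "\n".join([
    '$elem1 = "' + pack_chunk("function Invoke-Demo { ") + '"',
    '$elem2 = "bm90IGd6aXA="',  # Base64 of "not gzip", gets skipped
    '$elem3 = "' + pack_chunk("Write-Output 1 }") + '"',
    "Invoke-Expression $dtPrEr",
])

if __name__ == "__main__":
    print(recover_second_stage(SAMPLE_PS1))
```

On a real sample the regular expression has to be adapted to the variable names and quoting the script actually uses.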
After deobfuscation, we can identify that the second-stage PowerShell code was taken from the Code Execution tool (“Invoke-ReflectivePEInjection.ps1”) of an open source project called PowerSploit. It is used to load an executable binary without touching the disk by abusing powershell.exe (fileless in-memory execution).
Second stage PowerShell script deobfuscated:
The Bumblebee DLL is stored in hex format inside the second-stage PowerShell code that is used to execute Bumblebee in memory.
Bumblebee malware samples very commonly have an exported function called setPath that executes the malicious code; we can also see this DLL export in the deobfuscated PowerShell code.
The image below shows the code similarities between the second stage PowerShell script present in the memory of “PowerShell.exe” and the Invoke-ReflectivePEInjection code from PowerSploit’s GitHub page.
Obfuscated Second stage PowerShell script.
Code similarities :
From PowerSploit’s Github page.
Extracting the Bumblebee DLL (aswhook.dll)
We can extract the hexadecimal code from the second-stage PowerShell code to obtain the Bumblebee DLL itself (aswhook.dll):
We can examine the DLL’s export table. One of the most interesting entries is “setPath”: the same function name was used in older versions of Bumblebee Loader, and inside the second-stage PowerShell script we saw the same function name being used to execute the DLL properly.
Analysis of Bumblebee DLL (aswhook.dll)
Now we can use a disassembler to analyze aswhook.dll. Our first finding is that Bumblebee Loader hides its import table to minimize the detection rate across various anti-malware scanners.
Hidden Windows APIs.
We can identify another EXE file (MZ magic header) stored inside the same DLL; it is used for process injection:
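The hex extraction of the DLL and the search for a second MZ header described above can be scripted. The following is an added example, not code from the original report: it decodes long hex runs from a dumped script, checks the PE headers, and lists every PE image inside the blob. The hex layout, the `$hexData` variable and the minimal headers built by `fake_pe` are constructed assumptions.

```python
import re
import struct

# Assumption: the DLL sits in the dumped second stage either as one long hex
# string or as a 0x4d,0x5a,... byte list; this pattern matches both.
HEX_RUN_RE = re.compile(r"(?:(?:0x)?[0-9A-Fa-f]{2}[\s,]*){64,}")
IMAGE_FILE_DLL = 0x2000  # Characteristics flag in the COFF file header


def pe_info(data: bytes, offset: int = 0):
    """Return {'offset', 'is_dll'} if a PE image starts at offset, else None."""
    if data[offset:offset + 2] != b"MZ" or len(data) < offset + 0x40:
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, offset + 0x3C)
    pe = offset + e_lfanew
    if data[pe:pe + 4] != b"PE\x00\x00" or len(data) < pe + 24:
        return None  # "MZ" by coincidence, no PE signature behind it
    (characteristics,) = struct.unpack_from("<H", data, pe + 22)
    return {"offset": offset, "is_dll": bool(characteristics & IMAGE_FILE_DLL)}


def carve_pe_images(script_text: str):
    """Decode hex runs in a script and list every PE image found inside them."""
    results = []
    for run in HEX_RUN_RE.finditer(script_text):
        blob = bytes.fromhex(re.sub(r"0x|[\s,]", "", run.group(0)))
        if pe_info(blob) is None:
            continue  # hex data, but not a PE file
        images = [pe_info(blob, m.start()) for m in re.finditer(b"MZ", blob)]
        results.append((blob, [img for img in images if img]))
    return results


def fake_pe(is_dll: bool, payload: bytes = b"") -> bytes:
    """Constructed minimal headers: DOS stub, PE signature, COFF header."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
    flags = IMAGE_FILE_DLL if is_dll else 0x0002
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, flags)
    return dos + b"PE\x00\x00" + coff + payload


# Constructed sample: a DLL header with an EXE header embedded after padding.
SAMPLE_DLL = fake_pe(True, b"\x00" * 16 + fake_pe(False))
SAMPLE_SCRIPT = '$hexData = "' + SAMPLE_DLL.hex() + '"'

if __name__ == "__main__":
    for blob, images in carve_pe_images(SAMPLE_SCRIPT):
        print(len(blob), images)
```

The carved blob can then be written to disk in an isolated analysis environment and opened in a PE viewer or disassembler.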
After aswhook.dll (Bumblebee Loader) is executed, it runs itself via the process injection technique and then tries to connect to multiple command and control servers controlled by the attacker. To extract these C2 servers we need an RC4 key, because the config file is stored encrypted inside the Bumblebee malware.
Extraction of the RC4 key is relatively simple because it is stored as plain text:
Extracted Config File
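The config decryption step can be sketched as follows. This is an added example, not code from the original report: it collects printable strings from a binary as candidate RC4 keys and keeps the one whose decryption yields IP:port entries. The key, the binary bytes, the config layout (a comma-separated IP:port list) and the documentation-range addresses are all constructed assumptions.

```python
import re

# Assumption: the decrypted config contains IPv4:port entries.
C2_RE = re.compile(rb"(?:\d{1,3}\.){3}\d{1,3}:\d{1,5}")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def printable_strings(binary: bytes, min_len: int = 6):
    """Printable ASCII runs, like the 'strings' tool: candidate plaintext keys."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, binary)


def find_config(candidate_keys, encrypted: bytes):
    """Try each candidate as the RC4 key; keep the one that yields C2 entries."""
    for key in candidate_keys:
        servers = [m.decode() for m in C2_RE.findall(rc4(key, encrypted))]
        if servers:
            return key, servers
    return None, []


# Constructed sample: strings as they might sit in a binary, and a config
# blob encrypted with one of them.
SAMPLE_BINARY = b"\x00\x01GetProcAddress\x00\x00ExampleKey01\x00\xff"
SAMPLE_CONFIG = rc4(b"ExampleKey01", b"192.0.2.10:443,198.51.100.7:8080")

if __name__ == "__main__":
    print(find_config(printable_strings(SAMPLE_BINARY), SAMPLE_CONFIG))
```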
MITRE ATT&CK Techniques
| Technique | ID |
|---|---|
| Obfuscated Files or Information | T1027 |
| System Information Discovery | T1082 |
| Security Software Discovery | T1518 |
Indicators of Compromise (IOC)
|Command and Control Servers|
|SHA 256 – Samples|