In this report we will share our detailed analysis about the recent Bumblebee Loader campaign that is using VHD disk instead of ISO images, with the new Powershell loader.

According to our research Bumblebee Loader using decoyed LNK file as a first malware execution point, when a user clicks on the LNK file it executes the Obfuscated Powershell code on the victim device, which is used to load Bumblebee Malware as a DLL into the Powershell memory, this technique is called as Fileless Malware Execution with PowerShell.

Executive Summary 

• Bumblebee first came to light in March 2022 when Google’s Threat Analysis Group (TAG) unmasked the activities of an initial access broker dubbed Exotic Lily with ties to the TrickBot Malware and the larger Conti Ransomware collectives.

• Distribution of the malware is done by phishing emails with an attachment or a link to a malicious archive containing Bumblebee malware. The initial execution relies on the end-user execution which has to extract the archive, mount an ISO / VHD  file, and click a Windows shortcut (LNK) file that loads the malware itself.

• In this report we will share our detailed analysis about the recent Bumblebee Loader campaign that is using VHD disk instead of ISO images, with the new Powershell loader.

• According to our research Bumblebee Loader using decoyed LNK file as a first malware execution point, when a user clicks on the LNK file it executes the Obfuscated Powershell code on the victim device, which is used to load Bumblebee Malware as a DLL into the Powershell memory, this technique is called as Fileless Malware Execution with PowerShell.

Technical Analysis 

Execution Flow of New Bumblebee Loader Campaign

One of the newest campaigns of Bumblebee malware has been uploaded to VirusTotal on “2022-09-01 14:53:31 UTC”. 

According to our research, this sample has an interesting updates in it, one of the interesting finding at this new campaign is, Bumblebee Loader using VHD disks for a delivery mechanism that contains a decoyed Shortcut (LNK) file and it can be triggered by a simple user click, which is being used to execute a malicious Powershell script with in the same directory named as quotefile.ps1.

After the execution of the LNK file it’s using Powershell.exe to load the  quotefile.ps1. Executed powershell code as follows : 

powershell.exe -ep bypass -file quotefile.ps1

The Malicious Powershell script “quotefile.ps1” used to execute the Bumblebee Malware itself as a DLL inside the memory of Powershell.exe, the same technique can be found in a open source project called PowerSploit, we identified that “quotefile.ps1” using Invoke-ReflectivePEInjection tool to load the Bumblebee binary in-memory. Since there is no disk write operation for Bumblebee DLL itself, this technique is used for the Anti Malware evasion. 

Malicious VHD Disk Used for Initial Attack Vector

Extracted VHD disk can be seen in the below picture, just like an ISO image , VHD disks also can be mounted by a user click , this feature is being abused by Threat Actors to store malware inside VHD disk.

Quote shortcut file (LNK) have Command Line to be executed after a user click  

Obfuscated Powershell Code Loads the Bumblebee DLL In-Memory 

First stage PowerShell loader – “quoutefile.ps1” 

Once it’s executed by the LNK file, “quoutefile.ps1” will hide the open PowerShell window and continue to running background on the victim machine, this action done by without  “-windowstyle hidden” PowerShell command line parameter, it have own function to hide the PowerShell windows to avoid Anti Malware detection.

PowerShell code snippet to hide open window.

The first powershell stage itself was designed to hide suspicious strings and evade static scanning by performing Obfuscation (Base64 and Gzip). Obfuscated code stored itself on “elem” variables, this can be seen in the image below.

 “Obfuscated” Gzip streams.

The code then iterates through the array of Gzip compressed streams, decompresses them, and forms the second stage of powershell code block which will then be executed by Invoke-Expression $dtPrEr.

Second stage is deobfuscated and executed.

Deobfuscation of Malicious Powershell Code 

We can easily deobsfacte this large chunk of encoded powershell code and get the second stage powershell code as deobfuscated by executing the slightly modified version of first stage on a Powershell_ISE, we need it to make some modifications on first stage powershell code to avoid being closed after the execution, simpilly we just need it delete the hide open window function  

 Slightly modified version of first stage Powershell Code.

Now we can execute the modified first stage powershell code to dump the $dtPrEr variable which contains deobfuscated second stage malicious code. 

Second stage PowerShell loader – Dumping $dtPrEr 

After deobfuscating, we can identify the second stage Powershell code that was being stolen from a open source project called PowerSploit’s Code Execution tool (“Invoke-ReflectivePEInjection.ps1”), it’s being used to load an executable binary without touching the disk by abusing Powershell.exe (Fileless in memory execution).

Second stage powershell script deobfuscated : 

Bumblebee DLL stored as hex format inside the second stage powershell code that is being used to execute the Bumblebee in memory.

Bumblebee malware samples have a very common export table called setPath to execute the malicious code, we can also see the DLL export table on deobfuscated powershell code.  

The image below shows the code similarities between the second stage PowerShell script present in the memory of “PowerShell.exe” and the Invoke-ReflectivePEInjection code from PowerSploit’s GitHub page.

Obfuscated Second stage PowerShell script.

Code similarities : 

From PowerSploit’s Github page.

Extracting the Bumblebee DLL (aswhook.dll)

We can extract the hexadecimal code on second stage powershell code to obtain Bumblebee DLL itself (aswhook.dll): 

We can examine the DLL’s Export Table, one of the most interesting one is “setPath”, this same function name being used on older versions of Bumblebee Loader and inside the second stage powershell script we saw the same function name being used to execute the DLL itself properly.  

Analysis of Bumblebee DLL (aswhook.dll)

Now we can use the disassembler to analyze the aswhook.dll. Our first finding is, Bumblebee Loader hiding their Import Table to minimize the detection rate from various Anti Malware scanners.

Hidden Windows APIs.

We can identified another EXE (MZ magic header) file that is stored inside same DLL, this is used to for Process Injection : 

After the execution of aswhook.dll (Bumblebee Loader), it will execute itself by Process Injection technique and then tries to make connections with multiple Command and Control servers that are controlled by the attacker. In order to extract these C2 Servers, we need an RC4 key because this config file is stored inside the Bumblebee Malware as encrypted.

Extraction of RC4 key is relatively simple because it’s stored as plain text :

Extracted Config File 

MITRE ATT&CK Techniques 

Technique Title	ID
Software Packing	T1027.002
User Execution	T1204
PowerShell	T1059
Process Injection	T1055
Obfuscated Files or Information	T1027
Virtualization/Sandbox Evasion	T1497
Query Registry	T1012
System Information Discovery	T1082
Security Software Discovery	T1518

Indicators of Compromise (IOC)

Command and Control Servers

14.31.207.132:22181.9.92.42:167119.76.18.11:355247.159.224.202:44432.19.91.214:38318.218.236.32:451108.65.214.104:154170.120.41.104:472210.95.71.224:141120.24.53.94:203202.135.147.121:12881.59.225.7:31586.229.107.229:32928.48.215.169:349147.85.196.182:247100.43.226.160:468147.59.173.194:351202.9.44.255:464254.156.153.57:20681.112.174.32:153165.228.28.34:12648.187.106.98:21463.7.147.87:10054.157.90.13:37080.56.30.22:278102.170.176.34:316103.172.94.128:216241.204.241.48:481173.117.142.235:35118.48.39.210:220172.93.201.138:4430.212.114.7:148187.71.226.52:115114.14.38.45:466116.142.140.251:443193.77.49.186:11595.133.40.44:306221.114.58.168:2421.146.75.40:49671.83.118.6:419219.210.137.136:398116.86.63.178:331249.111.238.184:4789.136.193.27:35143.175.39.52:4209.108.80.67:487211.69.230.142:413189.116.115.64:365197.42.198.180:4865.229.73.232:132156.188.10.159:458

SHA 256 – Samples

2102214c6a288819112b69005737bcfdf256730ac859e8c53c9697e3f87839f2

1285f03b8dbe35c82feef0cb57b3e9b24e75efabba0589752c2256a8da00ad85

0ff8988d76fc6bd764a70a7a4f07a15b2b2c604138d9aadc784c9aeb6b77e275

db91155087bd2051b7ac0576c0994e9fffb5225c26ea134cb2f38e819f385730

9bd9da44cc2d259b8c383993e2e05bbe1bcdac917db563b94e824b4b1628e87c

d6cc3ac995484b99ed790b6f8ceb145492794eb5d01ec4a71123b9975e9bfd20

0b0a5f3592df7b538b8d8db4ba621b03896f27c9f112b88d56761972b03e6e58

ab1048c71efcacc37fe6d23c62e5799c85fa7376b3c467dff0d4ceb77341be5b