BumbleBee Malware

Security researchers report on malicious activity associated with the distribution of BumbleBee malware traced back to the initial access broker (IAB) dubbed Exotic Lily. Research data suggest that adversaries use the file transfer tools such as TransferXL, TransferNow, and WeTransfer, to spread BumbleBee malware. The malware is used to launch Cobalt Strike attacks.

Detect BumbleBee Malware

To help organizations better protect their infrastructure, our keen Threat Bounty developers Nattatorn Chuensangarun and Osman Demir have recently released a set of dedicated Sigma rules that enable swift BumbleBee malware detection. Security teams can download these rules from SOC Prime’s Detection as Code platform:

Possible BumbleBee Malware Use in EXOTIC LILY Campaign (via process_creation)

Possible Bumblebee Malware Execution by TransferXL URLs in EXOTIC LILY Campaign (via process access)

Suspicious Bumblebee Malware (May 2022) Defense Evasion by Loading DLL with Rundll32 (via cmdline)

The rules are aligned with the latest MITRE ATT&CK® framework v.10, addressing the Initial Access and Defense Evasion tactics with Phishing (T1566), Process Injection (T1055), and Signed Binary Proxy Execution (T1218) as the primary techniques.

Hit the View Detections button to see the full list of Sigma rules to detect the BumbleBee malware infection . All rules are mapped to the MITRE ATT&CK framework, thoroughly curated and verified. Are you eager to craft your own Sigma and YARA rules to make the world safer? Join our Threat Bounty Program to get recurrent rewards for your valuable input!

View Detections Join Threat Bounty

BumbleBee Malware Analysis

The threat landscape has recently acquired a new piece of malware, tagged BumbleBee. BumbleBee is a loader written in C++, mainly consisting of a single function that handles initialization, response handling, and request sending. When the malware is launched on a compromised device, it gathers the victim’s data, communicating it to the C2 server. The malware is used to fetch and run additional malicious payloads, such as Cobalt Strike, Sliver, and Meterpreter.

Researchers suggest that behind the spread of BumbleBee malware stands an IAB tracked as Exotic Lily. The threat group is associated with the activities of Russia-linked adversaries known as the Conti Group.

There are different ways to distribute BumbleBee, yet in the latest campaign adversaries have been spotted misusing legitimate file transfer services. BumbleBee Malware infection flow is as follows: the malware gets on a targeted device as part of a weaponized zip archive. The zip file contains an ISO disk image. When the victim runs this file, it mounts as a DVD drive. A visible Windows shortcut and a malware DLL for BumbleBee are included in the ISO file.

To timely detect this and other emerging threats, leverage the benefits of collaborative cyber defense by joining our global cybersecurity community at SOC Prime’s Detection as Code platform. Avail accurate and timely detections delivered by seasoned professionals from around the world to boost your SOC team’s operations and security posture.

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts