Tech Support
Documentation
Login
Contact Us
Bumblebee Malware Attacks: WebDAV Threat Unveiled
Wajahat Raja
October 3, 2023 - TuxCare expert team
The frightening Bumblebee malware attacks have made a forceful return in the realm of cybersecurity, posing a major threat to organizations’ digital security. Following a brief absence, this renowned loader has reappeared with improved strategies, raising alarms across the cybersecurity sector and placing a huge emphasis on recovering from ransomware attacks.
A Change in Bumblebee’s Strategy
Bumblebee’s mode of operation has lately changed, according to Intel 471 Malware Intelligence. Instead of relying on static command and control servers, this malware now includes a Domain Generation Algorithm (DGA), increasing its resistance to detection.
The Ongoing Evolution of the Bumblebee
On September 1, 2023, a new version of the Bumblebee loader with substantial architectural modifications was released. For communication, it switched from the WebSocket protocol to a proprietary Transmission Control Protocol (TCP). It also used a Domain Generation Algorithm (DGA) to generate 100 new domains with the “.life” top-level domain (TLD). This change increased complexity while decreasing dependency on static command and control services.
The WebDAV Connection
On September 7, 2023, cybersecurity specialists discovered a new wave of Bumblebee activity by utilizing Web Distributed Authoring and Versioning (WebDAV) servers. Threat actors used malicious spam emails as delivery mechanisms in this campaign. These emails included Windows shortcut (.LNK), and compressed archive (.ZIP) files that, when activated, started the malware download from WebDAV servers.
Domains Uncovered
Bumblebee malware targets four domains that were found in the observed WebDAV campaign, with the fourth domain successfully resolved and contacted:
- 3v1n35i5kwx[dot]life
- cmid1s1zeiu[dot]life
- Itszko2ot5u[dot]life
- newdnq1xnl9[dot]life
This evolution of the Bumblebee loader demonstrates a coordinated attempt by threat actors to improve evasion strategies and network resilience. The use of 4shared’s WebDAV services as a distribution technique introduces a new attack vector.
Bumblebee Malware Attacks and Rise to Notoriety
Bumblebee rose to prominence as a loader, swiftly becoming the weapon of choice for threat actors formerly linked to BazarLoader. Its relationship with ransomware payloads like Cobalt Strike, Metasploit, and Sliver highlights its potency.
The connection between Bumblebee and threat actors associated with Conti and Trickbot activities emphasizes its strategic importance in the world of cybercrime. One threat actor even attempted to use Bumblebee in a malicious advertising campaign targeting business users in the United States, demonstrating its attractiveness among cyber criminals.
WebDAV: A Familiar yet Potent Tool
Threat actors used 4shared WebDAV services as their preferred distribution mechanism in this current campaign. 4shared is a file-hosting service that allows users to upload and download files via a web interface and the Bumblebee malware WebDAV protocol. WebDAV, which is well-known for facilitating remote file management, provides a handy entry point for cyber attackers.
Deceptive Email Lures
In the Bumblebee malware campaign, malevolent actors employed deceptive spam emails disguised as various documents, including scans, notifications, and invoices. Most of the observed samples were distributed as .LNK files. Upon execution, these .LNK files triggered the Windows command processor, which executed predefined commands.
The first command involved the mounting of a network drive to a WebDAV folder, located at “https://webdav.4shared[dot]com,” using specific authentication credentials. Malevolent actors used false spam emails disguised as various documents, such as scans, notices, and bills, in the Bumblebee malware organizations. The attachments in these emails were intriguing, with filenames like “scan-document_2023(383).lnk” and “invoice-07september_2023(231).lnk.”
Variations in Attack Methods
A comprehensive investigation of the Bumblebee malware attack showed differences in command settings between samples. Following the network drive’s mounting, the following commands varied based on the sample. Some used “expand” to extract files, while others used “replace.exe” as an alternative option. The methods for executing these files differed as well, with the employment of processes such as “wmic.exe,” “conhost.exe,” and “schtasks.”
This move is cause for concern, given Bumblebee’s previous involvement in the distribution of ransomware payloads such as Conti and Akira. The adoption of a more efficient and elusive distribution method, combined with DGA usage, makes mapping Bumblebee’s infrastructure, blocking its domains, and disrupting its activities increasingly difficult.
Intel 471 advises blocking known malicious URLs related to this campaign, as well as closely monitoring command line event logs for any unusual activity.
Conclusion
Organizations must be attentive in their cybersecurity efforts as the Bumblebee virus advances and adapts. The use of WebDAV servers as a method of distribution emphasizes the significance of comprehensive security measures, proactive threat detection, and ongoing monitoring to protect against emerging Bumblebee malware cyber threats.
The sources for this piece include articles in Bleeping Computer and GBHackers.
