Check the status of CVEs. Learn More.
Keeping your systems up 100% of the time requires live patching. Our solutions will align strongly with your risk, compliance, and operational uptime requirements.
TuxCare is trusted by the most innovative companies across the globe.
Learn about TuxCare's modern approach to reducing cybersecurity risk with Blogs, White Papers, and more.
Continually increasing Cybersecurity, stability, and availability of Linux servers and open source software since 2009.
TuxCare provides live security patching for numerous industries. Learn how TuxCare is minimizing risk for companies around the world.
2x a month. No spam.
September 22, 2022 - TuxCare expert team
A new version of the Bumblebee malware loader has been discovered by researchers. The new strain of malware offers a new chain of infection, including the use of a PowerScript framework for stealthy reflective injection of a DLL payload into memory.
Unlike in the past, when it reached victims via e-mails containing password-protected zipped USO files, the new variant uses a VHD (Virtual Hard Disk) file instead of the ISO file. The new VHD file contains a LNK shortcut file.
Instead of running Bumblebee (DLL) directly, the LNK now executes “imageda.ps1,” which starts a PowerShell window and hides it from the user by abusing the ‘ShowWindow’ command. The SP1 script is obfuscated using Base64 and string concatenation to evade AV detection while loading the second stage of the PowerShell loader.
For the second stage of the infection, a similar disguise tactic is used as the first. This tactic includes the PowerShell module which is used to load the 64-bit malware into the memory of the PowerShell process through reflective injection.
“PowerSploit is an open source post-exploitation framework in which the malware uses a method, Invoke-ReflectivePEInjection, for reflectively loading the DLL into the PowerShell Process. This method validates the embedded file and performs multiple checks to ensure that the file is loaded properly on the executing system,” Cyble explains in the report.
The new chain of infection allows Bumblebee to load from memory and never touch the hard drive of the computer, minimizing the chances of being detected and stopped by antivirus tools. Increasing its stealthiness also provides the malware loader with a stronger initial access threat and increases its chances of enticing ransomware and malware operators.
The sources for this piece include an article in BleepingComputer.
Learn About Live Patching with TuxCare
Malicious hackers have started exploiting a critical vulnerability CVE-2022-44877 in...
Deep Instinct researchers reported that RATs like StrRAT and Ratty...
According to CircleCI’s CTO, Rob Zuber, CircleCI is working with...
A remote attacker could exploit multiple vulnerabilities in four Cisco...
In a notable IcedID malware attack, the assailant impacted the...
Bitdefender experts have created a universal decryptor for victims of...
Tech Support
Documentation
Login
Contact Us