Bumblebee Malware Active Directory Services Exploit
Malware Loader Known as Bumblebee
The malware loader known as Bumblebee has seen increased use by threat actors such as BazarLoader (Windows-based malware), TrickBot (banking trojan) and IcedID (modular banking trojan). Bumblebee was first discovered in March 2022 by Google's Threat Analysis Group (TAG). The most common method for delivering the exploit was through spear-phishing campaigns. Originally, Bumblebee was delivered through macro-laced documents. However, this has since changed following Microsoft's decision to block macros by default, a decision made because macros were a common delivery method for ransomware and other malware. Instead of macros, Bumblebee now uses an ISO file and a Windows shortcut (LNK) file. A typical Bumblebee attack looks like this:
- A phishing email is sent to the victim with an attachment containing the Bumblebee loader
- The victim extracts the archive and mounts the ISO image file
- The victim then launches the LNK file
- The LNK file then enables persistence, privilege escalation, reconnaissance and credential theft
Upon gaining elevated privileges, the attacker will then deploy Cobalt Strike on the target which will allow them to move laterally across the network. To maintain persistence, the AnyDesk remote desktop software is deployed on the target.
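The ISO-then-LNK chain above leaves a recognisable pattern in endpoint telemetry: an ISO is mounted, and shortly afterwards a process is launched whose image or command line points at the newly mounted drive letter. The following is an added example (not from the original article or from any vendor tooling) that correlates those two events over constructed Sysmon-style records; the event field names, hostnames and paths are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (Sysmon-style, field names assumed): a user
# mounts a downloaded ISO, and rundll32 is launched with a DLL on that drive.
SAMPLE_EVENTS = [
    {"ts": "2022-09-01T09:00:00", "host": "WS01", "type": "volume_mount",
     "drive": "E:", "source": r"C:\Users\alice\Downloads\invoice.iso"},
    {"ts": "2022-09-01T09:00:20", "host": "WS01", "type": "process_create",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe E:\setup.dll,StartPage",
     "parent": r"C:\Windows\explorer.exe"},
    {"ts": "2022-09-01T11:30:00", "host": "WS02", "type": "process_create",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe",
     "parent": r"C:\Windows\explorer.exe"},
]

MOUNT_WINDOW = timedelta(minutes=10)  # how long after a mount a launch still counts


def detect_iso_launch_chain(events, window=MOUNT_WINDOW):
    """Flag processes whose image or command line references a drive letter
    that was mounted from an ISO/IMG on the same host within `window`."""
    recent_mounts = {}  # (host, drive letter) -> (mount time, image file)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "volume_mount":
            if ev["source"].lower().endswith((".iso", ".img")):
                recent_mounts[(ev["host"], ev["drive"].upper())] = (ts, ev["source"])
        elif ev["type"] == "process_create":
            text = (ev["image"] + " " + ev["cmdline"]).upper()
            for (host, drive), (mounted_at, image_file) in recent_mounts.items():
                if host != ev["host"] or ts - mounted_at > window:
                    continue
                if drive + "\\" in text:  # e.g. "E:\" inside the command line
                    alerts.append({"host": host, "drive": drive, "iso": image_file,
                                   "image": ev["image"], "cmdline": ev["cmdline"],
                                   "parent": ev["parent"]})
    return alerts
```

The parent image is carried into the alert because a user double-clicking the LNK shows up as explorer.exe spawning the payload, which helps an analyst distinguish this chain from an installer that legitimately runs from a mounted image.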
The most recent example of this attack resulted in the credentials of a highly privileged user being stolen and subsequently used to take control of an Active Directory and obtain a copy of the ntds.dit file, which holds the data for the entire Active Directory.
The main delivery point for this malware is phishing, primarily spear-phishing. This technique emphasises the need to get the basics right in your cyber security posture. Spear phishing is when an attacker crafts a very targeted email to trick the victim into performing a set of actions, such as downloading and running malware. In 2021, approximately thirty percent of all phishing emails were opened, with around forty-two percent of employees admitting to having clicked on a malicious link or downloaded a file. To improve in this area, staff should be trained to spot the key attributes of a phishing email, such as an email conveying a sense of urgency or requiring you to provide sensitive information (credentials). If an email asks you to click on a link, it is better to browse to the site using a known trusted URL rather than the one provided in the email. Zip files containing files that you were not expecting to receive should not be opened and should be reported.
Iranian-backed threat group targeting Israeli shipping
Mandiant has reportedly identified evidence of the cybercriminal threat group UNC3890 (Uncategorized threat 3890) targeting the shipping, aviation, healthcare and energy sectors of Israel over the course of 2022. Mandiant has assessed with moderate confidence that UNC3890 is linked to Iran, which would hint at the group's motivation in targeting Israeli infrastructure. The threat actor is believed to be focused on intelligence collection, which could be leveraged to facilitate further kinetic warfare attacks as part of the ongoing conflict between the two nation-states.
As part of the recently recorded attack campaign from UNC3890, attackers utilised standard entry vectors such as email phishing campaigns and other social engineering methods.
Former Minister of Justice and Minister of Foreign Affairs Tzipi Livni was one of the campaign's targets. According to information released by Check Point, Livni received a phishing email from the compromised email address of a former senior official in the Israel Defense Forces. By leveraging the implicit trust gained from using a colleague's real email address, the attackers were orchestrating an effective spear-phishing attempt. Livni became suspicious as to why her supposed colleague was insisting that she open a document using her email password, and confirmed that the messages were malicious once she discussed the matter in person with the email account's owner.
Traces of malicious activity from UNC3890 have been recorded since at least 2020, although no activity has been identified that targeted entities outside Israel.
Mandiant has uncovered several UNC3890-controlled domains masquerading as legitimate services that are being used to harvest user credentials. An ensemble of these phishing domains included
After gaining initial access, UNC3890 utilises a broad toolset to gain further access into the adjacent network and control the victim’s environment, including two in-house tools referred to by Mandiant as SUGARUSH and SUGARDUMP.
SUGARUSH is a custom backdoor that establishes a reverse TCP shell from the compromised device to a hardcoded Command and Control (C2) address. Communication between the C2 endpoint and the victim machine is carried out over the internet via port 4585.
SUGARDUMP is a custom tool used for harvesting credentials from Chrome, Opera and Edge Chromium browsers. The script accesses the browser's directory path on the victim's machine and collects data from the folders \Default\Login Data and \Login Data, as well as any other folders that contain the string
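Both tools described above leave host-level traces a defender can watch for: an outbound connection to the hardcoded port 4585 used by SUGARUSH, and a process other than the browser itself reading a Chromium Login Data store, which is what SUGARDUMP does. The following is an added example (not Mandiant's or the article's code) that applies both checks to constructed telemetry; the event layout, process names, paths and addresses are assumptions.

```python
import re

SUGARUSH_PORT = 4585  # hardcoded reverse-shell port named in the report
# Processes that legitimately open their own Login Data store
BROWSER_IMAGES = {"chrome.exe", "opera.exe", "msedge.exe"}
# Chromium credential store: ...\<User Data>\Default\Login Data or ...\<profile>\Login Data
LOGIN_DATA_RE = re.compile(
    r"\\(Google\\Chrome|Opera Software\\Opera Stable|Microsoft\\Edge)\\(?:.*\\)?Login Data$", re.I)

# Constructed sample telemetry (field names, paths and addresses assumed)
SAMPLE_EVENTS = [
    {"type": "network_connect", "host": "WS01", "image": r"C:\ProgramData\svc\update.exe",
     "dst_ip": "203.0.113.7", "dst_port": 4585},
    {"type": "network_connect", "host": "WS01",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dst_ip": "198.51.100.20", "dst_port": 443},
    {"type": "file_read", "host": "WS01", "image": r"C:\Users\bob\AppData\Local\Temp\sd.exe",
     "path": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_read", "host": "WS01",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_read", "host": "WS01", "image": r"C:\Users\bob\AppData\Local\Temp\sd.exe",
     "path": r"C:\Users\bob\AppData\Local\Microsoft\Edge\User Data\Profile 1\Login Data"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_unc3890_indicators(events):
    """Return (rule, host, image, detail) tuples for events matching either check."""
    alerts = []
    for ev in events:
        if ev["type"] == "network_connect" and ev["dst_port"] == SUGARUSH_PORT:
            alerts.append(("sugarush_port", ev["host"], ev["image"],
                           f'{ev["dst_ip"]}:{ev["dst_port"]}'))
        elif ev["type"] == "file_read" and LOGIN_DATA_RE.search(ev["path"]):
            # The browser reading its own store is normal; any other reader is not
            if basename(ev["image"]) not in BROWSER_IMAGES:
                alerts.append(("login_data_read", ev["host"], ev["image"], ev["path"]))
    return alerts
```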
Sources
- Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors | Mandiant
- Suspected Iranian Hackers Targeted Ex-Israeli Officials | Bloomberg
- Iran-backed threat group targeting Israeli shipping, says analyst | Cybernews