Bumblebee is a malware loader first discovered in March 2022. It has been associated with the Conti group and was used as a replacement for BazarLoader. It acts as a primary delivery vector for multiple other malware families, including ransomware.
IcedID is a modular banking malware designed to steal financial information. It has been seen in the wild since at least 2017 and has recently been observed shifting some of its focus to malware delivery.
Bumblebee’s usual delivery chain, including its most recent major campaign, is a PowerShell-based first stage with very characteristic obfuscation (“elemXXX”) that serves as a wrapper and loading routine for an embedded 64-bit payload .DLL. Our analysis of this flow can be found here.
IcedID – From Banker to Loader?
Once de-obfuscated, the dropper is surprisingly simple. It consists of a single function, “exec,” which takes four parameters:
- “UserAgent” – The user-agent string to be used when downloading Bumblebee’s .DLL
- “URL1” – First address to download from
- “URL2” – Second address to download from
- “RunDLL” – Payload .DLL exported function to call
When executed, the dropper first attempts to download the payload from URL1 and execute it by invoking the specified export directly via rundll32.exe. If this fails, the dropper attempts to download the payload from URL2 and execute it using a combination of PowerShell and rundll32.exe.
The downloaded payload is saved to %appdata%/Microsoft/Templates/<6-char-random-number>.dat
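The execution chain described above (a script-host dropper, rundll32.exe invoking a named export of a .dat file under %appdata%\Microsoft\Templates, and the PowerShell-plus-rundll32 fallback) maps cleanly onto process-creation telemetry. The following is an added detection example, not code from the original post or from the malware: it runs a few heuristics over constructed Sysmon-style process-creation events. The field names, the sample command lines, and the export name “RunDLLEntry” are assumptions for illustration; the page gives only the parameter name “RunDLL” and the “<6-char-random-number>.dat” file name pattern.

```python
"""
Added example (not from the original post): heuristics for the PindOS
execution chain, applied to constructed Sysmon-style process-creation events.
Field names (Image, ParentImage, CommandLine), sample paths and the export
name "RunDLLEntry" are assumptions made for this example.
"""
import re
from typing import Dict, List, Tuple

# Dropped payload location: %appdata%\Microsoft\Templates\<6 chars>.dat.
# The page describes the six characters as a random number; the pattern accepts
# any six non-separator characters (assumption) and tolerates the unexpanded
# %APPDATA% / $env:APPDATA spellings as well as the expanded AppData\Roaming path.
TEMPLATES_DAT = re.compile(
    r"""(?ix)
    (?:%appdata%|\$env:appdata|appdata\\roaming)   # any spelling of the profile root
    \\microsoft\\templates\\
    (?P<name>[^\\,\s"']{6})\.dat
    """
)
# rundll32 invoked with an explicit export: rundll32[.exe] <path>.dat,<ExportName>
RUNDLL32_EXPORT = re.compile(
    r"(?i)rundll32(?:\.exe)?\s+\S*?\.dat\s*,\s*(?P<export>[A-Za-z_]\w*)"
)
# The dropper is a .JS file, so the script hosts are the expected parents.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # first attempt: payload from URL1 run directly through rundll32.exe
        "Image": r"C:\Windows\System32\rundll32.exe",
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r"rundll32.exe C:\Users\bob\AppData\Roaming\Microsoft\Templates\483920.dat,RunDLLEntry",
    },
    {   # fallback: payload from URL2 run via PowerShell + rundll32.exe
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r'powershell.exe -c "rundll32.exe $env:APPDATA\Microsoft\Templates\117284.dat,RunDLLEntry"',
    },
    {   # benign rundll32 usage that must not match
        "Image": r"C:\Windows\System32\rundll32.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL",
    },
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(event: Dict[str, str]) -> List[str]:
    """Return the indicator names matched by one process-creation event."""
    hits: List[str] = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    dat = TEMPLATES_DAT.search(cmd)
    export = RUNDLL32_EXPORT.search(cmd)

    if image == "rundll32.exe" and dat:
        hits.append("rundll32_templates_dat")        # direct rundll32 path (URL1 flow)
    if image == "powershell.exe" and "rundll32" in cmd.lower() and dat:
        hits.append("powershell_rundll32_fallback")  # PowerShell + rundll32 (URL2 flow)
    if export and dat:
        hits.append(f"export:{export.group('export')}")  # the named export (RunDLL parameter)
    if parent in SCRIPT_HOSTS and image in ("rundll32.exe", "powershell.exe"):
        hits.append("script_host_parent")            # launched by the .JS dropper's host
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Return (index, hits) for every event matching at least one indicator."""
    return [(i, h) for i, e in enumerate(events) if (h := classify_event(e))]


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"], "->", ", ".join(hits))
```

Because the payload hash changes on every download, the stable parts of the chain (the drop path, the rundll32 export invocation, and the script-host parent) are the indicators worth alerting on; the `export:` hit is the one to pivot on once the export names of a given campaign are known.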
The function is then called twice, with four separate URLs:
The retrieved payloads are generated pseudo-randomly “on demand”, so every fetch yields a sample with a new hash. This is a common way to evade signature-based detection. In Bumblebee’s case, however, it appears somewhat ineffective compared to the previous flow (which did not write the payload directly to disk): the generated samples are fairly well detected even on “first seen”, most likely because the payload’s exports and several other indicators stay constant across the generated samples.
According to VirusTotal, the PindOS droppers themselves, on the other hand, have mostly received very low detection rates on “first seen”:
Bumblebee DLL Payload Analysis Highlights
The DLL payload is slightly different from the one previously encountered. Dynamically it is very similar, with a few additional layers of obfuscation. Its anti-debugging and anti-VM/sandbox features remain the same, but some “legitimate-looking” strings taken from the open-source FFmpeg project’s “error.c” file and a few other files from the same project have been added as a distraction:
Another point of differentiation is that previously Bumblebee DLLs had two main export functions, while the new one has four.
Further examination of the DLL brings us to the same main function as the previous variant.
Bumblebee’s latest “experiment” attempts to leverage pseudo-random sample generation as a means of reducing the risk of detection. Threat actors in the financial/banking malware landscape have used this technique for years, including IcedID, which “shares” the PindOS dropper.
Whether PindOS is permanently adopted by the actors behind Bumblebee and IcedID remains to be seen. If this “experiment” proves successful for each of these “companion” malware operators, it may become a permanent tool in their arsenal and gain popularity among other threat actors.
Bumblebee infection URLs
Bumblebee .JS dropper SHA256
Bumblebee DLL payload SHA256
IcedID infection URLs
IcedID .JS dropper SHA256
IcedID DLL payload SHA256
| Tactic | Technique | Description | Observed behavior |
|---|---|---|---|
| Defense Evasion | System Binary Proxy Execution: Rundll32 – T1218.011 | Adversaries may abuse rundll32.exe to proxy execution of malicious code. | Rundll32.exe usage |
| Defense Evasion | Obfuscated Files or Information – T1027 | Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. | Obfuscated JS, “randomly” generated payloads |