Some of the functions in the analyzed sample are similar to the ones described in the SentinelOne blog; the differences appear to be additional anti-debug checks and obfuscation.
The sample is from abuse.ch.
Overall, here are the general Bumblebee behaviours I was able to find:
- Anti-debug using the al-khaser library
- Decode C2 using RC4
- Gathering victim information
- Using a pipe to redirect input/output from CMD to the malware itself
- Connect to C2 using connect + WSASend + WSARecv (via Boost HTTP functions)
- Load a DLL into 3 selected processes using DLL process injection
- Re-execute itself via wscript
- Self delete via powershell
Before that, we need to go through the packer, which creates a new .text section, writes the real payload into it using NT functions, and then redirects execution into it.
Anti-debug
Various anti-analysis techniques are implemented, matching what is found in al-khaser.
A thread constantly checks for analysis-tool processes; this is also based on al-khaser.
Decoding RC4 bytes
The list of C2s and other important strings, such as the group ID, are decoded using RC4 with a hard-coded key.
Gathering victim information
Connect to c2
It sends an HTTPS request to the RC4-decrypted C2 using the connect and WSASend combo, and receives the next-stage payload from the C2 via WSARecv. Those WinAPIs are called from the Boost API and the implementation is similar to the code here. You can try to compile the sample code and compare it with the code in the malware itself 😉
The User-Agent string is generated by randomizing the index into an [A-z0-9] array with the ISAAC pseudo-RNG. The decompiled ISAAC pseudo-RNG implementation can be found in this gist.
After downloading the payload from the C2, it performs various tasks, where you can see some Task, Tasks, TaskData and TaskId (just my assumption) based on the response data. It is notable that most of the actions are executed via COM WMI, as you can see some CoCreateInstance calls with the following keywords in the screenshot below:
You can get more explanation of process spawning via COM WMI in my previous blog.
Redirect Pipe I/O for cmd.exe
It's quite interesting that they redirect the I/O for cmd.exe; probably they want to be more stealthy in this case, since it creates a cmd.exe without any parameters. Anyway, the executed cmd command will still show the full executed command, and it also has a parent-child relationship with its initiator. Btw, it would be great if this were combined with the parent spoofing technique 👹
Here is the code snippet of my simple implementation in C++.
DLL Process Injection
DLL process injection uses NtMapViewSection, NtCreateSection and NtQueryResumeThread, and there is a list of targeted processes to be injected into.
Self re-execute
It creates a .vbs file in %appdata% and then re-executes itself via COM WMI create process.
Self delete
It spawns a powershell to remove itself via COM WMI create process.
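The three behaviours above (cmd.exe driven over pipes with no arguments, re-execution through a .vbs in %appdata%, and self deletion via powershell) leave a recognisable trail in process-creation telemetry. The following is an added detection example, not code from the original post or from the malware: it classifies constructed Sysmon-like events. The event shape and the sample lines are assumptions; the one real fact relied on is that processes created through WMI's Win32_Process.Create get WmiPrvSE.exe as their parent.

```python
"""Added example: tag process-creation events matching Bumblebee's behaviours.
Event fields (image, cmdline, parent) and all sample values are constructed."""
import re

# Constructed sample events; a mix of suspicious and benign process creations.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe",
     "parent": r"C:\Users\u\AppData\Local\Temp\loader.exe"},
    {"image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\u\AppData\Roaming\run.vbs",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe Remove-Item -Force C:\Users\u\AppData\Local\Temp\loader.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe",
     "parent": r"C:\Windows\explorer.exe"},
]

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return the list of behaviour tags a single event matches (empty if benign)."""
    tags = []
    img, parent = _basename(ev["image"]), _basename(ev["parent"])
    cmd = ev["cmdline"].strip()
    args = cmd.split(None, 1)[1] if " " in cmd else ""
    # cmd.exe with no parameters from a non-shell parent: the commands are most
    # likely being fed over a pipe, as the post describes.
    if img == "cmd.exe" and args == "" and parent not in ("explorer.exe", "cmd.exe"):
        tags.append("cmd_no_args_piped")
    # wscript running a .vbs under %appdata%, spawned through WMI (self re-execution).
    if img == "wscript.exe" and parent == "wmiprvse.exe" and \
            re.search(r"\\appdata\\roaming\\[^ ]+\.vbs", cmd, re.I):
        tags.append("wscript_vbs_appdata_via_wmi")
    # powershell deleting a file, spawned through WMI (self delete).
    if img == "powershell.exe" and parent == "wmiprvse.exe" and \
            re.search(r"remove-item|\bdel\b|\berase\b", cmd, re.I):
        tags.append("powershell_delete_via_wmi")
    return tags

def scan(events):
    """Map event index -> tags for every event that matched at least one rule."""
    hits = {}
    for i, ev in enumerate(events):
        tags = classify(ev)
        if tags:
            hits[i] = tags
    return hits
```

Each rule alone is noisy on a real fleet; the value is in seeing two or three of them from the same parent chain within a short window.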
Extra:
It is good to note that the Bumblebee payload is delivered via an ISO file that contains 1 .lnk and 1 hidden .dll file. The .dll is executed by the .lnk through its target command. This is quite uncommon nowadays, since most threat actors still prefer using VBA macros for their payload delivery.
This might be due to Microsoft announcing in February this year that VBA macros from the internet would be blocked.