Today’s Cybersecurity Threat advisory discusses the update to the popular Bumblebee malware loader that increases its defense evasion capabilities. The loader is commonly distributed via “.lnk” (softlink/shortcut) files attached to an email or compressed in a .zip archive attached to an email. Once installed, the loader allows attackers to deploy their desired payload onto affected systems. CSB recommends blocking the domain webdav.4shared[.]com if not legitimately used by the organization and educate users on the latest phishing tactics.
What is the threat?
The Bumblebee loader does not perform any exploits or do any harm on its own, rather it acts as a loader or entry-point for other malware. Bumblebee establishes itself when a user opens an infected “.lnk” file which threat actors commonly distribute through phishing emails. The phishing emails pretend to be invoices, notifications, or scans with an attachment that contains “.lnk” file or a .zip archive containing the “.lnk” file.
New to the updated version of Bumblebee, is the use of Web Distributed Authoring and Versioning (WebDAV). WebDAV is an extension of HTTP that allows users to collaboratively create, access, and manage web server files. The purpose of WebDAV in the context of Bumblebee is that it allows the loader to install without being noticed by behavioral detection systems.
The “.lnk” files contain scripts that use WebDAV to connect to webdav.4shared[.]com using pre-configured credentials. 4Shared is a file hosting website users can upload the Bumblebee loader. The loader is then installed from 4shared onto the target computer.
In the previous versions of the Bumblebee malware, the loader used hardcoded C2 addresses. This current version uses a domain generation algorithm (DGA) to create a list of 100 domains on the “.life” top-level domain (TLD) to connect with a C2 server IP address.
Why is it noteworthy?
Using phishing email campaigns, threat actors can easily lure victims to open this loader and potentially upload ransomware and/or use it for data exfiltration. The updated loader has several variations in its tactics and techniques, optimized to avoid detection.
What is the exposure or risk?
As a malware loader, Bumblebee can be used to install any kind of malware, including ransomware. As such, the installation of a malware loader should be considered a critical security risk. Additionally, the installation of the loader may not cause immediate suspicion to the user, as no symptoms will be observed from the loader alone. This allows attackers to begin deploying their payload undetected.
What are the recommendations?
- If 4shared is not used within your organization, block the domain webdav.4shared.com
- Block the following C2 domains that have been observed to have been successfully contacted by the loader:3v1n35i5kwx[.]lifecmid1s1zeiu[.]lifeItszko2ot5u[.]lifenewdnq1xnl9[.]life
- Educate employees on the importance of phishing awareness and general security hygiene.