Link directory

Bumblebee attacks, from initial access to compromised Active Directory servicesSecurity Affairs

Hackers use the Bumblebee loader to compromise Active Directory services as part of post-exploitation activities.

The Cybereason Global Security Operations Center (GSOC) team analyzed a cyberattack involving the Bumblebee Loader and detailed how the attackers were able to compromise the entire network.

Most Bumblebee infections are started by users running LNK files that use a binary system to load the malware. The malware is distributed via phishing messages using a malicious attachment or a link to the malicious archive containing Bumblebee.

After the initial run, Bumblebee was used to perform post-exploitation activities, including privilege escalation, reconnaissance, and credential theft.

Threat actors conduct intensive reconnaissance activities and redirect the output of executed commands to files for exfiltration.

Bumblebee has been active since March 2022, when it was spotted by Google’s Threat Analysis Group (TAG). Experts have noticed that cybercriminal groups that previously used BazaLoader and IcedID in their malware campaigns have switched to Bumblebee loader.

“Cybereason GSOC has observed threat actors move from BazarLoader, Trickbot, and IcedID to Bumblebee, which appears to be in active development and generally the loader of choice for many threat actors.” reads the analysis published by Cybereason. “Bumblebee operators use the Cobalt Strike framework throughout the attack. Threat actors use the obtained credentials to gain access to Active Directory and make a copy of ntds.dit containing data for all Finally, a domain administrator account is used to move laterally, create local user accounts and exfiltrate data using Rclone software.

In the attack analyzed by Cybereason, threat actors used the stolen credentials of a highly privileged user to gain access to the Active Directory and compromise the target network.

“Bumblebee accesses remote Active Directory machines using the Windows Management Instrumentation (WMIC) command-line utility and creates a shadow copy using the vssadmin command. Additionally, the attacker steals the ntds file .dit from the domain controller. The ntds.dit file is a database that stores Active Directory data, including information about user objects, groups, and group membership. The file also stores word hashes password for all users in the domain continues the analysis.

Experts noted that the time from initial access to Active Directory compromise was less than two days.

GSOC experts warn that attacks involving Bumblebee should be treated as critical. The attack chain they analyzed allows threat actors to spread their ransomware into compromised networks.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(Security cases hacking, malware)