The ASEC analysis team has recently discovered the active distribution of Bumblebee, a downloader-type malware. It is distributed via phishing emails carrying an ISO file, and the ISO contains a shortcut (lnk) file and a malicious DLL file. There were also cases in which the malware was distributed to Korean users through email hijacking.
The image below shows phishing emails distributing Bumblebee. The attackers hijacked legitimate email threads and sent the malicious attachments to users as replies. Recipients may open the attachment believing it to be a normal reply in an existing conversation, so caution is advised. Other phishing emails are also being distributed using the same email hijacking method. Some phishing emails carry a malicious URL instead of an attachment to prompt users to download the file; in the observed cases, Google Drive was used for hosting.
The compressed file attached to the phishing email is password-protected, and the password is given in the email body. The archive is disguised as an invoice or a request and contains an ISO file.
When the ISO file is mounted, it appears as a virtual DVD drive containing an lnk file and a DLL file. The lnk file runs rundll32.exe to load a specific export of the malicious DLL. The DLL, which is the file that actually performs the malicious behaviors, has the hidden attribute set. On computers configured not to show hidden files, the user sees only the lnk file and is likely to run it without realizing that another file is present.
- lnk command
A recently discovered ISO file additionally contains a bat file that performs the same role as the previous lnk command. In this variant, the lnk file's command is changed to run the bat file, which in turn runs rundll32.exe with the DLL. As in the previous cases, both the DLL and the bat file are hidden, so users are likely to see only the lnk file.
- lnk command
%windir%\system32\cmd.exe /c start requestpdf.bat
- bat command
@start rundll32 da4nos.dll,ajwGwRKhLi
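As an added example (not ASEC's code and not part of the original analysis), the following Python triages process-creation events for the ISO > lnk > (bat) > rundll32 execution chain described above. It assumes Sysmon Event ID 1-style fields (image, command line, parent image, parent command line, working directory); the sample events, the vendor DLL path and the drive-letter and %SystemRoot% checks are constructed heuristics for illustration, not telemetry from the page.

```python
"""Triage process-creation events for the ISO -> lnk -> (bat) -> rundll32 chain.
Added example: field names and sample events are constructed, not from the article."""
import re
from dataclasses import dataclass
from typing import List


@dataclass
class ProcEvent:
    image: str                # full path of the new process
    command_line: str
    parent_image: str
    parent_command_line: str
    current_directory: str    # working directory of the new process


# rundll32 <dll>,<export>   (handles "rundll32.exe" and quoted DLL paths)
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>[#\w]+)',
    re.IGNORECASE)
# cmd.exe /c start <file>.bat   (the lnk command of the bat variant)
BAT_STAGER_RE = re.compile(r'cmd(?:\.exe)?"?\s+/c\s+start\s+"?[^"\s]+\.bat', re.IGNORECASE)
SYSTEM_ROOT = 'c:\\windows\\'   # assumption: Windows is installed on C:


def _basename(path: str) -> str:
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def triage(ev: ProcEvent) -> List[str]:
    """Return the reasons the event matches the chain (empty list if none)."""
    reasons: List[str] = []
    if _basename(ev.image) != 'rundll32.exe':
        return reasons
    m = RUNDLL_RE.search(ev.command_line)
    if not m:
        return reasons
    dll = m.group('dll')
    dll_l = dll.lower()
    if not re.match(r'^[a-z]:\\', dll_l):
        # Relative path: rundll32 resolves it against the working directory,
        # which for the lnk on the page is the mounted ISO volume itself.
        reasons.append(f'relative DLL path {dll!r} resolved against {ev.current_directory!r}')
    elif not dll_l.startswith(SYSTEM_ROOT):
        reasons.append(f'DLL outside %SystemRoot%: {dll}')
    cwd = ev.current_directory.lower().rstrip('\\') + '\\'
    if re.fullmatch(r'[d-z]:\\', cwd):
        # Heuristic: a mounted ISO gets its own drive letter and the lnk runs from its root.
        reasons.append(f'working directory is the root of volume {cwd.upper()}')
    if _basename(ev.parent_image) == 'cmd.exe' and BAT_STAGER_RE.search(ev.parent_command_line):
        reasons.append('parent is cmd.exe /c start <file>.bat (batch stager)')
    return reasons


def is_suspicious(ev: ProcEvent) -> bool:
    """Verdict: DLL loaded from outside the system directory AND a context signal
    (ISO-root working directory or batch stager)."""
    r = triage(ev)
    path_hit = any(s.startswith(('relative DLL', 'DLL outside')) for s in r)
    context_hit = any(s.startswith(('working directory', 'parent is cmd.exe')) for s in r)
    return path_hit and context_hit


# Constructed sample events (not real telemetry)
RUNDLL32 = 'C:\\Windows\\System32\\rundll32.exe'
SAMPLE_EVENTS = [
    # Variant 1: the lnk runs rundll32 directly from the mounted ISO (D:\)
    ProcEvent(RUNDLL32, 'rundll32 da4nos.dll,ajwGwRKhLi',
              'C:\\Windows\\explorer.exe', 'C:\\Windows\\explorer.exe', 'D:\\'),
    # Variant 2: lnk -> cmd /c start requestpdf.bat -> rundll32
    ProcEvent(RUNDLL32, 'rundll32 da4nos.dll,ajwGwRKhLi',
              'C:\\Windows\\System32\\cmd.exe',
              'C:\\Windows\\system32\\cmd.exe /c start requestpdf.bat', 'E:\\'),
    # Benign: a Control Panel applet launched through rundll32
    ProcEvent(RUNDLL32, 'rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL',
              'C:\\Windows\\explorer.exe', 'C:\\Windows\\explorer.exe', 'C:\\Users\\alice'),
    # Vendor DLL outside %SystemRoot% (hypothetical path) but no ISO/bat context
    ProcEvent(RUNDLL32, 'rundll32.exe "C:\\Program Files\\Vendor\\tool.dll",Run',
              'C:\\Program Files\\Vendor\\updater.exe', 'updater.exe',
              'C:\\Program Files\\Vendor'),
]

if __name__ == '__main__':
    for ev in SAMPLE_EVENTS:
        print(is_suspicious(ev), ev.command_line, triage(ev))
```

The key signal is the relative DLL path: because the lnk (or bat) runs rundll32 from the root of the mounted ISO, the loader name appears without a drive or directory, which is rare for legitimate rundll32 invocations. The drive-letter check is deliberately a secondary, tunable heuristic; on hosts where removable media is common it can be replaced with the volume type from the mount event.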
The malicious DLL executed through the lnk file is packed. After unpacking, the DLL runs multiple anti-sandbox and anti-analysis checks; the images below show some of them. The code checks whether malware-analysis programs are running, whether files associated with virtual machines exist, and whether the MAC address prefix matches that of certain manufacturers. It also checks registry values, window names, device names, the user name, the presence of certain APIs, and so on, to determine whether it is running in a virtual environment or under analysis.
Only after passing these checks does the file proceed to its malicious behavior. It first decodes an encoded data block to obtain the addresses of multiple C2 servers. It then collects information about the user's PC, connects to a C2, and sends the collected data.
- Decoded C2s
73.214.29[.]52:443, 78.112.52[.]91:443, 21.175.22[.]99:443, 107.90.225[.]1:443, 212.114.52[.]46:443, 101.88.16[.]100:443, 19.71.13[.]153:443, 108.16.90[.]159:443, 103.175.16[.]122:443, 121.15.221[.]97:443, 19.71.13[.]153:443, 22.175.0[.]90:443, 19.71.13[.]153:443, 146.19.253[.]49:443, 38.12.57[.]131:443, 191.26.101[.]13:443
The C2s could not be reached at the time of analysis. When a connection is possible, the attacker can instruct the file to perform behaviors such as: copying the malicious DLL into the %APPDATA% folder as "my_application_path" and creating a vbs file that runs the copied DLL (persistence), injecting malicious data into normal programs, and saving malicious data sent from the C2 as "wab.exe" and running it.
- Programs targeted for injection
\\Windows Photo Viewer\\ImagingDevices.exe
The distribution of Bumblebee has increased greatly recently, and there are cases where the downloader retrieves additional payloads such as Cobalt Strike. Since the malware is being distributed through hijacked email threads, users need to take caution: refrain from opening attachments or accessing URLs in emails, even when the email appears to be a reply to an existing conversation. AhnLab's anti-malware product, V3, detects and blocks the malware using the aliases below.
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.