Bumblebee Being Distributed in Korea Through Email Hijacking

The ASEC analysis team has recently discovered the active distribution of Bumblebee, a downloader type malware. It is distributed using phishing emails in ISO file, and this file contains a shortcut and malicious DLL file. There were also cases of malware being distributed to Korean users through email hijacking.

The image below shows phishing emails distributing Bumblebee. They hijacked normal emails and were sent to users as replies with malicious attachments. Users who receive the email may open the attachment thinking that it is a normal reply, therefore, caution is advised. Other phishing emails are also being distributed using the email hijacking method. Phishing emails may also include malicious URLs to prompt users to download files. This method uses Google Drive for the distribution.

Phishing email

Phishing email (2)

The compressed file attached to the phishing email is locked with a password that is included in the email. The attachment is disguised as an invoice or request, containing an ISO file.

Inside the compressed file

Inside the compressed file (2)

The ISO file creates lnk and DLL file in the DVD drive when it is run. The lnk file loads certain functions of the malicious DLL file created by rundll32.exe. The hidden DLL file is the file that actually performs malicious behaviors. Since users with computers that do not show hidden files only see the lnk file, it is likely that they will run it without realizing another file is hidden.

  • lnk command
    %windir%\system32\rundll32.exe neval.dll,jpHgEctOOP
Malicious files created upon running the ISO file

lnk properties

A recently discovered ISO file is added with a bat file. It performs the same features as the previous lnk file. In this case, the command for the lnk file is changed to run the bat file. Like previous cases, both DLL and bat files are hidden, meaning that users are likely to see only the lnk file.

  • lnk command
    %windir%\system32\cmd.exe /c start requestpdf.bat
  • bat command
    @start rundll32 da4nos.dll,ajwGwRKhLi
Recent case with the bat file added

lnk properties

The malicious DLL executed through the lnk file is packed. After the DLL is unpacked, it goes through multiple anti-sandbox and anti-analysis techniques. The images below show a part of the various processes. The code checks if programs used for analyzing malware are run, files used in the virtual environment exist, or the MAC address matches those of certain manufacturers. It also checks registry values, Windows screen name, device, user name, certain APIs, etc. to check if it is on a virtual environment or under analysis.

Checking processes

Checking files

Checking MAC address

The file performs malicious behaviors after going through the processes mentioned above. It first decodes the encoded data to obtain information about multiple C2s. Then it collects the user PC information to connect to C2 and send data.

  • Decoded C2s
    73.214.29[.]52:443, 78.112.52[.]91:443, 21.175.22[.]99:443, 107.90.225[.]1:443, 212.114.52[.]46:443, 101.88.16[.]100:443, 19.71.13[.]153:443, 108.16.90[.]159:443, 103.175.16[.]122:443, 121.15.221[.]97:443, 19.71.13[.]153:443, 22.175.0[.]90:443, 19.71.13[.]153:443, 146.19.253[.]49:443, 38.12.57[.]131:443, 191.26.101[.]13:443
Decoded C2s

While the C2s cannot be accessed currently, the attacker can let the file perform the following behaviors if the access is possible: copy malicious DLL as “my_application_path” in the %APPDATA% folder and creates a vbs file that runs the copied DLL, inject malicious data to normal programs, save malicious data sent from the C2 as “wab.exe” and run it, etc.

  • Programs targeted for injection
    \\Windows Photo Viewer\\ImagingDevices.exe
    \\Windows Mail\\wab.exe
    \\Windows Mail\\wabmig.exe

The distribution of Bumblebee has greatly increased recently. There are also cases of the downloader downloading malicious data such as Cobalt Strike. As the cases of email hijacking to distribute the malware were found, users need to take caution. It is advised that the users should refrain from opening attachments or accessing URLs within emails. AhnLab’s anti-malware product, V3, detects and blocks the malware using the aliases below.

[File Detection]
Dropper/Win.DropperX-gen.C5154946 (2022.06.02.02)
Trojan/Win.BumbleBee.R497004 (2022.06.11.01)
Dropper/ISO.Bumblebee (2022.06.13.02)
Trojan/BAT.Runner (2022.06.13.02)
Trojan/LNK.Runner (2022.06.13.02)

[IOC]
11999cdb140965db45055c0bbf32c6ec
b7936d2eed4af4758d2c5eac760baf1d
e50fff61c27e6144823dd872bf8f8762
2c9a4291387fd1472081c9c464a8a470
bfa053445bc5d2950aebaeb881aa8fb4

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

5 1 vote
Article Rating
guest
2 Comments
Inline Feedbacks
View all comments
trackback

[…] in the form of an ISO file, which contains a shortcut and a malicious DLL file. According to researchers Bumblebee was recently distributed to Korean users via email hijacking in certain […]