Bumblebee is a custom loader written in C++ that has been used by multiple threat actors, including possible initial access brokers, to download and execute additional payloads since at least March 2022. Bumblebee has been linked to ransomware operations including Conti, Quantum, and Mountlocker and derived its name from the appearance of "bumblebee" in the user-agent.
|Enterprise||T1548||.002||Abuse Elevation Control Mechanism: Bypass User Account Control||
Bumblebee has the ability to bypass UAC to deploy post exploitation tools with elevated privileges.
|Enterprise||T1560||Archive Collected Data||
Bumblebee can compress data stolen from the Registry and volume shadow copies prior to exfiltration.
|Enterprise||T1059||.001||Command and Scripting Interpreter: PowerShell|
|.003||Command and Scripting Interpreter: Windows Command Shell|
|.005||Command and Scripting Interpreter: Visual Basic||
Bumblebee can create a Visual Basic script to enable persistence.
|Enterprise||T1132||.001||Data Encoding: Standard Encoding||
Bumblebee has the ability to base64 encode C2 server responses.
|Enterprise||T1005||Data from Local System||
Bumblebee can capture and compress stolen credentials from the Registry and volume shadow copies.
|Enterprise||T1140||Deobfuscate/Decode Files or Information||
Bumblebee can deobfuscate C2 server responses and unpack its code on targeted hosts.
|Enterprise||T1573||.001||Encrypted Channel: Symmetric Cryptography|
|Enterprise||T1041||Exfiltration Over C2 Channel|
Bumblebee can use backup C2 servers if the primary server fails.
|Enterprise||T1070||.004||Indicator Removal: File Deletion||
Bumblebee can uninstall its loader through the use of a
|Enterprise||T1105||Ingress Tool Transfer||
Bumblebee can download and execute additional payloads including through the use of a
|Enterprise||T1559||.001||Inter-Process Communication: Component Object Model||
Bumblebee can use a COM object to execute queries to gather system information.
|Enterprise||T1036||.005||Masquerading: Match Legitimate Name or Location||
Bumblebee has named component DLLs "RapportGP.dll" to match those used by the security company Trusteer.
|Enterprise||T1027||Obfuscated Files or Information||
Bumblebee has been delivered as password-protected zipped ISO files and used control-flow-flattening to obfuscate the flow of functions.
|Enterprise||T1566||.001||Phishing: Spearphishing Attachment||
Bumblebee has gained execution through luring users into opening malicious attachments.
|.002||Phishing: Spearphishing Link||
Bumblebee has been spread through e-mail campaigns with malicious links.
Bumblebee can identify processes associated with analytical tools.
Bumblebee can inject code into multiple processes on infected endpoints.
|.001||Dynamic-link Library Injection||
The Bumblebee loader can support the
|.004||Asynchronous Procedure Call||
Bumblebee can use asynchronous procedure call (APC) injection to execute commands received from C2.
|Enterprise||T1053||.005||Scheduled Task/Job: Scheduled Task||
Bumblebee can achieve persistence by copying its DLL to a subdirectory of %APPDATA% and creating a Visual Basic Script that will load the DLL via a scheduled task.
Bumblebee can use
|Enterprise||T1518||.001||Software Discovery: Security Software Discovery||
Bumblebee can identify specific analytical tools based on running processes.
|Enterprise||T1218||.008||System Binary Proxy Execution: Odbcconf||
Bumblebee can use
|.011||System Binary Proxy Execution: Rundll32||
Bumblebee has used
|Enterprise||T1082||System Information Discovery||
Bumblebee can enumerate the OS version and domain on a targeted system.
|Enterprise||T1033||System Owner/User Discovery|
|Enterprise||T1204||.001||User Execution: Malicious Link||
Bumblebee has relied upon a user downloading a file from a OneDrive link for execution.
|.002||User Execution: Malicious File||
Bumblebee has relied upon a user opening an ISO file to enable execution of malicious shortcut files and DLLs.
Bumblebee has the ability to perform anti-virtualization checks.
Bumblebee has the ability to search for designated file paths and Registry keys that indicate a virtualized environment from multiple products.
|.003||Time Based Evasion||
Bumblebee has the ability to set a hardcoded and randomized sleep interval.
Bumblebee has been downloaded to victim's machines from OneDrive.
|Enterprise||T1047||Windows Management Instrumentation||
Bumblebee can use WMI to gather system information and to spawn processes for code injection.