Episode 16: May 02 2022

New Malware Loader ‘Bumblebee’ in the Wild, Hackers Exploit Critical Vulnerability in VMware to Install Malware, Chinese Hackers Caught Exploiting Popular Antivirus Products to Target Telecom Sector, Emotet is back with some new tricks

Bullet points of key topics + chapter markers
[00:29] New Malware Loader ‘Bumblebee’ in the Wild
[07:31] Hackers Exploit Critical Vulnerability in VMware to Install Malware
[11:32] Chinese Hackers Caught Exploiting Popular Antivirus Products to Target Telecom Sector
[15:56] Emotet is back with some new tricks

New Malware Loader ‘Bumblebee’ in the Wild

  • Cybercriminal actors previously observed delivering BazaLoader and IcedID
    • have transitioned to a new loader called Bumblebee
      • under active development.
    • if not a direct replacement for BazaLoader, then a new, multifunctional tool used by actors that historically favored other malware
  • Campaigns distributing the new highly sophisticated loader are said to have commenced in March 2022
    • possibility that the loader could act as a precursor for ransomware attacks
  • Features
    • anti-virtualization checks
    • It is written in C++
    • is engineered to act as a downloader
      • retrieves and executes next-stage payloads
        • Cobalt Strike
        • Sliver
        • Meterpreter
        • shellcode.
  • increased detection of the malware loader in the threat landscape
    • corresponds to a drop in BazaLoader deployments since February 2022
    • BazaLoader: another popular loader used for delivering file-encrypting malware
      • developed by the now-defunct TrickBot gang
        • which has since been absorbed into Conti.
  • First Attack Wave
    • Have taken the form of DocuSign-branded email phishing
      • fraudulent links
      • HTML attachments
      • leading potential victims to a compressed ISO file hosted on Microsoft OneDrive.
      • embedded URL in the HTML attachment
        • use a traffic direction system (TDS) dubbed Prometheus
          • which is available for sale on underground platforms for $250 a month
          • redirect the URLs to the archive files based on the time zone and cookies of the victims.
    • The ZIP files
      • include .LNK and .DAT files
        • the Windows shortcut file (.LNK) executes the Bumblebee downloader
        • which is then used to deliver BazaLoader and IcedID malware.

  • Second campaign in April 2022
    • thread-hijacking scheme
      • legitimate invoice-themed emails were taken over to send zipped ISO files
        • which were then used to execute a DLL file to activate the loader
    • abuse of the contact form present on the target’s website
      • claiming copyright violations of images
        • pointing the victim to a Google Cloud Storage link
          • leading to the download of a compressed ISO file
          • continuing the infection sequence.
  • BazaLoader to Bumblebee
    • likely initial access brokers who infiltrate targets
      • then sell that access to others
    • development coincides with Conti taking over the infamous TrickBot botnet
      • shutting it down to focus on the development of BazaLoader and Anchor malware.
    • Not clear if Bumblebee is the work of TrickBot actors
      • maybe leaks prompted the gang to abandon BazaLoader
      • includes TrickBot’s web-inject module
        • uses the same evasion technique
        • possibly suggesting that the actors behind Bumblebee have access to TrickBot’s source code.
  • Sherrod DeGrippo
    • vice president of threat research and detection at Proofpoint
    • “The introduction of the Bumblebee loader to the crimeware threat landscape and its apparent replacement for BazaLoader demonstrates the flexibility threat actors have to quickly shift TTPs and adopt new malware,”
      • TTP: tactics, techniques, and procedures

Hackers Exploit Critical Vulnerability in VMware to Install Malware

  • researchers at Morphisec recently discovered that a critical RCE vulnerability in VMware Workspace ONE Access
    • is being actively exploited by advanced hackers
  • this critical flaw has been tracked as CVE-2022-22954
    • wild exploits of CVE-2022-22954 confirmed by VMware
    • used with two other known RCEs
    • CVE-2022-22957 and CVE-2022-22958
      • were addressed in a security update 20 days ago.
      • two RCEs also affect the following VMware products:
        • VMware Identity Manager (vIDM)
        • VMware vRealize Automation (vRA)
        • VMware Cloud Foundation
        • vRealize Suite Lifecycle Manager
      • several proof-of-concept (PoC) exploits became publicly available shortly after the flaws were disclosed.
  • Attack Chain
    • attackers exploit CVE-2022-22954
      • to gain initial access to the network environment
        • the flaw does not require administrative access to the target server, and a public demonstration exploit exists as well.
    • the attack begins by launching a stager with a PowerShell command on the vulnerable service (Identity Manager).
    • a highly obfuscated PowerTrash loader is then downloaded from the C2 server
      • which loads the Core Impact agent into memory.
  • Morphisec managed to retrieve the following:
    • Stager server’s C2 address
    • The Core Impact client version
    • The 256-bit encryption key used for C2 communication
  • One of the companies listed in the database is allegedly an internet hosting company that supports illegal websites used as bait in spam and phishing campaigns.


Disclaimer: I am not personally an investigator; neither Ivan Neculiti nor Stark Industries has been found guilty of any crimes, and this information comes from “Severe VMware RCE Vulnerability Exploited by Hackers For Installing Backdoors

Chinese Hackers Caught Exploiting Popular Antivirus Products to Target Telecom Sector

  • A Chinese-aligned cyberespionage group
    • has been observed striking the telecommunication sector in Central Asia
      • using versions of malware such as ShadowPad and PlugX
  • PlugX and ShadowPad
    • well-established history of use among Chinese-speaking threat actors, primarily for espionage activity
    • ShadowPad, labeled a “masterpiece of privately sold malware in Chinese espionage,” emerged as a successor to PlugX in 2015
  • SentinelOne
    • attributes the activity to “Moshen Dragon”
    • notes tactical overlaps between the collective and another threat group referred to as Nomad Panda (aka RedFoxtrot).
  • Secureworks
    • attributed distinct ShadowPad activity to Chinese nation-state groups
      • that operate in alignment with the
        • Chinese Ministry of State Security (MSS) civilian intelligence agency
        • the People’s Liberation Army (PLA).
  • Moshen Dragon’s TTPs
    • involve the abuse of legitimate antivirus software
      • BitDefender, Kaspersky, McAfee, Symantec, Trend Micro
        • to sideload ShadowPad and Talisman on compromised systems
        • via a technique called DLL search order hijacking.
        • the hijacked DLL is used to decrypt and load the final ShadowPad or PlugX payload
          • which resides in the same folder as the antivirus executable.
        • persistence is achieved by creating either a scheduled task or a service.
  • DLL Search Order Hijacking
    • Windows looks for a DLL that a program needs in a fixed sequence of directories (the DLL search order)
    • attackers take advantage of that order, and of programs that specify DLLs ambiguously (by file name rather than full path), to gain privilege escalation and persistence.
  • once attackers have established a foothold
    • they proceed with lateral movement by leveraging Impacket within the network
    • placing a passive backdoor into the victim environment
    • harvesting as many credentials as possible
      • ensures unlimited access
    • finally focusing on data exfiltration
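As an added illustration (not code from the show notes or from SentinelOne's report), the following models the DLL search order the bullets above describe and flags DLLs in a product folder that shadow same-named system DLLs; the file system, the ExampleAV folder and the name helperlib.dll are constructed.

```python
"""Model of the Windows DLL search order described in the notes above, plus a
check for DLLs in an application folder that shadow same-named system DLLs.
Added illustration with a constructed file system, not code from the page."""

WINDIR = r"C:\Windows"

def _split(path):
    """Split a backslash path into (lowercased directory, lowercased file name)."""
    directory, _, name = path.rpartition("\\")
    return directory.lower(), name.lower()

def search_order(app_dir, cwd, path_dirs, windir=WINDIR):
    """Simplified safe-DLL-search-mode order: the application's own directory is
    consulted first, then the system directories, the current directory and PATH."""
    return [app_dir, windir + r"\System32", windir + r"\System", windir, cwd, *path_dirs]

def resolve_dll(name, fs, app_dir, cwd, path_dirs=()):
    """Return the path a loader would pick for a DLL requested by bare name (the
    'ambiguous' case), or None. `fs` is a set of existing file paths."""
    present = {_split(p) for p in fs}
    for directory in search_order(app_dir, cwd, list(path_dirs)):
        if (directory.lower(), name.lower()) in present:
            return directory + "\\" + name
    return None

def shadowed_dlls(fs, app_dir, windir=WINDIR):
    """Detection: DLLs inside app_dir whose file name also exists in a system
    directory. A product folder rarely needs its own copy of a system DLL; when
    one is present it wins the search order and deserves inspection."""
    system_dirs = {(windir + r"\System32").lower(), (windir + r"\System").lower(), windir.lower()}
    system_names = {n for d, n in map(_split, fs) if d in system_dirs and n.endswith(".dll")}
    app = app_dir.lower()
    return sorted(n for d, n in map(_split, fs) if d == app and n in system_names)

# Constructed file system: a vendor folder holding a planted DLL with the same
# (made-up) name as a system DLL, and an opaque .dat next to the executable.
FS = {
    r"C:\Program Files\ExampleAV\scanner.exe",
    r"C:\Program Files\ExampleAV\helperlib.dll",  # planted copy (constructed name)
    r"C:\Program Files\ExampleAV\payload.dat",
    r"C:\Windows\System32\helperlib.dll",         # genuine copy (constructed name)
    r"C:\Windows\System32\kernel32.dll",
}
APP = r"C:\Program Files\ExampleAV"

if __name__ == "__main__":
    print(resolve_dll("helperlib.dll", FS, APP, cwd=r"C:\Users\demo"))  # planted copy wins
    print(shadowed_dlls(FS, APP))
```

Running `shadowed_dlls` over real product folders will also surface legitimate vendor redistributions, so treat a hit as a lead to verify (signature, hash, install date), not as a verdict.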

Emotet is back with some new tricks

  • Emotet malware attacks are back after a 10-month break
    • the new approach includes more targeted phishing attacks
      • in contrast to the previous spray-and-pray campaigns
  • Proofpoint
    • attributed to the threat actor known as TA542
    • Used Emotet since 2014 with great success
    • New tactic to address Microsoft protections
      • Mostly around the disablement of macros
  • being leveraged in its most recent campaign to deliver ransomware
  • January 2021
    • authorities in Canada, France, Germany, Lithuania, the Netherlands, Ukraine, the United Kingdom and the United States worked together to take down a network of hundreds of botnet servers supporting Emotet
      • “Operation LadyBird.”
  • Not the first activity since the 10-month gap, but the earlier efforts were low-key and likely an attempt to test new tactics without drawing attention.
  • Now it appears TA542 has ramped up attacks to typical high-volume threat campaigns.
    • The threat actor has since resumed its typical activity
  • New Campaign
    • between April 4, 2022 and April 19, 2022
    • use compromised email accounts to send out spam-phishing emails
      • with a one-word subject line
      • something like "salary"
    • the message body contains a OneDrive URL
    • the URL hosts ZIP files containing a Microsoft Excel Add-in (XLL)
      • the XLL file uses a name similar to the email subject line.
    • if these XLL files are opened and executed
      • Emotet will infect the machine with malware.
    • it can steal information or create a backdoor for deploying other malware to compromise the Windows system.
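Added illustration, not from the show notes or from Proofpoint's reporting: a triage routine for zipped mail attachments that covers both lure shapes described on this page, the Bumblebee ZIP with a .LNK beside a .DAT and the Emotet ZIP holding an XLL named after the subject line. The archives, file names and subject are constructed; the "payloads" are only magic bytes plus padding.

```python
"""Triage of a zipped mail attachment for the lure shapes in these notes: a .LNK
beside a .DAT (Bumblebee) and an Excel add-in .XLL that is really a PE (Emotet).
Added illustration with constructed archives, not code from the page."""
import io
import os
import zipfile

RISKY = {".lnk", ".dat", ".xll", ".iso", ".dll", ".exe"}
PE_LIKE = {".xll", ".dat", ".dll", ".exe"}

def triage_zip(data, subject=""):
    """Return findings (short strings) for an in-memory ZIP attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        exts = {n: os.path.splitext(n.lower())[1] for n in names}
        for n in names:
            if exts[n] in RISKY:
                findings.append(f"risky extension {exts[n]}: {n}")
            # An XLL is a DLL; a .dat that starts with 'MZ' is an executable in disguise.
            if exts[n] in PE_LIKE and zf.read(n)[:2] == b"MZ":
                findings.append(f"PE executable content: {n}")
        if ".lnk" in exts.values() and ".dat" in exts.values():
            findings.append("shortcut plus .dat pairing (LNK launches sibling payload)")
        stem = subject.strip().lower()
        for n in names:
            if stem and os.path.splitext(os.path.basename(n.lower()))[0] == stem:
                findings.append(f"file name matches mail subject '{subject}': {n}")
    return findings

def build_zip(entries):
    """Build an in-memory ZIP from {name: bytes}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples: the 'payloads' are only an MZ magic / LNK header size plus padding.
EMOTET_STYLE = build_zip({"salary.xll": b"MZ" + b"\0" * 62})
BUMBLEBEE_STYLE = build_zip({"invoice.lnk": b"L\0\0\0" + b"\0" * 72,
                             "invoice.dat": b"MZ" + b"\0" * 62})

if __name__ == "__main__":
    for line in triage_zip(EMOTET_STYLE, subject="salary") + triage_zip(BUMBLEBEE_STYLE):
        print(line)
```

Legitimate Excel add-ins are also XLL files, so a finding here marks an attachment for detonation or analyst review rather than proving it malicious.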