Cyber Security Threat Summary:
“The malware loader 'Bumblebee' has broken its two-month vacation with a new campaign that employs new distribution techniques that abuse 4shared WebDAV services. WebDAV (Web Distributed Authoring and Versioning) is an extension of the HTTP protocol that enables clients to perform remote authoring operations such as creating, accessing, updating, and deleting web server content. Intel471's researchers report that Bumblebee's latest campaign, which started on September 7, 2023, abuses the 4shared WebDAV services to distribute the loader, accommodate the attack chain, and perform several post-infection actions. The abuse of the 4shared platform, a legitimate and well-known file-hosting services provider, helps Bumblebee operators evade blocklists and enjoy high infrastructure availability. At the same time, the WebDAV protocol gives them multiple ways to bypass behavioral detection systems and the added advantage of streamlined distribution, easy payload switching, etc” (Bleeping Computer, 2023).
In the latest campaign, threat actors are using malspam emails disguised as scans, notifications, invoices, or numbered documents to lure victims into downloading attachments. Most of these attachments are LNK files, or ZIP archives that contain the shortcut files. Upon execution, the LNK file launches the Windows command processor, which then runs a preconfigured set of commands designed to deploy Bumblebee on the targeted system.
“Opening the LNK file launches a series of commands on the victim's machine, starting with one to mount a WebDAV folder on a network drive using hardcoded credentials for a 4shared storage account. Here, too, Intel471 spotted several variations of the command set, from mounting the file copies, extracting, and executing the files from the mounted drive, which is another indication of trial for optimization. Intel471 reports seeing the threat actors experimenting with different methods for mounting file copies, extracting, and executing files from the mounted drive, indicating they are trying to optimize the attack chain” (Bleeping Computer, 2023).
Security Officer Comments:
The use of WebDAV is not a novel technique, as the service has been used in the past to distribute IcedID malware to targeted systems. According to the Intel471 researchers who uncovered the latest campaign, the operators of Bumblebee have updated the malware in ways that make it harder for security professionals to disrupt operations. When comparing the latest strain to previous samples, the researchers note that the loader now uses a custom TCP-based protocol for C2 communication instead of the WebSocket protocol. Furthermore, rather than using hardcoded C2 addresses, the latest variant of Bumblebee uses a Domain Generation Algorithm (DGA) to create new C2 domains.
“Using a 64-bit static seed value, the DGA generated 100 new domains with a ".life" top-level domain (TLD). When the payload is executed, Bumblebee will iterate until it resolves a DGA domain to an IP address and successfully checks in. The use of DGA adds another layer of complexity, reducing dependency on hard-coded C2 servers and thereby making it more challenging to disrupt the malware’s operations,” state researchers at Intel471.
The command line execution provides several threat hunting opportunities:
- Any command line event logs containing “webdav.4shared[dot]com” are likely suspicious, unless this site is used by system administrators in your organization.
- Look for “replace[.]exe” in conjunction with “webdav.4shared[dot]com” in Windows command line event logs.
- Search for emails with attachments that match the following regular expressions (regex):
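The first two command-line hunts above, as an added example that is not part of the original advisory: it refangs the defanged indicators exactly as the advisory gives them, runs them over constructed 4688/Sysmon-style command-line events, and grades findings (host alone is medium, host plus replace.exe is high, approved accounts are informational). The event field names, the allowlisted account and the sample events are assumptions made for the example.

```python
import re

# Indicators exactly as the advisory gives them (defanged); refanged before matching logs.
DEFANGED_INDICATORS = {"webdav_host": "webdav.4shared[dot]com",
                       "replace_exe": "replace[.]exe"}

# Accounts for which 4shared WebDAV use is sanctioned (constructed allowlist; adjust locally).
APPROVED_USERS = {"backup-svc"}

def refang(indicator: str) -> str:
    """Turn '[dot]' / '[.]' defanging back into a literal dot, e.g. 'a[dot]b' -> 'a.b'."""
    return re.sub(r"\[(?:dot|\.)\]", ".", indicator, flags=re.IGNORECASE)

# Literal, case-insensitive patterns for each refanged indicator.
PATTERNS = {name: re.compile(re.escape(refang(value)), re.IGNORECASE)
            for name, value in DEFANGED_INDICATORS.items()}

def triage_event(event: dict):
    """Apply both command-line hunts to one event; return a finding dict or None."""
    cmd = event.get("cmd", "")
    if not PATTERNS["webdav_host"].search(cmd):
        return None
    replace_hit = PATTERNS["replace_exe"].search(cmd) is not None
    # Severity per the guidance: host + replace.exe is high; host alone is medium
    # unless the account is approved for 4shared use, in which case it is info.
    if replace_hit:
        severity = "high"
    elif event.get("user") in APPROVED_USERS:
        severity = "info"
    else:
        severity = "medium"
    return {"host": event.get("host"), "user": event.get("user"),
            "severity": severity, "replace_exe": replace_hit}

def hunt(events) -> list:
    """Run triage_event over a batch of events and keep only the findings."""
    return [f for f in map(triage_event, events) if f is not None]

# Constructed sample command-line events (Security 4688 / Sysmon EID 1 style), not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "jdoe",
     "cmd": "cmd.exe /c net use Z: https://WebDAV.4shared.com/ /persistent:no"},
    {"host": "ws02", "user": "asmith",
     "cmd": "cmd.exe /c net use Z: https://webdav.4shared.com/ & replace.exe Z:\\scan.dat C:\\Temp"},
    {"host": "srv01", "user": "backup-svc",
     "cmd": "net use W: https://webdav.4shared.com/ /persistent:yes"},
    {"host": "ws03", "user": "jdoe", "cmd": "cmd.exe /c ipconfig /all"},
]
```

Calling hunt(SAMPLE_EVENTS) yields three findings (medium, high, info) and drops the unrelated ipconfig event; feed it your exported command-line events in the same shape to run the hunt for real.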