Conti, Quantum and MountLocker have all been observed using the new loader to deliver ransomware onto victim systems.
A recently identified malware loader called Bumblebee has been linked to several prominent ransomware groups and is becoming a key component of many cyber attacks.
New discovery
The Symantec Threat Hunter team, part of Broadcom Software, found that the tool has links to threat groups including Conti, Quantum and MountLocker, according to the team’s blog post.
According to Symantec’s Threat Hunter team, Bumblebee may have replaced older loaders such as TrickBot and BazarLoader, because recent Bumblebee activity overlaps with older attacks associated with those loaders.
“[Bumblebee] appears to have replaced a number of old loaders, suggesting that it is the work of established actors and that the conversion to Bumblebee was pre-planned,” the team wrote in its blog post.
How the Bumblebee Loader Became a Threat
A specific attack that ended in Quantum ransomware shows how the Bumblebee loader is used in practice. The initial infection came through a spear-phishing email with an ISO file attached. The ISO contained the Bumblebee DLL and an LNK file; opening the LNK loaded the DLL using rundll32.exe.
The loader then communicated with a command-and-control server and created a copy of itself with a random name in the %APPDATA% folder. A VBS file was also created in the same location, and the loader registered a scheduled task to run the VBS file every 15 minutes. After a few hours, the loader dropped a Cobalt Strike payload. Two further actions followed: a Metasploit DLL was injected into a legitimate Windows process, and the AdFind tool was used to collect information about domain users, groups and systems.
Once this reconnaissance was complete, Bumblebee dropped the Quantum ransomware, which encrypted files on the target system. On the system, Quantum also queried user information using Windows Management Instrumentation. The ransomware payload terminates processes associated with malware detection.
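The chain above (LNK in a mounted ISO launching rundll32.exe on a DLL, a scheduled task running a VBS from %APPDATA% every 15 minutes, AdFind and WMI enumeration) maps directly onto process-creation telemetry. The following is an added example, not code from the article or from Symantec: a small set of detection rules run over constructed Sysmon-style process events. The event field names, file paths, user name, DLL export name and task name are all placeholders chosen for illustration.

```python
"""Detection rules for the Bumblebee loader chain over process-creation events.

The events below are constructed for this example (they are not captured logs);
field names follow a Sysmon Event ID 1 layout, which is an assumption.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # image path of the parent process
    image: str    # image path of the created process
    cmdline: str  # full command line of the created process


# Constructed sample events. Drive E: stands in for the mounted ISO; the DLL
# export "Start", the task name "Updater" and the VBS name are placeholders.
SAMPLE_EVENTS = [
    # LNK inside the mounted ISO launches rundll32.exe on the loader DLL
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe E:\invoice.dll,Start"),
    # loader registers a task that runs a VBS from %APPDATA% every 15 minutes
    ProcEvent(r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /sc minute /mo 15 /tn "Updater" '
              r'/tr "wscript.exe C:\Users\alice\AppData\Roaming\kzqv.vbs" /f'),
    # AdFind enumeration of domain users
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Users\alice\AppData\Local\Temp\adfind.exe",
              r'adfind.exe -f "(objectcategory=person)"'),
    # WMI query for local user accounts
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wbem\wmic.exe",
              r"wmic useraccount get name,sid"),
    # benign: a DLL loaded from System32 on the system drive
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    # benign: a daily task that is neither VBS nor under AppData
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /sc daily /tn "Backup" /tr "C:\Tools\backup.exe" /f'),
]

# rundll32 given a DLL on a drive other than C:. A mounted ISO (or removable
# media) gets its own drive letter, so this catches the ISO -> LNK -> DLL step.
# Tune the excluded drives for environments that install software elsewhere.
RUNDLL32_NON_SYSTEM_DRIVE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?![cC]:)[a-zA-Z]:\\[^",]+\.dll', re.IGNORECASE)


def _is_vbs_appdata_task(cmd: str) -> bool:
    """schtasks /create with a 15-minute trigger pointing at a .vbs under AppData."""
    c = cmd.lower()
    if "schtasks" not in c or "/create" not in c:
        return False
    every_15_min = re.search(r"/sc\s+minute\s+/mo\s+15\b", c) is not None
    vbs_in_appdata = re.search(r'appdata\\[^"]*\.vbs', c) is not None
    return every_15_min and vbs_in_appdata


def _basename(path: str) -> str:
    # ntpath handles Windows separators regardless of the host platform
    return ntpath.basename(path).lower()


RULES = [
    ("rundll32_dll_from_non_system_drive",
     lambda e: RUNDLL32_NON_SYSTEM_DRIVE.search(e.cmdline) is not None),
    ("scheduled_vbs_in_appdata_every_15min",
     lambda e: _is_vbs_appdata_task(e.cmdline)),
    ("adfind_execution",
     lambda e: _basename(e.image) == "adfind.exe"),
    ("wmic_user_enumeration",
     lambda e: _basename(e.image) == "wmic.exe" and "useraccount" in e.cmdline.lower()),
]


def detect(events):
    """Return [(rule_name, cmdline)] for every event that trips a rule."""
    hits = []
    for event in events:
        for name, predicate in RULES:
            if predicate(event):
                hits.append((name, event.cmdline))
    return hits


if __name__ == "__main__":
    for rule, cmd in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {cmd}")
```

Each rule on its own is noisy (software on a D: drive, legitimate scheduled scripts), so in practice these are correlated by host and time window: rundll32 from a non-system drive followed within minutes by a task creation from that same rundll32.exe is the combination that matches the chain described above.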
Bumblebee’s connection to previous attacks
Because of the tools used alongside Bumblebee, the Threat Hunter team believes there is a connection between the new loader and those previously used by cybercriminal groups. One link is the use of AdFind, a publicly available Active Directory query tool that other adversaries have used in the past. Another is the use of an ISO file as the initial infection vector, which was also the entry point for victims of earlier attacks dating back to June 2021 that were attributed to the Ryuk and Conti groups.
A further link is a batch script known as adf.bat, which drives AdFind. The script has been tied to attacks dating back to November 2021 that also used AdFind; in those attacks the loader was BazarLoader.
Many of the attacks investigated by the Threat Hunter team also involved legitimate software tools, including remote desktop tools, which were used to deploy ransomware and to exfiltrate data. Symantec’s team recommends that users and enterprises be on the lookout for this new malware loader and its capabilities.