Carding
Professional
This time, the wrong cyber bees targeted WebDAV files.
After a two-month break, the Bumblebee malicious downloader resumed its activity. Researchers from the Intel471 organization found that the campaign was abusing WebDAV services on the 4shared hosting platform. This platform was mentioned in a 2016 US government report as a service for hosting copyright-infringing content. Using 4shared not only ensures the reliability of the infrastructure for Bumblebee operators, but also avoids blockages.
Integration with the WebDAV protocol, which extends the standard HTTP capabilities, provides attackers with several ways to bypass behavioral analysis systems. It also makes it easier to spread malware and change the type of attack after the initial infection.
In this campaign, Bumblebee operators actively use fraudulent emails. To lure victims, they disguise these messages as scans, invoices, and notifications. Most email attachments are represented by files with the LNK extension, although sometimes there are ZIP archives with the same files. Attackers are probably experimenting to work out the most efficient way to deliver malicious code.
Opening the LNK file activates a sequence of commands on the victim's computer. The attack process begins by attaching a WebDAV folder to a network drive. This is done using pre-embedded credentials to access the cloud storage on 4shared. This is followed by steps to download, extract, and execute malicious elements.
The updated loader runs on the TCP protocol (apparently, its creators decided to abandon the former WebSocket). In addition, Bumblebee now uses an algorithm that automatically creates about 100 Internet domains in the ".life" zone. A static 64-bit "seed", the value used to generate the network addresses, makes this possible. The changes also complicate the task of blocking and disabling the program's infrastructure.
Bumblebee used to be associated with the spread of ransomware such as Conti and Akira. Its return with improved methods of distribution and circumvention of protective measures is a serious threat. With new features like the domain generation algorithm and the TCP protocol for communicating with management servers, the loader becomes even more unpredictable and resistant to blocking.