Phishing Analysis

Phishing Analysis

Phishing Analysis

A new phishing campaign by TA578 is uncovered that utilizes thread hijacked emails to deploy the BumbleBee malware which is followed by Cobalt Strike. Earlier, the TA578 threat actor used to deploy Urnsif, IcedID, KPOT Stealer, Buer Loader, and BazaLoader malware. The BumbleBee malware supports commands as listed below.

  • Shellcode injection
  • DLL injection in the memory of other processes
  • Download executable
  • Uninstall loader
  • Enable persistence via a scheduled task for a Visual Basic Script that loads Bumblebee

These features were not present in the earlier malware.

The email sample is part of an email thread that is hijacked by the attacker to bait the user to open the hyperlink.

hxxps[:]//storage[.]googleapis[.]com/urh21265vg2o9x[.]appspot[.]com/g/b/file/d/fZ xgV38APHDew[.]html

EML file MD5: 9f0c4ed7308226d143e214ad43a29711

Upon opening the link, an ISO file is downloaded from Google Drive which is a Bumblebee payload.

Payload Hash: a0fca5d81252df8623f431b461b0da30

The domain 2brightlights[.]com has been used in other campaigns. This domain was used in one of the Bazarloader campaigns in 2020.

The ISO file is embedded with .lnk file and .DLL file

DLL file Hash: bb2f698d6b1aebba2c1d16ef665d3463

When the iso executed the .lnk file, it contains the command: %windir%\system32\rundll32.exe tamirlan.dllEdHVntqdWt, to run the .DLL file

This malware is capable of deploying the ransomware to encrypt the system and exfiltrate the data to the C2 server. Further, it can drop Cobalt Strike, Shellcode, Silver, and other red team tools.

Conclusion:

Phishing emails are the primary vector for attackers to get initial access to organizations leading to the deployment of ransomware and other post-exploitation tools to exfiltrate critical data for financial gains. The infamous Conti gang has recently changed their delivery payload malware from BazzarLoader to BumbleBee, signaling continuous innovation and the move to more sophisticated and evasive malware.

MITRE ATT&CK Tactics and Techniques

Sr No. Tactic Technique
1 TA0001: Initial Access T1566 :Phishing
2 TA0002: Execution T1059.007: Command and Scripting Interpreter: JavaScript
3 TA0003: Persistence T1547.001: Registry Run Keys / Startup Folder
4 TA0005: Defense Evasion T1027: Obfuscated Files or Information
    T1497.003: Virtualization/Sandbox Evasion:
Time Based Evasion
5 TA0007: Discovery T1012: Query Registry
T1057: Process Discovery
6 TA0009: Collection T1056.004: Credential API Hooking
    T1005: Data from Local System