In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector from a Contact Forms campaign. We have previously reported on two BumbleBee intrusions (1, 2), and this report is a continuation of a series of reports uncovering multiple TTPs seen by BumbleBee post-exploitation operators.

The intrusion began with the delivery of an ISO file that contained an LNK and a DLL. The threat actors leveraged BumbleBee to load a Meterpreter agent and Cobalt Strike Beacons. They then performed reconnaissance, used two different UAC bypass techniques, dumped credentials, escalated privileges using a ZeroLogon exploit, and moved laterally through the environment.

The intrusion started with a contact form on a website. It has been reported that this delivery method has been in use for intrusions since at least 2020. This campaign took place in May, and appears to have run as late as June 2022, based on OSINT data related to similar delivery fingerprints.

The contact form gets filled out by the threat actor with a Copyright notice, purporting a violation of the Digital Millennium Copyright Act (DMCA). It then encourages the recipient to download a file showing the purported violation. Upon the user clicking the link, they arrive at a “Google” storage site on. A zip file is then downloaded to the victim machine and, once unzipped, the user is presented with an ISO file. The ISO contains an LNK file and a DLL file. When the LNK is double-clicked, the BumbleBee DLL is executed via rundll32.
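As a defensive illustration of the final execution step above, the following is an added example (not code from the report or from The DFIR Report): it parses constructed process-creation records, using Sysmon Event ID 1 field names, and flags rundll32 launched by explorer.exe with a DLL outside the Windows and Program Files directories, which is how a DLL run from a mounted ISO via a double-clicked LNK would appear. The sample records, drive letters and DLL names are constructed, not taken from the intrusion.

```python
import re
from ntpath import basename  # handles Windows paths regardless of host OS

# Directories from which rundll32 normally loads DLLs on a default install.
TRUSTED_DLL_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# rundll32 syntax is "rundll32 <dll path>,<export>"; capture the DLL path, quoted or bare.
_RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+(?:"(?P<q>[^"]+)"|(?P<b>[^,\s]+))\s*,', re.IGNORECASE)


def dll_path_from_cmdline(cmdline):
    """Return the DLL path passed to rundll32, or None if it cannot be parsed."""
    m = _RUNDLL_RE.search(cmdline)
    if not m:
        return None
    return m.group("q") or m.group("b")


def is_suspicious_rundll32(event):
    """True when the shell (explorer.exe, i.e. a double-clicked LNK) spawned rundll32
    with a DLL that lives outside the trusted system/program directories."""
    if basename(event["Image"]).lower() != "rundll32.exe":
        return False
    dll = dll_path_from_cmdline(event["CommandLine"])
    if dll is None or dll.lower().startswith(TRUSTED_DLL_PREFIXES):
        return False
    return basename(event["ParentImage"]).lower() == "explorer.exe"


def triage(events):
    """Return the command lines of all events that match the rule."""
    return [e["CommandLine"] for e in events if is_suspicious_rundll32(e)]


# Constructed sample events (not from the report). E: and D: stand in for mounted ISO volumes.
SAMPLE_EVENTS = [
    {"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe E:\\sample.dll,Start"},                       # LNK-style launch
    {"ParentImage": "C:\\Windows\\System32\\svchost.exe", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "C:\\Windows\\System32\\rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"},
    {"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe \"C:\\Program Files\\Vendor\\app.dll\",Run"},  # trusted directory
    {"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe \"D:\\My Files\\x.dll\",Go"},                  # quoted path on new volume
    {"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print("suspicious:", line)
```

A rule like this is a starting point for hunting, not a verdict: legitimate installers also call rundll32 on DLLs in temporary directories, so hits should be reviewed together with the parent LNK and the mounted-volume context.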