| Event ID | 4519 |
| UUID | 758d96ed-9dd4-4009-9270-65f2c3dd30cc |
| Creator org | CIRCL |
| Owner org | LUNCHBOX |
| Creator user | admin@admin.test |
| Protected Event (experimental) | Event is in unprotected mode. |
| Tags | misp-galaxy:mitre-attack-pattern=”Bypass User Access Control – T1548.002″x type:OSINTx osint:lifetime=”perpetual”x osint:certainty=”50″x tlp:whitex misp-galaxy:tool=”BumbleBee”x ecsirt:intrusions=”backdoor”x veris:action:malware:variety=”Backdoor”x ms-caro-malware:malware-type=”Backdoor”x ms-caro-malware-full:malware-type=”Backdoor”x misp-galaxy:malpedia=”Bookworm”x |
| Date | 2022-09-02 |
| Threat Level | Medium |
| Analysis | Initial |
| Distribution | All communities |
| Published | Yes 2022-11-01 06:55:31 |
| #Attributes | 23 (4 Objects) |
| First recorded change | 2022-09-09 07:28:51 |
| Last change | 2022-10-24 09:23:30 |
| Modification map | |
| Sightings | 0 (0) – restricted to own organisation only. |
Order by dateOrder by count
Related Events
PivotsGalaxyEvent graphEvent timelineCorrelation graphATT&CK matrixEvent reportsAttributesDiscussion
4519: Buzzing in the Background: BumbleBee, a New Modular Backdoor Evolved From BookWorm
Galaxies
Attack Pattern
- Boot or Logon Autostart Execution – T1547
- Boot or Logon Initialization Scripts – T1037
- Keylogging – T1056.001
- Input Capture – T1056
- Process Injection – T1055
- Indicator Removal on Host – T1070
- Web Protocols – T1071.001
- Proxy – T1090
- Input Capture – T1417
- Execution Guardrails – T1480
- Create or Modify System Process – T1543
- Symmetric Cryptography – T1573.001
- Hijack Execution Flow – T1574
- Malware – T1587.001
- Gather Victim Host Information – T1592
Malpedia
Tool
- « previous
- next »
- view all
Scope toggle Deleted Decay score SightingDB Context Related Tags Filtering tool
| Date | Org | Category | Type | Value | Tags | Galaxies | Comment | Correlate | Related Events | Feed hits | IDS | Distribution | Sightings | Activity | Actions | |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2022-09-12 | Payload delivery | filename | kernel.dll | Inherit | (0/0/0) | |||||||||||
| 2022-09-12 | Payload delivery | filename | slaver.dll | Inherit | (0/0/0) | |||||||||||
| 2022-09-12 | Payload delivery | filename | launcher.dll | Inherit | (0/0/0) | |||||||||||
| 2022-09-12 | Payload delivery | filename | installer.dll | Inherit | (0/0/0) | |||||||||||
| 2022-09-12 | Payload delivery | filename | keylog.dll | Inherit | (0/0/0) | |||||||||||
| 2022-09-12 | Payload delivery | filename | loader.dll | Inherit | (0/0/0) | |||||||||||
| 2022-09-09 | Network activity | url | http://www.synolo.ns01.biz:80/update | C&C | Inherit | (0/0/0) | ||||||||||
| 2022-09-09 | Network activity | url | http://118.163.105.130:80/update | C&C | Inherit | (0/0/0) | ||||||||||
| 2022-09-09 | Payload delivery | sha256 | 8e340746339614ca105a1873dad471188b24421648d080e37d52b87f4ced5e6d | Backdoor.Win32.BUMBLEB.ZTIC – bin | Inherit | (0/0/0) | ||||||||||
| 2022-09-09 | Payload delivery | sha256 | 515cb31b2c89df83ea6d54d5c0c3e4fe9a024319d9bd8fd76ad351860bd67ea3 | Backdoor.Win32.BUMBLEB.ZTIC – ore | Inherit | (0/0/0) | ||||||||||
| 2022-09-09 | Payload delivery | sha256 | 8ab8bb836b074e170c129b7f0523d256930fd1f8cf126ca1875b450fdb6c4c05 | Backdoor.Win32.BUMBLEB.ZTIC – bin | Inherit | (0/0/0) | ||||||||||
| 2022-09-09 | Payload delivery | sha256 | 4ecde81a476f1e4622d192fe2f120f7c5c3ec58bf118b791d5532f3ff61c09ee | Backdoor.Win32.BUMBLEB.ZTIC – bin | Inherit | (0/0/0) | ||||||||||
| 2022-09-09 | Payload delivery | sha256 | 6690b7ace461b60b7a72613c202d70f4684c8cdc5afbb4267c67b5fe5dbf828e | Backdoor.Win32.BUMBLEB.ZTIC – bin | Inherit | (0/0/0) | ||||||||||
| 2022-09-09 | Payload delivery | sha256 | eeca34fba68754e05e7307de61708e4ce74441754fcc6ae762148edf9e8e2ca0 | Backdoor.Win32.BUMBLEB.ZTIC – ore | Inherit | (0/0/0) | ||||||||||
| 2022-09-09 | Object name: file References: 0 | Trojan.Win32.REGLOAD.ZTI | Inherit | |||||||||||||
| 2022-09-09 | Payload delivery | sha256:sha256 | ea5db8d658f42acad38106cbc46eea5944607eb709fb00f8adb501d4779fbea0 | Inherit | (0/0/0) | |||||||||||
| 2022-09-09 | Payload delivery | filename:filename | XecureIO_v20.dll | 2803 | Inherit | (0/0/0) | ||||||||||
| 2022-09-09 | Object name: file References: 0 | Trojan.Win32.REGLOAD.ZTI | Inherit | |||||||||||||
| 2022-09-09 | Payload delivery | filename:filename | XecureIO_v20.dll | 2803 | Inherit | (0/0/0) | ||||||||||
| 2022-09-09 | Payload delivery | sha256:sha256 | 3fc6c5df4a04d555d5cbf2ca53bed7769b5595fc6143a2599097cb6193ef8810 | Inherit | (0/0/0) | |||||||||||
| 2022-09-09 | Object name: file References: 0 | Trojan.Win32.MULTICOM.ZTIC | Inherit | |||||||||||||
| 2022-09-09 | Payload delivery | sha256:sha256 | f8809c6c56d2a0f8a08fe181614e6d9488eeb6983f044f2e6a8fa6a617ef2475 | Inherit | (0/0/0) | |||||||||||
| 2022-09-09 | Payload delivery | filename:filename | slaver.exe | Inherit | (0/0/0) | |||||||||||
| 2022-09-09 | Object name: report References: 0 | Inherit | ||||||||||||||
| 2022-09-09 | External analysis | link:link | https://www.trendmicro.com/en_us/research/22/i/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolv.html | Inherit | (0/0/0) | |||||||||||
| 2022-09-09 | Other | summary:text | “In March 2021, we investigated a backdoor with a unique modular architecture. Its type of modular framework made our static analysis more challenging because it required us to first rebuild its structure or use dynamic analysis to understand its functionality and behavior.” | Inherit | (0/0/0) | |||||||||||
| 2022-09-09 | Other | type:text | Report | Inherit | (0/0/0) | |||||||||||