Buzzing in the Background: BumbleBee, a New Modular Backdoor Evolved From BookWorm

Event ID: 4519
UUID: 758d96ed-9dd4-4009-9270-65f2c3dd30cc
Creator org: CIRCL
Owner org: LUNCHBOX
Creator user: admin@admin.test
Protected Event (experimental): Event is in unprotected mode.
Tags:
  •  misp-galaxy:mitre-attack-pattern="Bypass User Access Control – T1548.002"
  •  type:OSINT
  •  osint:lifetime="perpetual"
  •  osint:certainty="50"
  •  tlp:white
  •  misp-galaxy:tool="BumbleBee"
  •  ecsirt:intrusions="backdoor"
  •  veris:action:malware:variety="Backdoor"
  •  ms-caro-malware:malware-type="Backdoor"
  •  ms-caro-malware-full:malware-type="Backdoor"
  •  misp-galaxy:malpedia="Bookworm"
Date: 2022-09-02
Threat Level: Medium
Analysis: Initial
Distribution: All communities
Published: Yes (2022-11-01 06:55:31)
#Attributes: 23 (4 Objects)
First recorded change: 2022-09-09 07:28:51
Last change: 2022-10-24 09:23:30
Sightings: 0 (0) – restricted to own organisation only.


Related Events

  •  2022-08-12  abuse.ch  MalwareBazaar malware samples for 2022-08-12  (1)


Galaxies

Attack Pattern 

  •  Boot or Logon Autostart Execution – T1547   
  •  Boot or Logon Initialization Scripts – T1037   
  •  Keylogging – T1056.001   
  •  Input Capture – T1056   
  •  Process Injection – T1055   
  •  Indicator Removal on Host – T1070   
  •  Web Protocols – T1071.001   
  •  Proxy – T1090   
  •  Input Capture – T1417   
  •  Execution Guardrails – T1480   
  •  Create or Modify System Process – T1543   
  •  Symmetric Cryptography – T1573.001   
  •  Hijack Execution Flow – T1574   
  •  Malware – T1587.001   
  •  Gather Victim Host Information – T1592   

Malpedia 

  •  BumbleBee   

Tool 

  •  Bookworm   


Attributes

Date        Category          Type      Value                                                             Comment                            Distribution  Sightings
2022-09-12  Payload delivery  filename  kernel.dll                                                                                           Inherit       (0/0/0)
2022-09-12  Payload delivery  filename  slaver.dll                                                                                           Inherit       (0/0/0)
2022-09-12  Payload delivery  filename  launcher.dll                                                                                         Inherit       (0/0/0)
2022-09-12  Payload delivery  filename  installer.dll                                                                                        Inherit       (0/0/0)
2022-09-12  Payload delivery  filename  keylog.dll                                                                                           Inherit       (0/0/0)
2022-09-12  Payload delivery  filename  loader.dll                                                                                           Inherit       (0/0/0)
2022-09-09  Network activity  url       http://www.synolo.ns01.biz:80/update                              C&C                                Inherit       (0/0/0)
2022-09-09  Network activity  url       http://118.163.105.130:80/update                                  C&C                                Inherit       (0/0/0)
2022-09-09  Payload delivery  sha256    8e340746339614ca105a1873dad471188b24421648d080e37d52b87f4ced5e6d  Backdoor.Win32.BUMBLEB.ZTIC – bin  Inherit       (0/0/0)
2022-09-09  Payload delivery  sha256    515cb31b2c89df83ea6d54d5c0c3e4fe9a024319d9bd8fd76ad351860bd67ea3  Backdoor.Win32.BUMBLEB.ZTIC – ore  Inherit       (0/0/0)
2022-09-09  Payload delivery  sha256    8ab8bb836b074e170c129b7f0523d256930fd1f8cf126ca1875b450fdb6c4c05  Backdoor.Win32.BUMBLEB.ZTIC – bin  Inherit       (0/0/0)
2022-09-09  Payload delivery  sha256    4ecde81a476f1e4622d192fe2f120f7c5c3ec58bf118b791d5532f3ff61c09ee  Backdoor.Win32.BUMBLEB.ZTIC – bin  Inherit       (0/0/0)
2022-09-09  Payload delivery  sha256    6690b7ace461b60b7a72613c202d70f4684c8cdc5afbb4267c67b5fe5dbf828e  Backdoor.Win32.BUMBLEB.ZTIC – bin  Inherit       (0/0/0)
2022-09-09  Payload delivery  sha256    eeca34fba68754e05e7307de61708e4ce74441754fcc6ae762148edf9e8e2ca0  Backdoor.Win32.BUMBLEB.ZTIC – ore  Inherit       (0/0/0)

Object: file (2022-09-09) – comment: Trojan.Win32.REGLOAD.ZTI – distribution: Inherit – references: none
2022-09-09  Payload delivery  sha256    ea5db8d658f42acad38106cbc46eea5944607eb709fb00f8adb501d4779fbea0                                     Inherit       (0/0/0)
2022-09-09  Payload delivery  filename  XecureIO_v20.dll                                                  related event: 2803                Inherit       (0/0/0)

Object: file (2022-09-09) – comment: Trojan.Win32.REGLOAD.ZTI – distribution: Inherit – references: none
2022-09-09  Payload delivery  filename  XecureIO_v20.dll                                                  related event: 2803                Inherit       (0/0/0)
2022-09-09  Payload delivery  sha256    3fc6c5df4a04d555d5cbf2ca53bed7769b5595fc6143a2599097cb6193ef8810                                     Inherit       (0/0/0)

Object: file (2022-09-09) – comment: Trojan.Win32.MULTICOM.ZTIC – distribution: Inherit – references: none
2022-09-09  Payload delivery  sha256    f8809c6c56d2a0f8a08fe181614e6d9488eeb6983f044f2e6a8fa6a617ef2475                                     Inherit       (0/0/0)
2022-09-09  Payload delivery  filename  slaver.exe                                                                                           Inherit       (0/0/0)

Object: report (2022-09-09) – distribution: Inherit – references: none
2022-09-09  External analysis  link     https://www.trendmicro.com/en_us/research/22/i/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolv.html  Inherit  (0/0/0)
2022-09-09  Other              summary  “In March 2021, we investigated a backdoor with a unique modular architecture. Its type of modular framework made our static analysis more challenging because it required us to first rebuild its structure or use dynamic analysis to understand its functionality and behavior.”  Inherit  (0/0/0)
2022-09-09  Other              type     Report  Inherit  (0/0/0)