{
"Event" : {
"analysis" : "0" ,
"date" : "2022-09-02" ,
"extends_uuid" : "" ,
"info" : "Buzzing in the Background: BumbleBee, a New Modular Backdoor Evolved From BookWorm" ,
"publish_timestamp" : "1666603457" ,
"published" : true ,
"threat_level_id" : "2" ,
"timestamp" : "1666603410" ,
"uuid" : "758d96ed-9dd4-4009-9270-65f2c3dd30cc" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#064b00" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Hijack Execution Flow - T1574\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Indicator Removal on Host - T1070\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Execution Guardrails - T1480\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Boot or Logon Autostart Execution - T1547\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Boot or Logon Initialization Scripts - T1037\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Create or Modify System Process - T1543\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#075900" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Input Capture - T1417\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Input Capture - T1056\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Gather Victim Host Information - T1592\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Bypass User Access Control - T1548.002\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Proxy - T1090\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Symmetric Cryptography - T1573.001\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Malware - T1587.001\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:malpedia=\"BumbleBee\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#004646" ,
"local" : "0" ,
"name" : "type:OSINT" ,
"relationship_type" : ""
} ,
{
"colour" : "#0071c3" ,
"local" : "0" ,
"name" : "osint:lifetime=\"perpetual\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0087e8" ,
"local" : "0" ,
"name" : "osint:certainty=\"50\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#ffffff" ,
"local" : "0" ,
"name" : "tlp:white" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:tool=\"BumbleBee\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#00b3b3" ,
"local" : "0" ,
"name" : "ecsirt:intrusions=\"backdoor\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#00a9ce" ,
"local" : "0" ,
"name" : "veris:action:malware:variety=\"Backdoor\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#2c0037" ,
"local" : "0" ,
"name" : "ms-caro-malware:malware-type=\"Backdoor\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#001534" ,
"local" : "0" ,
"name" : "ms-caro-malware-full:malware-type=\"Backdoor\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:malpedia=\"Bookworm\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:tool=\"Bookworm\"" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "Backdoor.Win32.BUMBLEB.ZTIC - ore" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1662729265" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "35a4ef92-4ae2-4a9b-b23e-d03024f278a1" ,
"value" : "eeca34fba68754e05e7307de61708e4ce74441754fcc6ae762148edf9e8e2ca0"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Backdoor.Win32.BUMBLEB.ZTIC - bin" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1662729274" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5823caf2-1ab2-4c0d-a24e-de7edd58b23e" ,
"value" : "6690b7ace461b60b7a72613c202d70f4684c8cdc5afbb4267c67b5fe5dbf828e"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Backdoor.Win32.BUMBLEB.ZTIC - bin" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1662729281" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "d56163b8-3f70-494a-8c03-b5cd66da7aca" ,
"value" : "4ecde81a476f1e4622d192fe2f120f7c5c3ec58bf118b791d5532f3ff61c09ee"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Backdoor.Win32.BUMBLEB.ZTIC - bin" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1662729289" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "dba0f86f-314c-4aac-b08c-5b4d47e2a1da" ,
"value" : "8ab8bb836b074e170c129b7f0523d256930fd1f8cf126ca1875b450fdb6c4c05"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Backdoor.Win32.BUMBLEB.ZTIC - ore" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1662729293" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "903429af-87ca-4865-ab0a-da4febe313e9" ,
"value" : "515cb31b2c89df83ea6d54d5c0c3e4fe9a024319d9bd8fd76ad351860bd67ea3"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Backdoor.Win32.BUMBLEB.ZTIC - bin" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1662729299" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "01769315-d698-45fe-8388-4853f1f7a30d" ,
"value" : "8e340746339614ca105a1873dad471188b24421648d080e37d52b87f4ced5e6d"
} ,
{
"category" : "Network activity" ,
"comment" : "C&C" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1662729805" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "c9e05448-4911-489a-a310-2f6bd3b0c8f5" ,
"value" : "http://www.synolo.ns01.biz:80/update"
} ,
{
"category" : "Network activity" ,
"comment" : "C&C" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1662729805" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "5cb19648-900a-4363-ac92-f0dcef307ef1" ,
"value" : "http://118.163.105.130:80/update"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1662963677" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "39fff771-4832-4181-abf2-1aadd9a9d815" ,
"value" : "launcher.dll"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1662963677" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "f25b964c-9158-436e-8f77-86e949f4c5ac" ,
"value" : "kernel.dll"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1662963677" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "6516e8c0-eb91-45f4-9436-cdce2e06e1ab" ,
"value" : "installer.dll"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1662963677" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "79256a9e-de15-47c7-a361-eb7281617e36" ,
"value" : "keylog.dll"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1662963677" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "11ac46b5-49f4-44cc-9eb4-edf82ec428da" ,
"value" : "loader.dll"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1662963677" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "2f9eb12e-0e85-4498-aee6-e01f9855fe79" ,
"value" : "slaver.dll"
}
] ,
"Object" : [
{
"comment" : "" ,
"deleted" : false ,
"description" : "Metadata used to generate an executive level report" ,
"meta-category" : "misc" ,
"name" : "report" ,
"template_uuid" : "70a68471-df22-4e3f-aa1a-5a3be19f82df" ,
"template_version" : "7" ,
"timestamp" : "1662708531" ,
"uuid" : "a68b22f1-a68b-4866-b711-3e20fd9914b2" ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "link" ,
"timestamp" : "1662708531" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "56256c65-96f3-4ffc-b9d2-b2cd01e49cdc" ,
"value" : "https://www.trendmicro.com/en_us/research/22/i/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolv.html"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "summary" ,
"timestamp" : "1662708531" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "72c873ac-5a7e-4cde-a97f-7d6a1fe8d4e9" ,
"value" : "\"In March 2021, we investigated a backdoor with a unique modular architecture. Its type of modular framework made our static analysis more challenging because it required us to first rebuild its structure or use dynamic analysis to understand its functionality and behavior.\""
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "type" ,
"timestamp" : "1662708531" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "72b488f3-fd16-46c6-a46e-787709228af3" ,
"value" : "Report"
}
]
} ,
{
"comment" : "Trojan.Win32.MULTICOM.ZTIC" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1662724249" ,
"uuid" : "807f2024-9752-456a-be70-284533077af6" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1662724249" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "57ac80d1-cca3-4457-8969-76874f9915b3" ,
"value" : "f8809c6c56d2a0f8a08fe181614e6d9488eeb6983f044f2e6a8fa6a617ef2475"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "filename" ,
"timestamp" : "1662724249" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "fe5af199-95c0-46c2-8459-97a88ec5efe8" ,
"value" : "slaver.exe"
}
]
} ,
{
"comment" : "Trojan.Win32.REGLOAD.ZTI" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1662724592" ,
"uuid" : "01ffa6b4-4c4a-4e4d-848c-2e8834970353" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "filename" ,
"timestamp" : "1662724592" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "6a41f248-8cc7-422e-8669-37ba4601bed7" ,
"value" : "XecureIO_v20.dll"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1662724592" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "66759a76-7557-4c81-8419-cd7e47ad7952" ,
"value" : "3fc6c5df4a04d555d5cbf2ca53bed7769b5595fc6143a2599097cb6193ef8810"
}
]
} ,
{
"comment" : "Trojan.Win32.REGLOAD.ZTI" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1662724615" ,
"uuid" : "788f4f53-7c1e-4528-9315-17e4af67cae6" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1662724615" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "8ea49814-7e60-42bf-a3ec-b273de5751ea" ,
"value" : "ea5db8d658f42acad38106cbc46eea5944607eb709fb00f8adb501d4779fbea0"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "filename" ,
"timestamp" : "1662724615" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "2772b523-c1a8-436a-8ccf-ddac54976d6a" ,
"value" : "XecureIO_v20.dll"
}
]
}
]
}
}