{ "type": "bundle", "id": "bundle--758d96ed-9dd4-4009-9270-65f2c3dd30cc", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-10-24T09:23:30.000Z", "modified": "2022-10-24T09:23:30.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--758d96ed-9dd4-4009-9270-65f2c3dd30cc", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-10-24T09:23:30.000Z", "modified": "2022-10-24T09:23:30.000Z", "name": "Buzzing in the Background: BumbleBee, a New Modular Backdoor Evolved From BookWorm", "published": "2022-10-24T09:24:17Z", "object_refs": [ "indicator--35a4ef92-4ae2-4a9b-b23e-d03024f278a1", "indicator--5823caf2-1ab2-4c0d-a24e-de7edd58b23e", "indicator--d56163b8-3f70-494a-8c03-b5cd66da7aca", "indicator--dba0f86f-314c-4aac-b08c-5b4d47e2a1da", "indicator--903429af-87ca-4865-ab0a-da4febe313e9", "indicator--01769315-d698-45fe-8388-4853f1f7a30d", "indicator--c9e05448-4911-489a-a310-2f6bd3b0c8f5", "indicator--5cb19648-900a-4363-ac92-f0dcef307ef1", "indicator--39fff771-4832-4181-abf2-1aadd9a9d815", "indicator--f25b964c-9158-436e-8f77-86e949f4c5ac", "indicator--6516e8c0-eb91-45f4-9436-cdce2e06e1ab", "indicator--79256a9e-de15-47c7-a361-eb7281617e36", "indicator--11ac46b5-49f4-44cc-9eb4-edf82ec428da", "indicator--2f9eb12e-0e85-4498-aee6-e01f9855fe79", "x-misp-object--a68b22f1-a68b-4866-b711-3e20fd9914b2", "indicator--807f2024-9752-456a-be70-284533077af6", "indicator--01ffa6b4-4c4a-4e4d-848c-2e8834970353", "indicator--788f4f53-7c1e-4528-9315-17e4af67cae6" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:mitre-attack-pattern=\"Hijack Execution Flow - T1574\"", "misp-galaxy:mitre-attack-pattern=\"Indicator Removal on Host - T1070\"", "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"", "misp-galaxy:mitre-attack-pattern=\"Execution Guardrails - T1480\"", "misp-galaxy:mitre-attack-pattern=\"Boot or Logon Autostart Execution - T1547\"", "misp-galaxy:mitre-attack-pattern=\"Boot or Logon Initialization Scripts - T1037\"", "misp-galaxy:mitre-attack-pattern=\"Create or Modify System Process - T1543\"", "misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\"", "misp-galaxy:mitre-attack-pattern=\"Input Capture - T1417\"", "misp-galaxy:mitre-attack-pattern=\"Input Capture - T1056\"", "misp-galaxy:mitre-attack-pattern=\"Gather Victim Host Information - T1592\"", "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"", "misp-galaxy:mitre-attack-pattern=\"Bypass User Access Control - T1548.002\"", "misp-galaxy:mitre-attack-pattern=\"Proxy - T1090\"", "misp-galaxy:mitre-attack-pattern=\"Symmetric Cryptography - T1573.001\"", "misp-galaxy:mitre-attack-pattern=\"Malware - T1587.001\"", "misp-galaxy:malpedia=\"BumbleBee\"", "type:OSINT", "osint:lifetime=\"perpetual\"", "osint:certainty=\"50\"", "misp-galaxy:tool=\"BumbleBee\"", "ecsirt:intrusions=\"backdoor\"", "veris:action:malware:variety=\"Backdoor\"", "ms-caro-malware:malware-type=\"Backdoor\"", "ms-caro-malware-full:malware-type=\"Backdoor\"", "misp-galaxy:malpedia=\"Bookworm\"", "misp-galaxy:tool=\"Bookworm\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--35a4ef92-4ae2-4a9b-b23e-d03024f278a1", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-09-09T13:14:25.000Z", "modified": "2022-09-09T13:14:25.000Z", "description": "Backdoor.Win32.BUMBLEB.ZTIC - ore", "pattern": "[file:hashes.SHA256 = 'eeca34fba68754e05e7307de61708e4ce74441754fcc6ae762148edf9e8e2ca0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-09-09T13:14:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5823caf2-1ab2-4c0d-a24e-de7edd58b23e", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-09-09T13:14:34.000Z", "modified": "2022-09-09T13:14:34.000Z", "description": "Backdoor.Win32.BUMBLEB.ZTIC - bin", "pattern": "[file:hashes.SHA256 = '6690b7ace461b60b7a72613c202d70f4684c8cdc5afbb4267c67b5fe5dbf828e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-09-09T13:14:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d56163b8-3f70-494a-8c03-b5cd66da7aca", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-09-09T13:14:41.000Z", "modified": "2022-09-09T13:14:41.000Z", "description": "Backdoor.Win32.BUMBLEB.ZTIC - bin", "pattern": "[file:hashes.SHA256 = '4ecde81a476f1e4622d192fe2f120f7c5c3ec58bf118b791d5532f3ff61c09ee']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-09-09T13:14:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--dba0f86f-314c-4aac-b08c-5b4d47e2a1da", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-09-09T13:14:49.000Z", "modified": "2022-09-09T13:14:49.000Z", "description": "Backdoor.Win32.BUMBLEB.ZTIC - bin", "pattern": "[file:hashes.SHA256 = '8ab8bb836b074e170c129b7f0523d256930fd1f8cf126ca1875b450fdb6c4c05']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-09-09T13:14:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--903429af-87ca-4865-ab0a-da4febe313e9", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-09-09T13:14:53.000Z", "modified": "2022-09-09T13:14:53.000Z", "description": "Backdoor.Win32.BUMBLEB.ZTIC - ore", "pattern": "[file:hashes.SHA256 = '515cb31b2c89df83ea6d54d5c0c3e4fe9a024319d9bd8fd76ad351860bd67ea3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-09-09T13:14:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--01769315-d698-45fe-8388-4853f1f7a30d", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-09-09T13:14:59.000Z", "modified": "2022-09-09T13:14:59.000Z", "description": "Backdoor.Win32.BUMBLEB.ZTIC - bin", "pattern": "[file:hashes.SHA256 = '8e340746339614ca105a1873dad471188b24421648d080e37d52b87f4ced5e6d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-09-09T13:14:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c9e05448-4911-489a-a310-2f6bd3b0c8f5", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-09-09T13:23:25.000Z", "modified": "2022-09-09T13:23:25.000Z", "description": "C&C", "pattern": "[url:value = 'http://www.synolo.ns01.biz:80/update']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-09-09T13:23:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cb19648-900a-4363-ac92-f0dcef307ef1", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-09-09T13:23:25.000Z", "modified": "2022-09-09T13:23:25.000Z", "description": "C&C", "pattern": "[url:value = 'http://118.163.105.130:80/update']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-09-09T13:23:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--39fff771-4832-4181-abf2-1aadd9a9d815", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-09-12T06:21:17.000Z", "modified": "2022-09-12T06:21:17.000Z", "pattern": "[file:name = 'launcher.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-09-12T06:21:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f25b964c-9158-436e-8f77-86e949f4c5ac", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-09-12T06:21:17.000Z", "modified": "2022-09-12T06:21:17.000Z", "pattern": "[file:name = 'kernel.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-09-12T06:21:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--6516e8c0-eb91-45f4-9436-cdce2e06e1ab", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-09-12T06:21:17.000Z", "modified": "2022-09-12T06:21:17.000Z", "pattern": "[file:name = 'installer.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-09-12T06:21:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--79256a9e-de15-47c7-a361-eb7281617e36", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-09-12T06:21:17.000Z", "modified": "2022-09-12T06:21:17.000Z", "pattern": "[file:name = 'keylog.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-09-12T06:21:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--11ac46b5-49f4-44cc-9eb4-edf82ec428da", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-09-12T06:21:17.000Z", "modified": "2022-09-12T06:21:17.000Z", "pattern": "[file:name = 'loader.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-09-12T06:21:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--2f9eb12e-0e85-4498-aee6-e01f9855fe79", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-09-12T06:21:17.000Z", "modified": "2022-09-12T06:21:17.000Z", "pattern": "[file:name = 'slaver.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-09-12T06:21:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--a68b22f1-a68b-4866-b711-3e20fd9914b2", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-09-09T07:28:51.000Z", "modified": "2022-09-09T07:28:51.000Z", "labels": [ "misp:name=\"report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "link", "value": "https://www.trendmicro.com/en_us/research/22/i/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolv.html", "category": "External analysis", "uuid": "56256c65-96f3-4ffc-b9d2-b2cd01e49cdc" }, { "type": "text", "object_relation": "summary", "value": "\"In March 2021, we investigated a backdoor with a unique modular architecture. Its type of modular framework made our static analysis more challenging because it required us to first rebuild its structure or use dynamic analysis to understand its functionality and behavior.\"", "category": "Other", "uuid": "72c873ac-5a7e-4cde-a97f-7d6a1fe8d4e9" }, { "type": "text", "object_relation": "type", "value": "Report", "category": "Other", "uuid": "72b488f3-fd16-46c6-a46e-787709228af3" } ], "x_misp_meta_category": "misc", "x_misp_name": "report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--807f2024-9752-456a-be70-284533077af6", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-09-09T11:50:49.000Z", "modified": "2022-09-09T11:50:49.000Z", "description": " Trojan.Win32.MULTICOM.ZTIC", "pattern": "[file:hashes.SHA256 = 'f8809c6c56d2a0f8a08fe181614e6d9488eeb6983f044f2e6a8fa6a617ef2475' AND file:name = 'slaver.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-09-09T11:50:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--01ffa6b4-4c4a-4e4d-848c-2e8834970353", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-09-09T11:56:32.000Z", "modified": "2022-09-09T11:56:32.000Z", "description": "Trojan.Win32.REGLOAD.ZTI", "pattern": "[file:hashes.SHA256 = '3fc6c5df4a04d555d5cbf2ca53bed7769b5595fc6143a2599097cb6193ef8810' AND file:name = 'XecureIO_v20.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-09-09T11:56:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--788f4f53-7c1e-4528-9315-17e4af67cae6", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2022-09-09T11:56:55.000Z", "modified": "2022-09-09T11:56:55.000Z", "description": "Trojan.Win32.REGLOAD.ZTI", "pattern": "[file:hashes.SHA256 = 'ea5db8d658f42acad38106cbc46eea5944607eb709fb00f8adb501d4779fbea0' AND file:name = 'XecureIO_v20.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-09-09T11:56:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }