{ "Event": { "analysis": "0", "date": "2022-09-02", "extends_uuid": "", "info": "Buzzing in the Background: BumbleBee, a New Modular Backdoor Evolved From BookWorm", "publish_timestamp": "1666603457", "published": true, "threat_level_id": "2", "timestamp": "1666603410", "uuid": "758d96ed-9dd4-4009-9270-65f2c3dd30cc", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#064b00", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"Hijack Execution Flow - T1574\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"Indicator Removal on Host - T1070\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"Execution Guardrails - T1480\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"Boot or Logon Autostart Execution - T1547\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"Boot or Logon Initialization Scripts - T1037\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"Create or Modify System Process - T1543\"", "relationship_type": "" }, { "colour": "#075900", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"Input Capture - T1417\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"Input Capture - T1056\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"Gather Victim Host Information - T1592\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"Bypass User Access Control - T1548.002\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"Proxy - T1090\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"Symmetric Cryptography - T1573.001\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"Malware - T1587.001\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:malpedia=\"BumbleBee\"", "relationship_type": "" }, { "colour": "#004646", "local": "0", "name": "type:OSINT", "relationship_type": "" }, { "colour": "#0071c3", "local": "0", "name": "osint:lifetime=\"perpetual\"", "relationship_type": "" }, { "colour": "#0087e8", "local": "0", "name": "osint:certainty=\"50\"", "relationship_type": "" }, { "colour": "#ffffff", "local": "0", "name": "tlp:white", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:tool=\"BumbleBee\"", "relationship_type": "" }, { "colour": "#00b3b3", "local": "0", "name": "ecsirt:intrusions=\"backdoor\"", "relationship_type": "" }, { "colour": "#00a9ce", "local": "0", "name": "veris:action:malware:variety=\"Backdoor\"", "relationship_type": "" }, { "colour": "#2c0037", "local": "0", "name": "ms-caro-malware:malware-type=\"Backdoor\"", "relationship_type": "" }, { "colour": "#001534", "local": "0", "name": "ms-caro-malware-full:malware-type=\"Backdoor\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:malpedia=\"Bookworm\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:tool=\"Bookworm\"", "relationship_type": "" } ], "Attribute": [ { "category": "Payload delivery", "comment": "Backdoor.Win32.BUMBLEB.ZTIC - ore", "deleted": false, "disable_correlation": false, "timestamp": "1662729265", "to_ids": true, "type": "sha256", "uuid": "35a4ef92-4ae2-4a9b-b23e-d03024f278a1", "value": "eeca34fba68754e05e7307de61708e4ce74441754fcc6ae762148edf9e8e2ca0" }, { "category": "Payload delivery", "comment": "Backdoor.Win32.BUMBLEB.ZTIC - bin", "deleted": false, "disable_correlation": false, "timestamp": "1662729274", "to_ids": true, "type": "sha256", "uuid": "5823caf2-1ab2-4c0d-a24e-de7edd58b23e", "value": "6690b7ace461b60b7a72613c202d70f4684c8cdc5afbb4267c67b5fe5dbf828e" }, { "category": "Payload delivery", "comment": "Backdoor.Win32.BUMBLEB.ZTIC - bin", "deleted": false, "disable_correlation": false, "timestamp": "1662729281", "to_ids": true, "type": "sha256", "uuid": "d56163b8-3f70-494a-8c03-b5cd66da7aca", "value": "4ecde81a476f1e4622d192fe2f120f7c5c3ec58bf118b791d5532f3ff61c09ee" }, { "category": "Payload delivery", "comment": "Backdoor.Win32.BUMBLEB.ZTIC - bin", "deleted": false, "disable_correlation": false, "timestamp": "1662729289", "to_ids": true, "type": "sha256", "uuid": "dba0f86f-314c-4aac-b08c-5b4d47e2a1da", "value": "8ab8bb836b074e170c129b7f0523d256930fd1f8cf126ca1875b450fdb6c4c05" }, { "category": "Payload delivery", "comment": "Backdoor.Win32.BUMBLEB.ZTIC - ore", "deleted": false, "disable_correlation": false, "timestamp": "1662729293", "to_ids": true, "type": "sha256", "uuid": "903429af-87ca-4865-ab0a-da4febe313e9", "value": "515cb31b2c89df83ea6d54d5c0c3e4fe9a024319d9bd8fd76ad351860bd67ea3" }, { "category": "Payload delivery", "comment": "Backdoor.Win32.BUMBLEB.ZTIC - bin", "deleted": false, "disable_correlation": false, "timestamp": "1662729299", "to_ids": true, "type": "sha256", "uuid": "01769315-d698-45fe-8388-4853f1f7a30d", "value": "8e340746339614ca105a1873dad471188b24421648d080e37d52b87f4ced5e6d" }, { "category": "Network activity", "comment": "C&C", "deleted": false, "disable_correlation": false, "timestamp": "1662729805", "to_ids": true, "type": "url", "uuid": "c9e05448-4911-489a-a310-2f6bd3b0c8f5", "value": "http://www.synolo.ns01.biz:80/update" }, { "category": "Network activity", "comment": "C&C", "deleted": false, "disable_correlation": false, "timestamp": "1662729805", "to_ids": true, "type": "url", "uuid": "5cb19648-900a-4363-ac92-f0dcef307ef1", "value": "http://118.163.105.130:80/update" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1662963677", "to_ids": true, "type": "filename", "uuid": "39fff771-4832-4181-abf2-1aadd9a9d815", "value": "launcher.dll" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1662963677", "to_ids": true, "type": "filename", "uuid": "f25b964c-9158-436e-8f77-86e949f4c5ac", "value": "kernel.dll" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1662963677", "to_ids": true, "type": "filename", "uuid": "6516e8c0-eb91-45f4-9436-cdce2e06e1ab", "value": "installer.dll" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1662963677", "to_ids": true, "type": "filename", "uuid": "79256a9e-de15-47c7-a361-eb7281617e36", "value": "keylog.dll" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1662963677", "to_ids": true, "type": "filename", "uuid": "11ac46b5-49f4-44cc-9eb4-edf82ec428da", "value": "loader.dll" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1662963677", "to_ids": true, "type": "filename", "uuid": "2f9eb12e-0e85-4498-aee6-e01f9855fe79", "value": "slaver.dll" } ], "Object": [ { "comment": "", "deleted": false, "description": "Metadata used to generate an executive level report", "meta-category": "misc", "name": "report", "template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df", "template_version": "7", "timestamp": "1662708531", "uuid": "a68b22f1-a68b-4866-b711-3e20fd9914b2", "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "link", "timestamp": "1662708531", "to_ids": false, "type": "link", "uuid": "56256c65-96f3-4ffc-b9d2-b2cd01e49cdc", "value": "https://www.trendmicro.com/en_us/research/22/i/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolv.html" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "summary", "timestamp": "1662708531", "to_ids": false, "type": "text", "uuid": "72c873ac-5a7e-4cde-a97f-7d6a1fe8d4e9", "value": "\"In March 2021, we investigated a backdoor with a unique modular architecture. Its type of modular framework made our static analysis more challenging because it required us to first rebuild its structure or use dynamic analysis to understand its functionality and behavior.\"" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "type", "timestamp": "1662708531", "to_ids": false, "type": "text", "uuid": "72b488f3-fd16-46c6-a46e-787709228af3", "value": "Report" } ] }, { "comment": " Trojan.Win32.MULTICOM.ZTIC", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "24", "timestamp": "1662724249", "uuid": "807f2024-9752-456a-be70-284533077af6", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1662724249", "to_ids": true, "type": "sha256", "uuid": "57ac80d1-cca3-4457-8969-76874f9915b3", "value": "f8809c6c56d2a0f8a08fe181614e6d9488eeb6983f044f2e6a8fa6a617ef2475" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "filename", "timestamp": "1662724249", "to_ids": true, "type": "filename", "uuid": "fe5af199-95c0-46c2-8459-97a88ec5efe8", "value": "slaver.exe" } ] }, { "comment": "Trojan.Win32.REGLOAD.ZTI", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "24", "timestamp": "1662724592", "uuid": "01ffa6b4-4c4a-4e4d-848c-2e8834970353", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "filename", "timestamp": "1662724592", "to_ids": true, "type": "filename", "uuid": "6a41f248-8cc7-422e-8669-37ba4601bed7", "value": "XecureIO_v20.dll" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1662724592", "to_ids": true, "type": "sha256", "uuid": "66759a76-7557-4c81-8419-cd7e47ad7952", "value": "3fc6c5df4a04d555d5cbf2ca53bed7769b5595fc6143a2599097cb6193ef8810" } ] }, { "comment": "Trojan.Win32.REGLOAD.ZTI", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "24", "timestamp": "1662724615", "uuid": "788f4f53-7c1e-4528-9315-17e4af67cae6", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1662724615", "to_ids": true, "type": "sha256", "uuid": "8ea49814-7e60-42bf-a3ec-b273de5751ea", "value": "ea5db8d658f42acad38106cbc46eea5944607eb709fb00f8adb501d4779fbea0" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "filename", "timestamp": "1662724615", "to_ids": true, "type": "filename", "uuid": "2772b523-c1a8-436a-8ccf-ddac54976d6a", "value": "XecureIO_v20.dll" } ] } ] } }