505 lines
No EOL
16 KiB
JSON
505 lines
No EOL
16 KiB
JSON
{
|
|
"Event": {
|
|
"analysis": "0",
|
|
"date": "2022-09-02",
|
|
"extends_uuid": "",
|
|
"info": "Buzzing in the Background: BumbleBee, a New Modular Backdoor Evolved From BookWorm",
|
|
"publish_timestamp": "1666603457",
|
|
"published": true,
|
|
"threat_level_id": "2",
|
|
"timestamp": "1666603410",
|
|
"uuid": "758d96ed-9dd4-4009-9270-65f2c3dd30cc",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#064b00",
|
|
"local": false,
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Hijack Execution Flow - T1574\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Indicator Removal on Host - T1070\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Execution Guardrails - T1480\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Boot or Logon Autostart Execution - T1547\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Boot or Logon Initialization Scripts - T1037\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Create or Modify System Process - T1543\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#075900",
|
|
"local": false,
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Input Capture - T1417\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Input Capture - T1056\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Gather Victim Host Information - T1592\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Bypass User Access Control - T1548.002\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Proxy - T1090\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Symmetric Cryptography - T1573.001\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Malware - T1587.001\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:malpedia=\"BumbleBee\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#004646",
|
|
"local": false,
|
|
"name": "type:OSINT",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0071c3",
|
|
"local": false,
|
|
"name": "osint:lifetime=\"perpetual\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0087e8",
|
|
"local": false,
|
|
"name": "osint:certainty=\"50\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": false,
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:tool=\"BumbleBee\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#00b3b3",
|
|
"local": false,
|
|
"name": "ecsirt:intrusions=\"backdoor\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#00a9ce",
|
|
"local": false,
|
|
"name": "veris:action:malware:variety=\"Backdoor\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#2c0037",
|
|
"local": false,
|
|
"name": "ms-caro-malware:malware-type=\"Backdoor\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#001534",
|
|
"local": false,
|
|
"name": "ms-caro-malware-full:malware-type=\"Backdoor\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:malpedia=\"Bookworm\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:tool=\"Bookworm\"",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Backdoor.Win32.BUMBLEB.ZTIC - ore",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1662729265",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "35a4ef92-4ae2-4a9b-b23e-d03024f278a1",
|
|
"value": "eeca34fba68754e05e7307de61708e4ce74441754fcc6ae762148edf9e8e2ca0"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Backdoor.Win32.BUMBLEB.ZTIC - bin",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1662729274",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5823caf2-1ab2-4c0d-a24e-de7edd58b23e",
|
|
"value": "6690b7ace461b60b7a72613c202d70f4684c8cdc5afbb4267c67b5fe5dbf828e"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Backdoor.Win32.BUMBLEB.ZTIC - bin",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1662729281",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "d56163b8-3f70-494a-8c03-b5cd66da7aca",
|
|
"value": "4ecde81a476f1e4622d192fe2f120f7c5c3ec58bf118b791d5532f3ff61c09ee"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Backdoor.Win32.BUMBLEB.ZTIC - bin",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1662729289",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "dba0f86f-314c-4aac-b08c-5b4d47e2a1da",
|
|
"value": "8ab8bb836b074e170c129b7f0523d256930fd1f8cf126ca1875b450fdb6c4c05"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Backdoor.Win32.BUMBLEB.ZTIC - ore",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1662729293",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "903429af-87ca-4865-ab0a-da4febe313e9",
|
|
"value": "515cb31b2c89df83ea6d54d5c0c3e4fe9a024319d9bd8fd76ad351860bd67ea3"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Backdoor.Win32.BUMBLEB.ZTIC - bin",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1662729299",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "01769315-d698-45fe-8388-4853f1f7a30d",
|
|
"value": "8e340746339614ca105a1873dad471188b24421648d080e37d52b87f4ced5e6d"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C&C",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1662729805",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "c9e05448-4911-489a-a310-2f6bd3b0c8f5",
|
|
"value": "http://www.synolo.ns01.biz:80/update"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C&C",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1662729805",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5cb19648-900a-4363-ac92-f0dcef307ef1",
|
|
"value": "http://118.163.105.130:80/update"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1662963677",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "39fff771-4832-4181-abf2-1aadd9a9d815",
|
|
"value": "launcher.dll"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1662963677",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "f25b964c-9158-436e-8f77-86e949f4c5ac",
|
|
"value": "kernel.dll"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1662963677",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "6516e8c0-eb91-45f4-9436-cdce2e06e1ab",
|
|
"value": "installer.dll"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1662963677",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "79256a9e-de15-47c7-a361-eb7281617e36",
|
|
"value": "keylog.dll"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1662963677",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "11ac46b5-49f4-44cc-9eb4-edf82ec428da",
|
|
"value": "loader.dll"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1662963677",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "2f9eb12e-0e85-4498-aee6-e01f9855fe79",
|
|
"value": "slaver.dll"
|
|
}
|
|
],
|
|
"Object": [
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "Metadata used to generate an executive level report",
|
|
"meta-category": "misc",
|
|
"name": "report",
|
|
"template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
|
|
"template_version": "7",
|
|
"timestamp": "1662708531",
|
|
"uuid": "a68b22f1-a68b-4866-b711-3e20fd9914b2",
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "link",
|
|
"timestamp": "1662708531",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "56256c65-96f3-4ffc-b9d2-b2cd01e49cdc",
|
|
"value": "https://www.trendmicro.com/en_us/research/22/i/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolv.html"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "summary",
|
|
"timestamp": "1662708531",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "72c873ac-5a7e-4cde-a97f-7d6a1fe8d4e9",
|
|
"value": "\"In March 2021, we investigated a backdoor with a unique modular architecture. Its type of modular framework made our static analysis more challenging because it required us to first rebuild its structure or use dynamic analysis to understand its functionality and behavior.\""
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "type",
|
|
"timestamp": "1662708531",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "72b488f3-fd16-46c6-a46e-787709228af3",
|
|
"value": "Report"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": " Trojan.Win32.MULTICOM.ZTIC",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1662724249",
|
|
"uuid": "807f2024-9752-456a-be70-284533077af6",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1662724249",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "57ac80d1-cca3-4457-8969-76874f9915b3",
|
|
"value": "f8809c6c56d2a0f8a08fe181614e6d9488eeb6983f044f2e6a8fa6a617ef2475"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "filename",
|
|
"timestamp": "1662724249",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "fe5af199-95c0-46c2-8459-97a88ec5efe8",
|
|
"value": "slaver.exe"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "Trojan.Win32.REGLOAD.ZTI",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1662724592",
|
|
"uuid": "01ffa6b4-4c4a-4e4d-848c-2e8834970353",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "filename",
|
|
"timestamp": "1662724592",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "6a41f248-8cc7-422e-8669-37ba4601bed7",
|
|
"value": "XecureIO_v20.dll"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1662724592",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "66759a76-7557-4c81-8419-cd7e47ad7952",
|
|
"value": "3fc6c5df4a04d555d5cbf2ca53bed7769b5595fc6143a2599097cb6193ef8810"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "Trojan.Win32.REGLOAD.ZTI",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1662724615",
|
|
"uuid": "788f4f53-7c1e-4528-9315-17e4af67cae6",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1662724615",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "8ea49814-7e60-42bf-a3ec-b273de5751ea",
|
|
"value": "ea5db8d658f42acad38106cbc46eea5944607eb709fb00f8adb501d4779fbea0"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "filename",
|
|
"timestamp": "1662724615",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "2772b523-c1a8-436a-8ccf-ddac54976d6a",
|
|
"value": "XecureIO_v20.dll"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
} |