BumbleBee Roasts Its Way to Domain Admin

In this intrusion, the threat actors operated in an environment over an 11 day dwell period.
The intrusion began with a password protected zipped ISO file that we assess with medium to high confidence due to other reports, likely arrived via an email which included a link to download said zip file.

The execution phase started with that password protected zip, which after extracting would show the user an ISO file that after the user double clicks would mount like a CD or external media device on Windows and present the user with a single file named documents in the directory.

When the user double clicks or opens the lnk file, they inadvertently starts a hidden file in the directory, a DLL (namr.dll) containing the Bumblebee malware loader.
From there, the loader reached out to the Bumblebee C2 server.
At first, things remained fairly quiet, just C2 communications; until around 3 hours later, Bumblebee dropped a Cobalt Strike beacon named wab.exe on the beachhead host.
This Cobalt Strike beacon was subsequently executed and then proceeded to inject into various other processes on the host (explorer.exe, rundll32.exe).

From these injected processes, the threat actors began discovery tasks using Windows utilities like ping and tasklist.

Four hours after initial access, the threat actor started their first lateral movement using RDP to pivot to a server using the local Administrator account.
The threat actor then deployed Anydesk, which was the only observed persistence mechanism used during the intrusion.
The threat actor then started Active Directory mapping using Adfind.

After this activity, the threat actors went silent.
Then, the next day, they accessed the server via RDP and deployed a bespoke tool, VulnRecon, designed to identify local privilege escalation paths on a Windows host.
The tool appeared to be still under development as several command options were not yet implemented.

The next check in from the threat actors, occurred on the 4th day, where the threat actors again ran VulnRecon, but from the beachhead host instead of the server.
AdFind was used again as well.
Next, the threat actor transferred Sysinternals tool Procdump over SMB, to the ProgramData folders on multiple hosts in the environment.
They then used remote services to execute Procdump, which was used to dump lsass.
At this point, the actors appeared to be searching for more access then they currently had.
While they were able to move laterally to workstations and at least one server, it seemed that they had not yet taken control of an account that provided them the access they were seeking, likely a Domain Administrator or similarly highly privileged account.

After that activity, the threat actors then disappeared until the 7th day, at which time they accessed the server via Anydesk.
Again, they executed VulnRecon and then also executed Seatbelt, a red team tool for preforming various host based discovery.

On the final day of the intrusion, the 11th day since the initial entry by the threat actor, they appeared to be preparing to act on final objectives.

The threat actors used PowerShell to download and execute a new Cobalt Strike PowerShell beacon in memory on the beachhead host.
After injecting into various processes on the host, the threat actors executed the PowerShell script Invoke-Kerberoast.
Next, they used yet another technique to dump LSASS on the beachhead host, this time using a built in Windows tool comsvcs.dll.
AdFind was run for a 3rd time in the network, and then two batch scripts were dropped and run.
These batch scripts’ purposes were to identify all online servers and workstations in the environment, often a precursor to ransomware deployment by creating the target list for that deployment.

After the scripts ran, a new Cobalt Strike executable beacon was run on the beachhead.
Next, the threat actors used a service account to execute a Cobalt Strike beacon remotely on a Domain Controller.
This service account was most likely cracked offline after being kerberoasted earlier in the intrusion.

The threat actors were then evicted from the environment before any final actions could be taken.
Based on the level of access and discovery activity from the final day the likely final actions would have been a domain wide ransom deployment.

Sign Up For Threat Alerts

Loading...
Threats Icon

Feb 06, 2023

Vector Stealer Targets RDP Files For Exfiltration

Vector Stealer is an information stealer sold on underground forums since 2022. The malicious software...

Threats Icon

Feb 05, 2023

Operation Ice Breaker

This is a new threat actor,Analysts are tracking it as Ice Breaker APT. Although research...

Threats Icon

Feb 05, 2023

Operation Ice Breaker

ttt

Threats Icon

Feb 05, 2023

Trigona Ransomware Analysis

Trigona ransomware appeared on the threat landscape in late 2022 and threatens to release stolen...

Threats Icon

Feb 02, 2023

Ukraine CERT-UA: Compromised Email Address Used To...

An adversary was discovered using a compromised e-mail address to send phishing emails with a...

Threats Icon

Feb 01, 2023

Ukraine Government Sector Targeted With The DolphinCape...

The government sector of Ukraine was targeted with spear-phishing emails with a malicious attachment which...

Threats Icon

Feb 01, 2023

Ukraine Government Sector Targeted With The DolphinCape...

The government sector of Ukraine was targeted with spear-phishing emails with a malicious attachment which...

Threats Icon

Jan 31, 2023

Multiple Malware Variants Distributed Through Microsoft OneNote

Spear-phishing emails with malicious Microsoft OneNote attachments were discovered delivering variants from the AsyncRAT, Formbook¸...

Threats Icon

Jan 30, 2023

Playing Whack-a-Mole With New Dharma Ransomware Variants

The Dharma ransomware family was initially identified in 2016 and operates as a Ransomware-as-a-Service (RaaS)...

Threats Icon

Jan 29, 2023

APT15 Targets Multiple Sectors With Turian Backdoor

APT15, also known as Playful Taurus, is an advanced persistent threat (APT) that conducts a...

Threats Icon

Jan 26, 2023

Vice Society Ransomware Group Targets Manufacturing Companies

The Vice Society threat group was discovered targeting multiple sectors including manufacturing companies in Brazil....

Threats Icon

Jan 26, 2023

US Cert Alert – Alert (AA23-025A) Protecting...

Although this campaign appears financially motivated, the authoring organizations assess it could lead to additional...

Threats Icon

Jan 25, 2023

Emotet Malware Makes a Comeback with New...

The Emotet malware operation has continued to refine its tactics in an effort to fly...

Threats Icon

Jan 25, 2023

DragonSpark

The DragonSpark attacks represent the first concrete malicious activity where Analysts observe the consistent use...

Threats Icon

Jan 25, 2023

PLAY Ransomware

PLAY is simple but heavily obfuscated with a lot of unique tricks that have not...