BumbleBee Roasts Its Way to Domain Admin

In this intrusion, the threat actors operated in the environment over an 11-day dwell period.
The intrusion began with a password-protected zip archive containing an ISO file which, based on other reports, we assess with medium to high confidence arrived via an email that included a link to download the zip file.

The execution phase started with that password-protected zip. After extraction, the user is presented with an ISO file; double-clicking it mounts the image on Windows like a CD or external media device and shows the user a single file named "documents" in the directory.

When the user double-clicks or opens this LNK file, they inadvertently start a hidden file in the same directory, a DLL (namr.dll) containing the Bumblebee malware loader.
From there, the loader reached out to the Bumblebee C2 server.
At first, things remained fairly quiet, with only C2 communications, until around 3 hours later, when Bumblebee dropped a Cobalt Strike beacon named wab.exe on the beachhead host.
This Cobalt Strike beacon was subsequently executed and then proceeded to inject into various other processes on the host (explorer.exe, rundll32.exe).

From these injected processes, the threat actors began discovery tasks using Windows utilities like ping and tasklist.

Four hours after initial access, the threat actor started their first lateral movement using RDP to pivot to a server using the local Administrator account.
The threat actor then deployed AnyDesk, which was the only persistence mechanism observed during the intrusion.
Next, the threat actor began mapping Active Directory using AdFind.

After this activity, the threat actors went silent.
Then, the next day, they accessed the server via RDP and deployed a bespoke tool, VulnRecon, designed to identify local privilege escalation paths on a Windows host.
The tool appeared to be still under development as several command options were not yet implemented.

The next check-in from the threat actors occurred on the 4th day, when they again ran VulnRecon, this time from the beachhead host instead of the server.
AdFind was used again as well.
Next, the threat actor transferred the Sysinternals tool ProcDump over SMB to the ProgramData folder on multiple hosts in the environment.
They then used remote services to execute ProcDump, which was used to dump LSASS.
At this point, the actors appeared to be searching for more access than they currently had.
While they were able to move laterally to workstations and at least one server, it seemed that they had not yet taken control of an account that provided the access they were seeking, likely a Domain Administrator or similarly highly privileged account.

After that activity, the threat actors disappeared until the 7th day, at which time they accessed the server via AnyDesk.
Again, they executed VulnRecon, and then also executed Seatbelt, a red team tool for performing various host-based discovery.

On the final day of the intrusion, the 11th day since the initial entry by the threat actor, they appeared to be preparing to act on final objectives.

The threat actors used PowerShell to download and execute a new Cobalt Strike PowerShell beacon in memory on the beachhead host.
After injecting into various processes on the host, the threat actors executed the PowerShell script Invoke-Kerberoast.
Next, they used yet another technique to dump LSASS on the beachhead host, this time using the built-in Windows library comsvcs.dll.
AdFind was run for a 3rd time in the network, and then two batch scripts were dropped and run.
The purpose of these batch scripts was to identify all online servers and workstations in the environment; this is often a precursor to ransomware deployment, since it builds the target list for that deployment.
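The two LSASS dumping methods described in this summary (ProcDump transferred to ProgramData and executed remotely, and the built-in comsvcs.dll MiniDump export invoked through rundll32) leave distinctive process-creation records. The following detection logic is an added example written for this page, not code from The DFIR Report or from the intrusion; it runs over constructed process-creation events modelled on Sysmon Event ID 1 / Security 4688 fields, and the host names, paths, PIDs and the per-host LSASS PID table are assumptions for illustration.

```python
"""Detect LSASS credential dumping via ProcDump and comsvcs.dll MiniDump.

Added example for this page, not code from The DFIR Report. Events are
constructed to resemble Sysmon Event ID 1 / Security 4688 process-creation
records; hosts, paths and PIDs are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    image: str           # full path of the created process
    command_line: str
    parent_image: str


# Constructed sample events. The first two mirror the behaviour described in
# the summary; the rest are benign lookalikes a naive substring match would flag.
SAMPLE_EVENTS: List[ProcessEvent] = [
    ProcessEvent("WS01", r"C:\ProgramData\procdump.exe",
                 r"procdump.exe -accepteula -ma lsass.exe C:\ProgramData\lsass.dmp",
                 r"C:\Windows\System32\services.exe"),
    ProcessEvent("WS01", r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 612 C:\ProgramData\out.dmp full",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcessEvent("WS02", r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent("DEV01", r"C:\Tools\procdump.exe",
                 r"procdump.exe -ma 4321 C:\Temp\myapp.dmp",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("WS03", r"C:\Windows\System32\tasklist.exe",
                 r'tasklist /fi "imagename eq lsass.exe"',
                 r"C:\Windows\System32\cmd.exe"),
]

# Assumed per-host PID of lsass.exe, as a SIEM would learn from earlier
# process-creation events. comsvcs.dll MiniDump only accepts a PID, so the
# target cannot be recognised from the command line alone.
SAMPLE_LSASS_PIDS: Dict[str, int] = {"WS01": 612, "WS02": 700}

_LSASS_NAME = re.compile(r"\blsass\b", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _targets_lsass(ev: ProcessEvent, lsass_pids: Dict[str, int]) -> bool:
    """True if the command line names lsass or carries this host's LSASS PID."""
    cl = ev.command_line
    if _LSASS_NAME.search(cl):
        return True
    pid = lsass_pids.get(ev.host)
    if pid is None:
        return False
    # Match the PID as a standalone number so 612 does not match 6120.
    return re.search(rf"(?<!\d){pid}(?!\d)", cl) is not None


def classify(ev: ProcessEvent, lsass_pids: Dict[str, int]) -> Optional[str]:
    """Return a detection label for one process-creation event, or None."""
    image = _basename(ev.image)
    cl = ev.command_line.lower()
    if image in ("procdump.exe", "procdump64.exe") and _targets_lsass(ev, lsass_pids):
        return "LSASS dump via ProcDump"
    if image == "rundll32.exe" and "comsvcs" in cl and ("minidump" in cl or "#24" in cl):
        # comsvcs MiniDump is rarely legitimate; report it even when the PID
        # could not be resolved, but distinguish the confirmed LSASS case.
        if _targets_lsass(ev, lsass_pids):
            return "LSASS dump via comsvcs.dll MiniDump"
        return "comsvcs.dll MiniDump of unresolved process"
    return None


def detect(events: List[ProcessEvent], lsass_pids: Dict[str, int]) -> List[Tuple[str, str]]:
    """Run classify over a batch of events and return (host, label) hits in order."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        label = classify(ev, lsass_pids)
        if label is not None:
            hits.append((ev.host, label))
    return hits


if __name__ == "__main__":
    for host, label in detect(SAMPLE_EVENTS, SAMPLE_LSASS_PIDS):
        print(f"{host}: {label}")
```

The PID table is the part most often missing from a rule: a ProcDump run against lsass by PID rather than by name, and every comsvcs.dll MiniDump invocation, only resolve to LSASS when the detection knows which PID lsass.exe has on that host, so feeding process-creation events for lsass.exe into that table is what turns the comsvcs hit from "unresolved" into a confirmed credential dump.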

After the scripts ran, a new Cobalt Strike executable beacon was run on the beachhead.
Next, the threat actors used a service account to execute a Cobalt Strike beacon remotely on a Domain Controller.
This service account was most likely cracked offline after being kerberoasted earlier in the intrusion.
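The Invoke-Kerberoast run on the final day and the later use of a cracked service account point at what to hunt for: a single client requesting RC4-encrypted TGS tickets for many distinct service accounts in a short window, which domain controllers record as Security Event ID 4769. The following detection is an added example for this page, not code from The DFIR Report; the 4769 events, account names, SPN owners and IP addresses are constructed, and the window and threshold defaults are illustrative assumptions.

```python
"""Detect Kerberoasting bursts from Security Event ID 4769 (TGS request) records.

Added example for this page, not code from The DFIR Report. All events are
constructed; account names, service accounts, addresses, and the window and
threshold defaults are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

RC4_HMAC = 0x17  # TicketEncryptionType value for RC4-HMAC in 4769


@dataclass(frozen=True)
class TgsRequest:
    timestamp: datetime
    account_name: str     # TargetUserName: the user requesting the ticket
    service_name: str     # ServiceName: the account that owns the SPN
    client_address: str   # IpAddress of the requester
    encryption_type: int  # TicketEncryptionType


def _t(seconds: int) -> datetime:
    """Constructed timestamps, all within one hour."""
    return datetime(2022, 1, 1, 12, 0, 0) + timedelta(seconds=seconds)


# Constructed 4769 events. "jdoe" from 10.1.1.50 requests RC4 tickets for four
# distinct service accounts in under a minute, which is what a tool that
# enumerates SPNs and requests a ticket for each produces. The other entries
# are normal traffic, a machine-account ticket, and a krbtgt ticket.
SAMPLE_REQUESTS: List[TgsRequest] = [
    TgsRequest(_t(0),    "jdoe", "svc_sql",    "10.1.1.50", RC4_HMAC),
    TgsRequest(_t(5),    "jdoe", "svc_web",    "10.1.1.50", RC4_HMAC),
    TgsRequest(_t(12),   "jdoe", "svc_backup", "10.1.1.50", RC4_HMAC),
    TgsRequest(_t(20),   "jdoe", "svc_sccm",   "10.1.1.50", RC4_HMAC),
    TgsRequest(_t(21),   "jdoe", "WS01$",      "10.1.1.50", RC4_HMAC),
    TgsRequest(_t(22),   "jdoe", "krbtgt",     "10.1.1.50", RC4_HMAC),
    TgsRequest(_t(30),   "mlee", "svc_sql",    "10.1.1.20", 0x12),  # AES256
    TgsRequest(_t(900),  "ops",  "svc_sql",    "10.1.1.30", RC4_HMAC),
    TgsRequest(_t(3000), "ops",  "svc_web",    "10.1.1.30", RC4_HMAC),
]


def is_roast_candidate(req: TgsRequest) -> bool:
    """RC4 TGS requests for user-owned SPNs; machine accounts and krbtgt excluded."""
    svc = req.service_name.lower()
    if svc == "krbtgt" or svc.endswith("$"):
        return False
    return req.encryption_type == RC4_HMAC


def detect_kerberoast(requests: List[TgsRequest],
                      window: timedelta = timedelta(minutes=5),
                      min_services: int = 3) -> List[Dict]:
    """Flag (user, client) pairs that request RC4 tickets for at least
    min_services distinct service accounts within any window of the given length."""
    by_client = defaultdict(list)
    for r in sorted(requests, key=lambda r: r.timestamp):
        if is_roast_candidate(r):
            by_client[(r.account_name, r.client_address)].append(r)
    alerts: List[Dict] = []
    for (user, ip), reqs in by_client.items():
        best: set = set()
        start = 0
        for end in range(len(reqs)):
            # Slide the window start forward until the span fits within `window`.
            while reqs[end].timestamp - reqs[start].timestamp > window:
                start += 1
            services = {r.service_name.lower() for r in reqs[start:end + 1]}
            if len(services) > len(best):
                best = services
        if len(best) >= min_services:
            alerts.append({"user": user, "client": ip, "services": sorted(best)})
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoast(SAMPLE_REQUESTS):
        print(f"{alert['user']}@{alert['client']} requested RC4 tickets for {alert['services']}")
```

RC4 on its own is a noisy signal in domains where service accounts still default to it, which is why the example keys on the burst of distinct SPN owners from one requester and drops machine-account and krbtgt tickets. The follow-up seen in this intrusion, a service account authenticating from a host it never used before and launching a remote service on a Domain Controller, is the second half of the same hunt.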

The threat actors were then evicted from the environment before any final actions could be taken.
Based on the level of access and the discovery activity from the final day, the likely final action would have been a domain-wide ransomware deployment.
