ioc.exchange is one of the many independent Mastodon servers you can use to participate in the fediverse.
INDICATORS OF COMPROMISE (IOC) InfoSec Community within the Fediverse. Newbies, experts, gurus - Everyone is Welcome! Instance is supposed to be fast and secure.


Just Another Blue Teamer

Happy Sunday!

The Intel 471 team provides their findings of the loader as it makes its comeback after a two month break. Taking the place of the (the source code was leaked when the leak occurred). The BumbleBee loader has been associated with distributing ransomware and is currently being used by multiple threat actors. My favorite part of this article though (and not surprising) is all the MITRE ATT&CK mappings that provide all the a place to start looking, so thank you for that team! I hope you all enjoy and Happy Hunting!

Bumblebee Loader Resurfaces in New Campaign
intel471.com/blog/bumblebee-lo

Mitre ATT&CK places I'd start:
TA0002 - Execution
T1204.002 - User Execution: Malicious File
(Look for anomalous wmic.exe, conhost.exe, or schtasks executions.)

TA0003 - Persistence
T1053.005 - Scheduled Task/Job: Scheduled Task
(Newly created tasks that do not follow normal syntax or convention. Look at the arguments that are included to see if there are any obfuscation or anomalous directories/filenames.)
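The two hunting leads in the post (anomalous wmic.exe/conhost.exe/schtasks.exe executions for T1204.002, and newly created scheduled tasks with odd arguments or directories for T1053.005) turned into runnable detection logic. This is an added example, not code from the post or from Intel 471: the process-creation events are constructed to resemble Sysmon Event ID 1 fields, and the lists of document handlers, proxy binaries, user-writable directories and the obfuscation thresholds are assumptions to be tuned per environment, not indicators from the article.

```python
"""Hunting heuristics for T1204.002 and T1053.005 over process-creation events.
Added example; event records are constructed (Sysmon Event ID 1 style), and the
allow/deny lists below are assumptions, not indicators taken from the Intel 471 post."""
import re
from dataclasses import dataclass

# Assumption: applications that open user-delivered files and should rarely
# launch these utilities directly (T1204.002 - User Execution: Malicious File).
USER_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
             "explorer.exe", "7zfm.exe", "winrar.exe"}
WATCHED = {"wmic.exe", "conhost.exe", "schtasks.exe"}

# Assumption: directories a legitimately installed scheduled task seldom runs from.
USER_WRITABLE = re.compile(r"\\(appdata|temp|tmp|programdata|users\\public|downloads)\\", re.I)
# Assumption: script/proxy hosts commonly used by a task to run a dropped payload.
PROXY_HOSTS = {"rundll32.exe", "regsvr32.exe", "wscript.exe", "cscript.exe",
               "mshta.exe", "powershell.exe"}
# Assumption: a 40+ character base64-looking run, or several carets, counts as obfuscation.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


@dataclass
class Event:
    image: str          # full path of the created process
    command_line: str   # its command line
    parent_image: str   # full path of the parent process


def basename(path: str) -> str:
    """Lower-cased file name; a bare 'powershell' is normalised to 'powershell.exe'."""
    name = path.strip('"').rsplit("\\", 1)[-1].lower()
    return name if "." in name else name + ".exe"


def is_obfuscated(command_line: str) -> bool:
    return bool(BASE64_BLOB.search(command_line)) or command_line.count("^") >= 3


def user_execution_findings(ev: Event) -> list:
    """T1204.002: watched binary spawned by a document/archive handler, or wmic creating a process."""
    img, parent = basename(ev.image), basename(ev.parent_image)
    out = []
    if img in WATCHED and parent in USER_APPS:
        out.append(f"T1204.002 {img} spawned by document handler {parent}")
    if img == "wmic.exe" and re.search(r"process\s+call\s+create", ev.command_line, re.I):
        out.append("T1204.002 wmic.exe used to create a process")
    return out


def scheduled_task_findings(ev: Event) -> list:
    """T1053.005: schtasks /create whose action (/tr) looks out of place."""
    if basename(ev.image) != "schtasks.exe" or not re.search(r"/create\b", ev.command_line, re.I):
        return []
    m = re.search(r'/tr\s+("[^"]*"|\S+)', ev.command_line, re.I)
    action = m.group(1).strip('"') if m else ""
    out = []
    if USER_WRITABLE.search(action):
        out.append("T1053.005 task action runs from a user-writable directory")
    if action and basename(action.split()[0]) in PROXY_HOSTS:
        out.append("T1053.005 task action is a script/proxy host")
    if is_obfuscated(ev.command_line):
        out.append("T1053.005 obfuscated task arguments")
    return out


def hunt(events) -> list:
    """Return (event index, finding) pairs for every rule that fires."""
    return [(i, f) for i, ev in enumerate(events)
            for f in user_execution_findings(ev) + scheduled_task_findings(ev)]


# Constructed sample events: two benign, three that should light up.
SAMPLE_EVENTS = [
    Event(r"C:\Windows\System32\wbem\WMIC.exe",
          r'wmic process call create "rundll32 C:\Users\bob\AppData\Local\Temp\a.dll,Start"',
          r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    Event(r"C:\Windows\System32\schtasks.exe",
          r'schtasks.exe /create /tn "Updater" /tr "rundll32.exe C:\Users\bob\AppData\Roaming\a.dll,Entry" /sc minute /mo 5 /f',
          r"C:\Windows\explorer.exe"),
    Event(r"C:\Windows\System32\schtasks.exe",
          r'schtasks.exe /create /tn "\Microsoft\Windows\Defrag\ScheduledDefrag" /tr "C:\Windows\system32\defrag.exe -c -h -o" /sc weekly',
          r"C:\Windows\System32\svchost.exe"),
    Event(r"C:\Windows\System32\conhost.exe", r"\??\C:\Windows\system32\conhost.exe 0x4",
          r"C:\Windows\System32\services.exe"),
    Event(r"C:\Windows\System32\schtasks.exe",
          r'schtasks.exe /create /tn "OneDrive Update" /tr "powershell -w hidden -enc QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVoxMjM0NTY3ODkw" /sc onlogon',
          r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for idx, finding in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

The schtasks rules key on the task action rather than the task name because a name is trivially chosen to blend in; the first token of /tr and the directory it points into are what an operator has to commit to. Treat each fired rule as a triage lead, not a verdict: explorer.exe spawning schtasks.exe is also what a user clicking a legitimate installer looks like.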