Happy Sunday!
The Intel 471 team provides their findings on the #BumbleBee loader as it makes its comeback after a two-month break, taking the place of the #BazarLoader (whose source code was leaked when the #Conti leak occurred). The BumbleBee loader has been associated with distributing ransomware and is currently being used by multiple threat actors. My favorite part of this article though (and not surprising) is all the MITRE ATT&CK mappings that give all the #ThreatHunters a place to start looking, so thank you for that, team! I hope you all enjoy, and Happy Hunting!
Bumblebee Loader Resurfaces in New Campaign
https://intel471.com/blog/bumblebee-loader-resurfaces-in-new-campaign
MITRE ATT&CK places I'd start:
TA0002 - Execution
T1204.002 - User Execution: Malicious File
(Look for anomalous wmic.exe, conhost.exe, or schtasks executions.)
TA0003 - Persistence
T1053.005 - Scheduled Task/Job: Scheduled Task
(Newly created tasks that do not follow normal syntax or convention. Look at the arguments included with the task to see whether they contain any obfuscation or anomalous directories/filenames.)
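As a starting point for the two hunts above, here is an added example (my own, not from the Intel 471 article) that triages constructed process-creation events for T1204.002 and T1053.005. The event lines, the key names (Image, CommandLine, ParentImage, modelled loosely on Sysmon Event ID 1) and the heuristics (user-facing parent processes, user-writable directories, obfuscation markers, tasks created at the scheduler root) are all assumptions to tune for your environment.

```python
import re

# Binaries called out in the T1204.002 note above.
WATCHED_IMAGES = {"wmic.exe", "conhost.exe", "schtasks.exe"}
# Parents that rarely need to spawn those binaries in normal use (assumption; tune per environment).
USER_FACING_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "msedge.exe", "chrome.exe"}
# Directories a standard user can write to (assumption).
USER_WRITABLE_DIR = re.compile(r"\\(appdata|temp|tmp|programdata|public|downloads)\\", re.I)
# A long base64-looking token is a cheap obfuscation marker.
LONG_OPAQUE_TOKEN = re.compile(r"[A-Za-z0-9+/=]{40,}")
# Task name argument of schtasks /create.
TASK_NAME = re.compile(r"/tn\s+\"?([^\"/]+)", re.I)

# Constructed sample events (not real telemetry): Key=Value pairs separated by '|'.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\wbem\WMIC.exe|CommandLine=wmic os get caption|ParentImage=C:\Windows\System32\cmd.exe",
    r"Image=C:\Windows\System32\wbem\WMIC.exe|CommandLine=wmic os get caption|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    r"Image=C:\Windows\System32\schtasks.exe|CommandLine=schtasks /create /tn \Microsoft\Windows\Contoso\Backup /tr C:\Program Files\Contoso\backup.exe /sc daily|ParentImage=C:\Program Files\Contoso\setup.exe",
    r"Image=C:\Windows\System32\schtasks.exe|CommandLine=schtasks /create /tn Updater /tr C:\Users\alice\AppData\Local\Temp\upd.exe /sc minute /mo 15|ParentImage=C:\Windows\System32\cmd.exe",
    r"Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe readme.txt|ParentImage=C:\Windows\explorer.exe",
]


def parse_event(line):
    """Parse one 'Key=Value|Key=Value' line into a dict with lower-cased keys."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(event):
    """Return (technique_id, reasons) if the event looks anomalous, else None."""
    image = basename(event.get("image", ""))
    if image not in WATCHED_IMAGES:
        return None
    parent = basename(event.get("parentimage", ""))
    cmd = event.get("commandline", "")
    reasons = []
    if parent in USER_FACING_PARENTS:
        reasons.append(f"{image} spawned by user-facing parent {parent}")
    if USER_WRITABLE_DIR.search(cmd):
        reasons.append("command line references a user-writable directory")
    if "^" in cmd or LONG_OPAQUE_TOKEN.search(cmd):
        reasons.append("command line shows signs of obfuscation")
    technique = "T1204.002"
    if image == "schtasks.exe" and "/create" in cmd.lower():
        technique = "T1053.005"
        match = TASK_NAME.search(cmd)
        name = match.group(1).strip() if match else ""
        # Vendor tasks normally sit in a folder such as \Microsoft\...; a bare
        # name at the scheduler root breaks that convention (assumption).
        if name and "\\" not in name:
            reasons.append(f"task '{name}' created at the task-scheduler root")
    return (technique, reasons) if reasons else None


def hunt(lines):
    """Run triage over raw event lines; return (image, technique, reasons) per hit."""
    hits = []
    for line in lines:
        event = parse_event(line)
        result = triage(event)
        if result:
            hits.append((basename(event.get("image", "")), *result))
    return hits


if __name__ == "__main__":
    for image, technique, reasons in hunt(SAMPLE_EVENTS):
        print(f"[{technique}] {image}: {'; '.join(reasons)}")
```

Against the constructed events, the WMIC run from cmd.exe and the vendor task under \Microsoft\Windows\Contoso pass quietly, while the WMIC run spawned by WINWORD.EXE and the root-level "Updater" task pointing into AppData\Local\Temp are surfaced with the reason for each. The checks are deliberately simple; the value is in running them over real process-creation telemetry and then tuning the parent and directory lists to what is normal in your environment.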