Deep Instinct, has released its research on Bumblebee, a recent targeted attack, which was detected and prevented before execution, in one of their clients’ environments. More specifically, the attack involved an obfuscated PowerShell script, a .VHD file (a type of disk image file similar to .ISO), a DLL, and spear phishing correspondence.
We spoke with Chuck Everette at Deep Instinct to talk in more depth about the attack characteristics.
What did you find and how?
Deep Instinct Threat Lab monitors and investigates new threats that we detect and prevent. This new attack vector came, a prevention was triggered, and investigative response by our threat Lab was imitated. As noted in our blog, Deep Instinct prevented the threat before any other security vendors reported even identifying the threat.
What makes this threat unique?
What makes this threat unique is the code shows a level of ingenuity and innovation while not unique, but definitely at a level of sophistication we haven’t seen for quite some time. Cyber criminals are constantly evolving and looking for new ways to infect systems. This code and threat takes it to another level that other security vendors will find difficult to detect let alone prevent.
Who is at risk?
One of the key findings is the use of this attack in spear phishing attacks. Meaning they are targeting victims, building “trust”, and then utilizing this attack on the target. This means anyone that the cyber criminals target, is at a major risk due to the innovation of this attack.
What can organizations do to protect themselves?
Organizations need to be more diligent than ever and policing and educating the users on these types of targeted spear Phishing attacks. But education will only go so far. Too often we are finding that organizations are hesitant to adopt stricter security policies let alone replace feeling legacy security products with newer preventative solutions that can have only detect, but prevent these types of attacks from even injecting into memory or dropping or executing files in their environments. In my experience talking with seasoned CIO’s and CISO’s behind closed doors, they admit there often needs to be a catalyst or an event in order for them to get funding to replace failing or legacy cyber solutions that do not meet the needs of the business. Cyber criminals’ techniques and tactics are evolving and getting more and more sophisticated on a daily basis, organizations cyber defenses need to keep pace and get in front of the issues and set of constantly being reactive and responding only after a cyber attack has transpired when a breach has occurred. Summary of key attack characteristics:
To establish trust, the attacker did not include attachments or requests to download files in their first email, only introducing themselves as the person they impersonated and using the promise of a new business opportunity.
The attacker used a domain “hognose1,” registered with porkbun.com, with Postfix smtpd. The “Smash” link was provided in a separate email leading to a .VHD file that contained an .LNK (shortcut file), which executes a hidden PowerShell script that resides in the disk image file as well.
The final DLL is 64-bit Bumblebee payload. It is protected by what appears to be a unique private crypter that is present in all Bumblebee binaries.
The observed attack chain is consistent with EXOTIC LILY activity and the attackers chose to send the mails around the time of Black Hat USA.