The malware loader known as Bumblebee is being increasingly co-opted by threat actors associated with BazarLoader, TrickBot, and IcedID in their campaigns to breach target networks for post-exploitation activities.
"Bumblebee operators conduct intensive reconnaissance activities and redirect the output of executed commands to files for exfiltration," Cybereason researchers Meroujan Antonyan and Alon Laufer said in a technical write-up.
Bumblebee first came to light in March 2022 when Google's Threat Analysis Group (TAG) unmasked the activities of an initial access broker dubbed Exotic Lily with ties to the TrickBot and the larger Conti collectives.
The loader is typically delivered through initial access obtained by spear-phishing campaigns. The modus operandi has since been tweaked to eschew macro-laced documents in favor of ISO and LNK files, primarily in response to Microsoft's decision to block macros by default.
"Distribution of the malware is done by phishing emails with an attachment or a link to a malicious archive containing Bumblebee," the researchers said. "The initial execution relies on the end-user execution which has to extract the archive, mount an ISO image file, and click a Windows shortcut (LNK) file."
The LNK file, for its part, contains the command to launch the Bumblebee loader, which is then used as a conduit for next-stage actions such as persistence, privilege escalation, reconnaissance, and credential theft.
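The infection chain above (archive extracted, ISO mounted, LNK clicked, loader launched) and the earlier observation that the operators redirect the output of reconnaissance commands into files both leave traces in process-creation telemetry. The following script is an added example written for this page, not code from Cybereason or from the article; it runs two simple rules over constructed process events whose field names are modelled on Sysmon Event ID 1 (an assumption), flagging a process that Explorer started with its working directory on a non-system drive (the way a shortcut on a mounted ISO typically appears, also an assumption) and a reconnaissance command whose output is redirected to a file. The loader path in the sample data is a placeholder.

```python
"""Detection example over constructed process-creation events.

Two heuristics grounded in the article:
  1. a process started by explorer.exe whose working directory is on a
     non-system drive (a freshly mounted ISO shows up as a new drive letter
     -- assumption; removable media looks the same, so pair this with
     mount telemetry in a real deployment);
  2. a reconnaissance command whose output is redirected into a file.
All events are constructed for the example; no real incident data is used.
"""
import re
from dataclasses import dataclass

# Reconnaissance binaries to look for. The set is an assumption; extend it
# from your own telemetry.
RECON_BINARIES = {"whoami", "net", "net1", "nltest", "ipconfig", "systeminfo",
                  "tasklist", "arp", "netstat", "nslookup", "quser"}

# Longest names first so "netstat" is not shadowed by "net".
RECON_RE = re.compile(
    r"(?:^|[\s\"&|(])(?P<cmd>"
    + "|".join(sorted(RECON_BINARIES, key=len, reverse=True))
    + r")(?:\.exe)?\b",
    re.IGNORECASE,
)
# Output redirection: "> file" or ">> file"; "2>&1" is not a file target.
REDIRECT_RE = re.compile(r"(?<!\d)>{1,2}\s*(?P<target>\"[^\"]+\"|[^\s&|]+)")


@dataclass
class ProcessEvent:
    image: str              # full path of the started process
    parent_image: str       # full path of the parent process
    command_line: str
    current_directory: str  # working directory at process start


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def launched_from_mounted_volume(ev: ProcessEvent, system_drive: str = "C:") -> bool:
    """Explorer-launched process whose working directory is not on the system drive."""
    if _basename(ev.parent_image) != "explorer.exe":
        return False
    drive = ev.current_directory[:2].upper()
    return re.fullmatch(r"[A-Z]:", drive) is not None and drive != system_drive.upper()


def recon_with_redirect(ev: ProcessEvent):
    """Return (recon command, target file) if output is redirected, else None."""
    m = RECON_RE.search(ev.command_line)
    if not m:
        return None
    r = REDIRECT_RE.search(ev.command_line, m.end())
    if not r:
        return None
    return (m.group("cmd").lower(), r.group("target").strip('"'))


def triage(events):
    """Run both rules over a list of events; returns (index, rule, detail) tuples."""
    findings = []
    for i, ev in enumerate(events):
        if launched_from_mounted_volume(ev):
            findings.append((i, "lnk-from-mounted-volume", ev.current_directory))
        hit = recon_with_redirect(ev)
        if hit:
            findings.append((i, "recon-output-redirect", f"{hit[0]} -> {hit[1]}"))
    return findings


# Constructed sample events. LOADER_PLACEHOLDER stands in for the loader binary.
SAMPLE_EVENTS = [
    ProcessEvent(image="C:\\Windows\\System32\\cmd.exe",
                 parent_image="C:\\Windows\\explorer.exe",
                 command_line='cmd.exe /c start "" D:\\LOADER_PLACEHOLDER.exe',
                 current_directory="D:\\"),
    ProcessEvent(image="C:\\Windows\\System32\\cmd.exe",
                 parent_image="C:\\Users\\Public\\LOADER_PLACEHOLDER.exe",
                 command_line="cmd.exe /c nltest /domain_trusts > C:\\ProgramData\\dt.txt",
                 current_directory="C:\\Users\\Public"),
    ProcessEvent(image="C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
                 parent_image="C:\\Windows\\explorer.exe",
                 command_line='"WINWORD.EXE" report.docx',
                 current_directory="C:\\Users\\alice\\Documents"),
    ProcessEvent(image="C:\\Windows\\System32\\cmd.exe",
                 parent_image="C:\\Windows\\System32\\cmd.exe",
                 command_line="cmd.exe /c dir C:\\temp > C:\\temp\\list.txt",
                 current_directory="C:\\temp"),
]

if __name__ == "__main__":
    for idx, rule, detail in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}: {detail}")
```

Only the first two constructed events are flagged: the Explorer-launched command with a working directory on D: and the nltest query redirected to a file. The Word document and the plain `dir` listing pass, which is the point of requiring both a reconnaissance binary and a redirection target rather than either on its own.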
Once elevated privileges have been obtained on infected endpoints, the Cobalt Strike adversary simulation framework is also deployed, enabling the threat actor to move laterally across the network. Persistence is achieved by installing the AnyDesk remote desktop software.
In the incident analyzed by Cybereason, the stolen credentials of a highly privileged user were subsequently used to seize control of the Active Directory and to create a local user account for data exfiltration.
"The time it took between initial access and Active Directory compromise was less than two days," the cybersecurity firm said. "Attacks involving Bumblebee must be treated as critical, [...] and this loader is known for ransomware delivery."
I have three treasures, which I hold and keep: the first is compassion, the second is frugality, the third is not daring to put myself ahead of the world.
—— Tao Te Ching, Chapter 67
This article is translated from:
https://thehackernews.com/2022/08/hackers-using-bumblebee-loader-to.html
If you repost it, please cite the original address.
My translation skills are limited :(
Where anything is ambiguous, the original text prevails :)