Hide Navigation Hide TOC

Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)

Bumblebee is a custom loader written in C++ that has been used by multiple threat actors, including possible initial access brokers, to download and execute additional payloads since at least March 2022. Bumblebee has been linked to ransomware operations including Conti, Quantum, and Mountlocker and derived its name from the appearance of "bumblebee" in the user-agent.(Citation: Google EXOTIC LILY March 2022)(Citation: Proofpoint Bumblebee April 2022)(Citation: Symantec Bumblebee June 2022)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	1
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	1
Odbcconf - T1218.008 (6e3bd510-6b33-41a4-af80-2d80f3ee0071)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	1
Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	1
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	1
Time Based Checks - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	1
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	1
System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	1
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	1
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	1
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	1
Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	1
Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	1
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	1
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	1
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	1
Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	1
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	1
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	1
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	1
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	1
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	1
Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65)	Attack Pattern	1
Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	1
Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	Asynchronous Procedure Call - T1055.004 (7c0f17c9-1af6-4628-9cbd-9e45482dd605)	Attack Pattern	1
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	1
Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	1
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	1
Component Object Model - T1559.001 (2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	1
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	1
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	1
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	1
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	1
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	1
Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	1
Debugger Evasion - T1622 (e4dc8c01-417f-458d-9ee0-bb0617c1b391)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	1
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	1
Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	1
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	1
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	2
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f)	Attack Pattern	2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	Odbcconf - T1218.008 (6e3bd510-6b33-41a4-af80-2d80f3ee0071)	Attack Pattern	2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	2
Time Based Checks - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0)	Attack Pattern	Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d)	Attack Pattern	2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	2
Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d)	Attack Pattern	System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6)	Attack Pattern	2
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	Asynchronous Procedure Call - T1055.004 (7c0f17c9-1af6-4628-9cbd-9e45482dd605)	Attack Pattern	2
Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9)	Attack Pattern	Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	2
Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d)	Attack Pattern	Component Object Model - T1559.001 (2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64)	Attack Pattern	2
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b)	Attack Pattern	2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	2
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	2
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7)	Attack Pattern	2