Use the CRI to assess your organization’s preparedness against attacks, and get a snapshot of cyber risk across organizations globally.
Content added to Folio
Malware
In March 2021, we investigated a backdoor with a unique modular architecture and called it BumbleBee due to a string embedded in the malware. However, in our recent investigations, we have discovered a controller application that expands its capabilities.
By: Vickie Su, Ted Lee, Nick Dai Read time: ( words)
Save to Folio
Updated on Sept. 6, 2022, at 11:55 p.m. ET to clarify the reason behind the naming of this BumbleeBee malware.
Updated on Sept. 2, 2022, at 9:55 p.m. ET to clarify the difference between this BumbleBee malware and the Bumblebee ransomware loader.
In March 2021, we investigated a backdoor with a unique modular architecture. Its type of modular framework made our static analysis more challenging because it required us to first rebuild its structure or use dynamic analysis to understand its functionality and behavior.
We called it “BumbleBee” since the developer of this tool originally named it as such (“bumblebee” in Chinese: 大黄蜂).
Our analysis found that BumbleBee only had little malicious code in its payload, and what it does on the surface is track keys and clipboard content. However, further investigation revealed a controller application that expands the malware’s capabilities.
This type of backdoor is similar to another of its kind called BookWorm, in which it can be inferred that BumbleBee is a refactored version of BookWorm. At the time of writing, BumbleBee has only been deployed in Taiwan; together with its use of Simplified Chinese as the language for its user interface, this malware can be suspected to be deployed by malicious Chinese actors. This blog will tackle BumbleBee’s capabilities and our analysis of this backdoor. It’s important to note that this BumbleBee malware family is different from the Bumblebee loader, a loader malware that is used by ransomware groups to drop backdoors to gain access to corporate networks.
BumbleBee is a modular backdoor that comprises two applications, a server and a client application (a master and slaver application, respectively in the malware’s jargon). Once the client application is deployed on the target computer (these are commonly local government devices), threat actors can control the machine using the server module. Let us take a deeper look into this backdoor.
Layered deployment – client application
We have encountered the client application in a security breach incident. Its unique “layer-in-layer” architecture caught our attention. The module has a self-extracted file that contains three main parts: a legitimate executable (XcrSvr.exe), side-loaded DLL (XecureIO_v20.dll) and the shellcode binary file (ore) in the file system to execute the legitimate executable.
XCrSvr.exe is the executable in the XecureVistaCryptoSvr module developed by SoftForum. This file is exploited to launch the side-loaded DLL, XecureIO_v20.dll, which will work as the next-stage loader that executes the shellcode “ore,” which is the main component in this backdoor. This shellcode contains multiple modules of its own (shown in Table 1). Each module has corresponding 32-bit and 64-bit versions of binaries in the shellcode except for launcher.dll.
Table 1. BumbleBee’s modules
If a victim is compromised for the first time, launcher.dll loads and launches all the other modules. The installer modules will be responsible for the installation and establishing persistence on the compromised machine via the following steps:
Notably, as XecureIO_v20.dll is loaded by XcrSvr.exe, it will check if the parent process is “XcrSvr.exe.” If so, it will patch the entry point of XcrSvr.exe with a long jump instruction to direct execution flow to the malicious code.
Based on our analysis, we think the reason is that the malicious code embedded in XecureIO_v20 will not run if it followed the normal execution flow of XCrSvr.exe. Hence, once XecureIO_v20.dll is loaded by XCrSvr.exe, it will patch the entry point of XCrSvr.exe and jump to the address of the malicious code to make sure the code can be executed properly.
After the client is installed and the persistence is established, the loader, XecureIO_v20.dll, will retrieve the value of “ProductID” from the registry key “HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerRegistration” and use it as the key to decrypt the encrypted payload (the file “bin”) dropped in the first installation. Using the information on the compromised machine as a key to encrypt the payload makes it much more difficult for analysts to decrypt and debug the malware in the analysis environment.
Table 2. Payload file names
Expanded control – server application
Due to BumbleBee’s complex client application, it took some time for us to fully analyze its functionality. While doing so, we ran across the server application of the malware that acts as a controller. This provided us with further understanding on how BumbleBee works.
As the client application is running on the infected device, it will communicate with the server application and show the information of the machine it is in. Details, such as computer name, external IP address, geographic location, OS, CPU, and memory, are collected by the client application.
Based on the options in the server application shown in Figure 7, we can determine that it supports the following functions for controlling the compromised machine:
Table 3. Supported functions
BumbleBee’s modular framework allowed it to embed a small amount of malicious code that involves stealing keystrokes and clipboard content in the client’s shellcode. However, it could expand its capabilities through its server application by loading additional modules. This design proves that BumbleBee is flexible, allowing its developers to focus on the development of additional modules instead of having to rebuild the malware itself. Its structure could also reduce the risk of exposing itself to analysts and their own modules for comparison.
BumbleBee communicates over the HTTP protocol. It first creates an HTTP request that acts as a network beacon to notify the command and control (C&C) server. The POST request with the following URL, http://<C&C server>/update/, is the initial network beacon. The client application will send information of the compromised machine, which is encrypted by RC4 (see Figure 8 and Figure 9) once the first connection is established successfully. All other communication traffic, except for the victim information, are encrypted between server and client applications using the RC4 and compressed by LZO (Lempel–Ziv–Oberhumer) algorithm.
To make sure the received payload is correct, BumbleBee adopts a CRC32 checksum with reversed-presentation mode to verify the received data. For the CRC32 calculation, a self-defined value, ”20200105” is used as the initial value (typically, the value is 0xffffffff) for checksum calculation.
During the investigation, we found that BumbleBee adopted several techniques for persistence. It will use different techniques depending on the configuration. Here are the techniques adopted by the BumbleBee sample we found:
Due to the unique modular structure and installation procedures, we started to work on a literature review to clarify if it is an exclusive tool used by a certain threat actor. We found a similar backdoor, “BookWorm,” revealed by Palo Alto in 2015. They share the following features:
We think BumbleBee is likely to be the refactored BookWorm backdoor. They have similar tactics, techniques, and procedures (TTPs), unique encryption approach, and similar target sectors. According to the language (Simplified Chinese) shown in server application, we suspect that the origins and developers of BumbleBee may be in China and of Chinese descent.
Since BumbleBee and Bookworm share the same features, BumbleBee is likely a refactored form of the latter. Focusing on Asian local government targets, all signs point to a suspect linked to a Chinese hacker group.
BumbleBee, being a modular framework, is not only flexible but sophisticated as it will require analysts to investigate its structure and behavior. Another aspect of having a modular framework is that they can just keep developing additional modules since it can easily be integrated with the current version of said malware.
With its modular capabilities, the threat may deploy additional modules that may prove dangerous. Thus, an advanced layer of protection and quick detection is needed to prevent the backdoor from taking root in the system. Trend Micro Vision One™ offers both within different entry points of a backdoor.
Trojan.Win32.MULTICOM.ZTIC
Trojan.Win32.REGLOAD.ZTI
Backdoor.Win32.BUMBLEB.ZTIC
C&C:
· http[:]//www[.]synolo[.]ns01[.]biz:80/update
· http[:]//118[.]163[.]105[.]130:80/update
Vickie Su
Threats Analyst
Ted Lee
Threat Researcher
Nick Dai
Sr. Threat Researcher