CyberSecurity SEE

New Dropper Utilizing JavaScript Causes Malware Infections

A recent study has revealed that JavaScript-based droppers are being used to distribute Bumblebee and IcedID malware, instead of the traditional PowerShell-based droppers. These two types of malware are widely associated with ransomware attacks.

Bumblebee is a modular loader that is primarily distributed through phishing campaigns. It is used to deliver payloads that are commonly associated with ransomware deployments. On the other hand, IcedID is a modular banking trojan that targets user financial information. It can also act as a dropper for other types of malware. This trojan uses a man-in-the-browser attack to steal financial information, including login credentials for online banking sessions.

The shift from PowerShell-based droppers to JavaScript-based droppers, as well as the transition of IcedID from a banking trojan to a malware loader, demonstrates how threat actors continuously adapt their techniques to evade detection.

In a recent technical analysis conducted by Deep Instinct’s Threat Research Lab, it was discovered that the JavaScript dropper, named PindOS, contains comments in Russian. Furthermore, it utilizes a unique user-agent string called “PindOS,” which may be a reference to the anti-American sentiment prevalent in Russia.

The PindOS dropper consists of a single function called “exec,” which takes four parameters. These parameters include the user-agent string to be used when downloading Bumblebee’s DLL, as well as the URLs from which the payload should be downloaded. When executed, the dropper attempts to download the payload from the specified URLs and execute it using either rundll32.exe or a combination of PowerShell and rundll32.exe. The downloaded payload is then saved to a specific location on the infected system.
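From the defender's side, the two observable behaviours described above (a request carrying the "PindOS" user-agent string, and a script host handing off to rundll32.exe or PowerShell) are what telemetry can be searched for. The following Python is an added example written for this page, not Deep Instinct's research code and not the dropper itself: it scans constructed proxy-log and process-creation lines and reports matches. The script-host process names (wscript.exe, cscript.exe), the two log formats, and the user-writable-path heuristic in the third rule are assumptions of this example, not details from the analysis.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Rule inputs. "PindOS" is the user-agent string reported in the article;
# the script-host names are an assumption (JavaScript droppers on Windows
# are normally run by wscript.exe/cscript.exe), as is the user-writable
# path heuristic used by rule 3.
SUSPICIOUS_USER_AGENTS = {"pindos"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LOADER_CHILDREN = {"rundll32.exe", "powershell.exe"}
USER_WRITABLE_PATH = re.compile(r"\\(?:appdata|temp|programdata)\\", re.IGNORECASE)

# Assumed proxy log format: client_ip method url status "user-agent"
PROXY_RE = re.compile(
    r'^(?P<ip>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


@dataclass
class Finding:
    rule: str
    line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def scan_proxy_log(lines: Iterable[str]) -> List[Finding]:
    """Rule 1: flag HTTP requests whose user-agent is exactly 'PindOS'."""
    findings = []
    for line in lines:
        m = PROXY_RE.match(line)
        if m and m["ua"].strip().lower() in SUSPICIOUS_USER_AGENTS:
            findings.append(Finding("pindos-user-agent", line))
    return findings


def scan_process_log(lines: Iterable[str]) -> List[Finding]:
    """Process-creation records in the assumed form parent_image|child_image|command_line.

    Rule 2: a script host spawning rundll32.exe or powershell.exe, the two
    execution paths the article attributes to the dropper.
    Rule 3 (assumed heuristic): rundll32.exe given a DLL path under a
    user-writable directory.
    """
    findings = []
    for line in lines:
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue  # malformed record: skip it rather than crash the scan
        parent, child, cmdline = parts
        parent_name, child_name = basename(parent), basename(child)
        if parent_name in SCRIPT_HOSTS and child_name in LOADER_CHILDREN:
            findings.append(Finding("script-host-spawns-loader", line))
        if child_name == "rundll32.exe" and USER_WRITABLE_PATH.search(cmdline):
            findings.append(Finding("rundll32-dll-from-user-writable-path", line))
    return findings


# Constructed sample data for the example (not real telemetry).
PROXY_LOG = [
    r'10.0.0.5 GET http://example.invalid/update.bin 200 "PindOS"',
    r'10.0.0.6 GET http://example.invalid/index.html 200 "Mozilla/5.0 (Windows NT 10.0)"',
    r'garbage line that does not parse',
]
PROCESS_LOG = [
    r"C:\Windows\System32\wscript.exe|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Users\u\AppData\Local\Temp\payload.dll,#1",
    r"C:\Windows\explorer.exe|C:\Windows\System32\rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL",
    r"C:\Windows\System32\cscript.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -w hidden -c (placeholder)",
]

if __name__ == "__main__":
    for f in scan_proxy_log(PROXY_LOG) + scan_process_log(PROCESS_LOG):
        print(f"[{f.rule}] {f.line}")
```

Rule 1 is a brittle exact-string match and will stop working the moment the user-agent changes, which is why the process-lineage rule is the more durable of the two: a script host launching rundll32.exe or PowerShell is unusual on most endpoints regardless of which loader is being delivered.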

The analysis also revealed that the new variant of Bumblebee shares similarities with the older version, such as the presence of a main function called “set path.” However, the new variant has four main export functions, whereas the older version only had two. This change suggests that the threat actors behind Bumblebee are continuously updating and evolving their malware.

Additionally, the new variant of Bumblebee includes “legitimate-looking” strings taken from the open-source FFmpeg project’s files. These strings are used as a distraction technique to make the malware appear more benign.

It is important for security teams to be aware of the indicators of compromise (IOCs) associated with Bumblebee and IcedID. Deep Instinct has provided updated IOCs on their GitHub page to assist in detecting and mitigating these threats.

The published IOCs for the Bumblebee dropper and payload are SHA256 hashes of specific files, as are those for the IcedID dropper and payload.

By staying informed about the latest malware trends and understanding the tactics employed by threat actors, security teams can better protect their systems and networks from potential attacks. It is crucial to implement robust security measures and regularly update them to stay one step ahead of the evolving threat landscape.
