Introduction
Last month, Google's Threat Analysis Group (TAG) reported on EXOTIC LILY using file transfer services like TransferNow, TransferXL, WeTransfer, or OneDrive to distribute malware. Threat researchers like @k3dg3 occasionally report malware samples from this activity. Based on @k3dg3's recent tweet, I searched VirusTotal and found a handful of active TransferXL URLs delivering ISO files for Bumblebee malware. Today's diary reviews an infection generated from this activity on Wednesday 2022-05-18.
TransferXL URLs
TransferXL is a legitimate file sharing service. Like other services with a cost-free tier, it has been abused by criminals to distribute malicious files. With TransferXL, however, we have the benefit of seeing the email address used to share the malicious file. The image below shows a malicious TransferXL URL recently submitted to VirusTotal. Viewed in a web browser, it returns a malicious file. The associated email address is jhurris@wolsleyindustrialgroup.com.
The downloaded zip archive contains an ISO disk image. When double-clicked, the ISO is mounted as a virtual DVD drive. It contains a visible Windows shortcut and a hidden malware DLL for Bumblebee. Double-clicking the shortcut runs the hidden DLL on a vulnerable Windows host.
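The lure layout described above (a visible shortcut beside a hidden DLL) can be checked without mounting the image. The following Python is an added illustration, not code from the diary or its samples: it builds a minimal ISO 9660 image in memory with that same shape, hiding the DLL with the ISO 9660 hidden (existence) flag, then walks the primary volume descriptor's root directory and flags the shortcut-plus-hidden-executable combination. File names, file contents and sector numbers are constructed for the example; the parser reads only the ISO 9660 tree, so an image that hides the DLL only in its Joliet or UDF tree would need those parsed as well.

```python
"""Added example (not from the original diary): build a small ISO 9660 image
that mimics the lure layout (visible .lnk next to a hidden .dll), then parse
its root directory and flag that combination. Only the primary ISO 9660
tree is read; Joliet and UDF directory trees are not parsed."""
import struct

SECTOR = 2048
HIDDEN, DIRECTORY = 0x01, 0x02      # ISO 9660 file-flag bits (byte 25 of a record)


def _both32(v: int) -> bytes:       # ISO 9660 "both-byte-order" 32-bit field
    return struct.pack("<I", v) + struct.pack(">I", v)


def _record(name: bytes, extent: int, size: int, flags: int) -> bytes:
    """One directory record (ECMA-119 9.1); padded so the record length is even."""
    body = (b"\x00"                                      # extended attribute length
            + _both32(extent) + _both32(size)            # extent location, data length
            + bytes(7) + bytes([flags]) + b"\x00\x00"    # date, flags, unit size, gap
            + struct.pack("<H", 1) + struct.pack(">H", 1)  # volume sequence number
            + bytes([len(name)]) + name)
    rec = bytes([len(body) + 1]) + body
    return rec if len(rec) % 2 == 0 else rec + b"\x00"


def build_lure_iso() -> bytes:
    """Constructed sample image: root directory in sector 18, two files after it."""
    lnk, dll = b"placeholder shortcut", b"MZ placeholder dll"   # not real payloads
    pvd = bytearray(SECTOR)
    pvd[0], pvd[1:6], pvd[6] = 1, b"CD001", 1            # primary volume descriptor
    root_rec = _record(b"\x00", 18, SECTOR, DIRECTORY)
    pvd[156:156 + len(root_rec)] = root_rec               # root directory record
    term = bytearray(SECTOR)
    term[0], term[1:6], term[6] = 0xFF, b"CD001", 1       # volume descriptor set terminator
    root = (_record(b"\x00", 18, SECTOR, DIRECTORY)       # "."
            + _record(b"\x01", 18, SECTOR, DIRECTORY)     # ".."
            + _record(b"DOCUMENTS.LNK;1", 19, len(lnk), 0)        # visible shortcut
            + _record(b"HELPER.DLL;1", 20, len(dll), HIDDEN))     # hidden DLL
    return (bytes(16 * SECTOR) + bytes(pvd) + bytes(term)
            + root.ljust(SECTOR, b"\x00")
            + lnk.ljust(SECTOR, b"\x00") + dll.ljust(SECTOR, b"\x00"))


def list_iso_root(image: bytes) -> list[dict]:
    """Walk the ISO 9660 root directory; return name, size and hidden flag per file."""
    pvd = image[16 * SECTOR:17 * SECTOR]
    if pvd[0] != 1 or pvd[1:6] != b"CD001":
        raise ValueError("not an ISO 9660 image (no primary volume descriptor)")
    root = pvd[156:190]                                   # 34-byte root directory record
    extent = struct.unpack_from("<I", root, 2)[0]
    length = struct.unpack_from("<I", root, 10)[0]
    data = image[extent * SECTOR:extent * SECTOR + length]
    entries, off = [], 0
    while off < len(data):
        rec_len = data[off]
        if rec_len == 0:                                  # zero padding: skip to next sector
            off = (off // SECTOR + 1) * SECTOR
            continue
        rec = data[off:off + rec_len]
        flags, name_len = rec[25], rec[32]
        name = rec[33:33 + name_len]
        if name not in (b"\x00", b"\x01") and not flags & DIRECTORY:
            entries.append({
                "name": name.decode("ascii").split(";")[0].lower(),   # drop ";1" version
                "size": struct.unpack_from("<I", rec, 10)[0],
                "hidden": bool(flags & HIDDEN),
            })
        off += rec_len
    return entries


def triage_iso(image: bytes) -> dict:
    """Flag the lure pattern: a visible shortcut alongside a hidden DLL or EXE."""
    entries = list_iso_root(image)
    visible_lnk = [e["name"] for e in entries if e["name"].endswith(".lnk") and not e["hidden"]]
    hidden_exec = [e["name"] for e in entries if e["hidden"] and e["name"].endswith((".dll", ".exe"))]
    return {"entries": entries, "visible_lnk": visible_lnk, "hidden_exec": hidden_exec,
            "suspicious": bool(visible_lnk and hidden_exec)}


if __name__ == "__main__":
    print(triage_iso(build_lure_iso()))
```

On a real sample, read the extracted ISO with `open(path, "rb").read()` and pass it to `triage_iso`; a hit is a reason to pull the shortcut's target command line before anyone mounts the image.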
Traffic from an infection
After downloading malware from the malicious TransferXL URL, the infected host generated Bumblebee C2 traffic to 194.135.33[.]144 over TCP port 443.
Approximately 15 minutes after the Bumblebee C2 traffic first appeared, the infected Windows host generated HTTPS traffic to ec2-3-144-143-232-us-east-2.compute.amazonaws[.]com on 3.144.143[.]242 over TCP port 443. The infected host sent approximately 5.5 MB of data out and received approximately 4.0 MB of data back from that server.
Approximately 14 minutes after the HTTPS traffic to the AWS server, HTTPS Cobalt Strike traffic appeared to 23.106.215[.]123 over TCP port 443 using xenilik[.]com as the domain. It lasted approximately 3 minutes.
Indicators of Compromise (IOCs)
TransferXL URLs associated with the above email, returning zip archives containing malicious ISO files:
NOTE: The above URLs usually have ?utm_source=downloadmail&utm_medium=e-mail appended to them.
Email addresses associated with malicious TransferXL URLs:
Domains from the above emails:
Malware from an infected Windows host:
SHA256 hash: 1ec8c7e21090fb4c667f40c8720388a89789c569169fe0e41ec81567df499aac
SHA256 hash: 24aa82e1a085412686af5d178810fc0d056c5b8167ae5b88973b33071aa14569
SHA256 hash: ade875616534b755f33f6012ea263da808dd7eb50bc903fc97722f37fac7c164
SHA256 hash: 88c07354f1d7b0485452d5c39dc1a6d73884e163bc5489c40adc6662602b4d76
Traffic from the infected Windows host:
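As an added example that is not part of the diary, the following Python refangs the diary's defanged network IOCs and runs them over constructed Zeek-style connection records to rebuild the three-stage sequence described under "Traffic from an infection": Bumblebee C2, then the multi-megabyte upload to the AWS host roughly 15 minutes later, then Cobalt Strike roughly 14 minutes after that. The flow records, internal IP, timestamps and byte counts are invented to match the diary's narrative rather than read from its pcap, and the upload size threshold is an assumption.

```python
"""Added example (not from the original diary): refang the diary's defanged
network IOCs and run them over constructed Zeek-style conn records to rebuild
the Bumblebee C2 -> large upload -> Cobalt Strike sequence described above."""
from datetime import datetime, timedelta

# Network IOCs as the diary lists them (defanged), with the role the diary assigns.
IOCS = {
    "194.135.33[.]144": "bumblebee_c2",
    "3.144.143[.]242": "aws_upload",
    "23.106.215[.]123": "cobalt_strike",
    "xenilik[.]com": "cobalt_strike",
}
STAGE_ORDER = ["bumblebee_c2", "aws_upload", "cobalt_strike"]


def refang(ioc: str) -> str:
    """Undo common defanging ('[.]', '[:]', 'hxxp') so IOCs match real log values."""
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


WATCH = {refang(k): v for k, v in IOCS.items()}

# Constructed flows: the internal IP, times and byte counts are invented to match
# the diary's narrative, not copied from its pcap. Fields mirror Zeek conn.log/ssl.log.
T0 = datetime(2022, 5, 18, 14, 0, 0)
FLOWS = [
    {"ts": T0, "dst": "142.250.72.46", "dport": 443, "sni": "www.google.com", "orig": 1_200, "resp": 54_000},
    {"ts": T0 + timedelta(minutes=1), "dst": "194.135.33.144", "dport": 443, "sni": "", "orig": 900, "resp": 1_500},
    {"ts": T0 + timedelta(minutes=5), "dst": "3.144.143.242", "dport": 443, "sni": "", "orig": 2_000, "resp": 3_000},
    {"ts": T0 + timedelta(minutes=16), "dst": "3.144.143.242", "dport": 443, "sni": "", "orig": 5_500_000, "resp": 4_000_000},
    {"ts": T0 + timedelta(minutes=30), "dst": "23.106.215.123", "dport": 443, "sni": "xenilik.com", "orig": 40_000, "resp": 250_000},
]


def tag_flows(flows: list[dict]) -> list[dict]:
    """Attach the IOC role to flows whose destination IP or TLS SNI is on the watch list."""
    tagged = []
    for f in flows:
        role = WATCH.get(f["dst"]) or WATCH.get(f["sni"].lower())
        if role:
            tagged.append({**f, "role": role})
    return tagged


def stage_timeline(flows: list[dict], upload_threshold: int = 1_000_000) -> dict:
    """First-seen flow per stage, with the gap in minutes from the previous stage.

    upload_threshold (an assumption) separates the multi-megabyte staging upload
    from ordinary small connections to the same AWS host.
    """
    first_seen: dict[str, dict] = {}
    for f in sorted(tag_flows(flows), key=lambda f: f["ts"]):
        if f["role"] == "aws_upload" and f["orig"] < upload_threshold:
            continue                      # small chatter to the AWS host is not the upload
        first_seen.setdefault(f["role"], f)
    stages, prev = [], None
    for role in STAGE_ORDER:
        f = first_seen.get(role)
        if f is None:
            continue
        gap = (f["ts"] - prev["ts"]).total_seconds() / 60 if prev else 0.0
        stages.append({"role": role, "dst": f["dst"], "minutes_after_prev": round(gap, 1),
                       "bytes_out": f["orig"], "bytes_in": f["resp"]})
        prev = f
    # The chain is complete only if all three stages appear and in time order.
    complete = ([s["role"] for s in stages] == STAGE_ORDER
                and all(s["minutes_after_prev"] >= 0 for s in stages))
    return {"stages": stages, "complete_chain": complete}


if __name__ == "__main__":
    for stage in stage_timeline(FLOWS)["stages"]:
        print(stage)
```

Against real Zeek output, join conn.log and ssl.log on the connection uid so the SNI is available alongside the byte counts, and keep matching on the destination IP as well as the SNI: the Bumblebee C2 and the AWS host in this infection are identified by IP only.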
Final words
As the Google TAG blog post notes, EXOTIC LILY is using this method to push Bumblebee malware, and Bumblebee leads to further malware like Cobalt Strike. And Cobalt Strike has been documented by different sources as leading to ransomware. Today's diary reviewed a Bumblebee malware infection associated with EXOTIC LILY that led to Cobalt Strike activity. Pcap and malware samples associated with this infection are available here.
Brad, ISC Handler, May 20th 2022
Hi Brad,
Good analysis as always. Quick feedback: you have mentioned "194.135.33[.]134" as a C2 in the article but the network traffic image and the IoC shows it as "194.135.33[.]144".
Anonymous, May 19th 2022
Thanks for the heads-up! I corrected that typo. Fortunately, it was listed correctly in the IOCs list. Thanks again!
Brad, ISC Handler, May 20th 2022
Hi Brad,
Anything new against Bumblebee? Trending this for official use case. Thanks in advance!
Anonymous, Jun 13th 2022