Both Bumblebee and IcedID serve as loaders, acting as vectors for other malware on infected computers, including ransomware. A recent report from Proofpoint highlighted IcedID’s abandonment of bank fraud features in order to focus solely on malware delivery.
Bumblebee and IcedID malware
Bumblebee is a malware loader first discovered in March 2022. It was associated with the Conti group and was used as a replacement for BazarLoader. It acts as a primary vector for multiple types of other malware, including ransomware.
IcedID is a modular banking trojan designed to steal financial information. It has been seen in the wild since at least 2017 and has recently been observed shifting some of its focus to malware delivery.
PindOS contains comments in Russian, raising the possibility of a continued partnership between the e-crime groups behind the two families.
When executed, the dropper first attempts to download the payload from URL1 and execute it by invoking the specified export directly via rundll32.exe. If this fails, the dropper attempts to download the payload from URL2 and executes it using a combination of PowerShell and rundll32.exe.
The downloaded payload is saved to %appdata%/Microsoft/Templates/<6-char-random-number>.dat. Statically, the DLL payload differs slightly from the one previously encountered; dynamically it behaves very similarly, with a few additional layers of obfuscation.
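The two execution branches above (rundll32.exe calling an export on a .dat file dropped under %appdata%\Microsoft\Templates, or PowerShell driving the same rundll32.exe call) are the parts of this chain that show up in process-creation telemetry. The following Python is an added detection example written for this page, not code from the original write-up or from the malware; it assumes Sysmon Event ID 1 style fields (Image, CommandLine, ParentImage), that the random filename component is six decimal digits, that the .JS dropper runs under wscript.exe or cscript.exe, and the sample events, usernames and the export name PluginInit are all constructed for illustration.

```python
import re
from typing import Dict, Iterable, List

# Path form described in the write-up: %appdata%\Microsoft\Templates\<6-char-random-number>.dat.
# Match the expanded form (%appdata% -> C:\Users\<user>\AppData\Roaming) as well as the
# unexpanded %appdata% / $env:APPDATA forms a PowerShell one-liner might use.
# Assumption: the random component is six decimal digits.
TEMPLATES_DAT = re.compile(
    r"(?:\\AppData\\Roaming|%appdata%|\$env:appdata)\\Microsoft\\Templates\\\d{6}\.dat",
    re.IGNORECASE,
)

# rundll32 invoked as "<file>.dat,<Export>": the "call the export directly" form (URL1 branch).
RUNDLL32_EXPORT = re.compile(
    r"rundll32(?:\.exe)?\s+\"?[^\s\"]+\.dat\"?\s*,\s*#?\w+", re.IGNORECASE
)

# Assumption: a .JS dropper executes under one of the Windows script hosts.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
EXECUTORS = {"rundll32.exe", "powershell.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules that fire on one process-creation event."""
    hits: List[str] = []
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    templates_dat = bool(TEMPLATES_DAT.search(cmd))

    # Rule 1 (URL1 branch): rundll32 loads a Templates\<n>.dat and calls an export on it.
    if image == "rundll32.exe" and templates_dat and RUNDLL32_EXPORT.search(cmd):
        hits.append("rundll32_templates_dat_export")

    # Rule 2 (URL2 fallback): PowerShell is used to launch rundll32 against the same artifact,
    # seen either in the PowerShell command line or as a rundll32 child of powershell.exe.
    if image == "powershell.exe" and templates_dat and re.search(r"rundll32", cmd, re.IGNORECASE):
        hits.append("powershell_rundll32_templates_dat")
    if image == "rundll32.exe" and parent == "powershell.exe" and templates_dat:
        hits.append("powershell_child_rundll32_templates_dat")

    # Rule 3: a script host (the .JS dropper) is the direct parent of either executor.
    if parent in SCRIPT_HOSTS and image in EXECUTORS:
        hits.append("script_host_spawns_executor")

    return hits


def detect(events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run classify() over an event stream and return only the events that matched."""
    matches = []
    for event in events:
        rules = classify(event)
        if rules:
            matches.append({"event": event, "rules": rules})
    return matches


# Constructed sample telemetry (not real logs): a benign rundll32 call, the URL1 branch,
# both halves of the URL2 fallback branch, and an unrelated PowerShell command.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Users\alice\AppData\Roaming\Microsoft\Templates\482913.dat",PluginInit',
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -w hidden -c "rundll32 $env:APPDATA\Microsoft\Templates\731044.dat,PluginInit"',
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Roaming\Microsoft\Templates\731044.dat,PluginInit",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -Command Get-Process",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for match in detect(SAMPLE_EVENTS):
        print(match["rules"], "<-", match["event"]["CommandLine"])
```

Rule 1 on its own is the highest-signal check, since legitimate rundll32 use does not load a numeric .dat from the Templates directory; rules 2 and 3 catch the fallback branch and the script-host parentage even if the file path has been changed. Tune the `\d{6}` assumption to what you actually observe before deploying.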
- Network Artifact
- Bumblebee infection URLs
- Bumblebee .JS dropper SHA256
- Bumblebee DLL payload SHA256
- IcedID infection URLs
- IcedID .JS dropper SHA256
- IcedID DLL payload SHA256