Cyble researchers discovered that the Bumblebee malware loader has been updated with a novel PowerSploit framework-based infection chain aimed at improving the stealth of reflective DLL payload injections to memory, according to BleepingComputer.
Victims of the new Bumblebee attack were sent emails with a password-protected Virtual Hard Disk file, instead of ISO files, with an LNK shortcut file for payload execution, the report found. The findings also showed that the LNK executes the "imagedata.ps1" file that triggers a PowerShell window, instead of directly executing Bumblebee. Base64 has been used to obfuscate the SP1 script in an effort to bypass detection. Similar obfuscation has been observed in the second stage, which involves the PowerSploit module for loading the 64-bit "LdrAddx64.dll" malware, according to researchers.
"PowerSploit is an open-source post-exploitation framework in which the malware uses a method, Invoke-ReflectivePEInjection, for reflectively loading the DLL into the PowerShell Process. This method validates the embedded file and performs multiple checks to ensure that the file is loaded properly on the executing system," researchers added.