Trojan:Win32/Bumblebee frequently arrives disguised as a disk image file, such as an ISO or IMG. An LNK file embedded within the image file serves as the trigger for running the malware.
To lure the user into opening it, the malware uses an LNK file with the inviting name project details.lnk.
This LNK file runs a batch file, which in turn launches a hidden DLL through the command:
start /b /min rundll32 aGySCShDWxUsAj.dll,LoadNode
Recent iterations of Trojan:Win32/Bumblebee may present themselves as ZIP archives, exploiting CVE-2023-38831 for code execution.
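The delivery chain above (LNK opened from a mounted image, a batch file run by cmd.exe, then rundll32 loading a DLL by bare name with an exported entry point) leaves a recognisable process-creation trail. The following detection heuristic is an added example, not code from the original description or from Microsoft; the pipe-separated log format, the drive letter E: for the mounted image, the batch-file name and the "trusted directory" list are all assumptions made for the example. Only the rundll32 command line and DLL name come from the description.

```python
"""Flag rundll32 launches whose DLL resolves outside trusted directories.

Added example, not part of the original threat description. Log format is
constructed: one process-creation event per line, fields separated by '|':
    image|command_line|parent_image|parent_command_line|cwd
The drive letter E: and the batch-file name below are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass, field

# Directories from which rundll32 loading a DLL is treated as ordinary (assumed list).
TRUSTED_DIRS = (
    "c:\\windows\\system32",
    "c:\\windows\\syswow64",
    "c:\\program files",
    "c:\\program files (x86)",
)

# Matches "rundll32[.exe] <dll>,<export>", with optional quotes around the DLL path.
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>[A-Za-z0-9_#]+)',
    re.IGNORECASE,
)


@dataclass
class ProcEvent:
    image: str
    cmdline: str
    parent_image: str
    parent_cmdline: str
    cwd: str


@dataclass
class Verdict:
    suspicious: bool
    dll_path: str = ""
    export: str = ""
    reasons: list = field(default_factory=list)


def parse_event(line: str) -> ProcEvent:
    fields = line.rstrip("\n").split("|")
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}: {line!r}")
    return ProcEvent(*fields)


def _is_trusted(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(d + "\\") for d in TRUSTED_DIRS)


def resolve_dll(dll: str, cwd: str) -> str:
    """Resolve the DLL argument. Heuristic: a relative name is taken to load
    from the process's current directory (the mounted image in this chain).
    System directories are searched before cwd, so a bare name of a real
    system DLL would be a false positive; the heuristic accepts that."""
    if ntpath.isabs(dll) or ntpath.splitdrive(dll)[0]:
        return ntpath.normpath(dll)
    return ntpath.normpath(ntpath.join(cwd, dll))


def assess(ev: ProcEvent) -> Verdict:
    m = RUNDLL_RE.search(ev.cmdline)
    if ntpath.basename(ev.image).lower() != "rundll32.exe" or not m:
        return Verdict(False)
    dll_path = resolve_dll(m.group("dll"), ev.cwd)
    v = Verdict(False, dll_path, m.group("export"))
    if _is_trusted(dll_path):
        return v  # ordinary OS use of rundll32 (Control Panel applets and the like)
    v.suspicious = True
    v.reasons.append("dll outside trusted directories")
    if not ntpath.dirname(m.group("dll")):
        v.reasons.append("dll given by bare name, resolved from cwd")
    if ntpath.basename(ev.parent_image).lower() == "cmd.exe":
        v.reasons.append("parent is cmd.exe")
        if re.search(r"\.(bat|cmd)\b", ev.parent_cmdline, re.IGNORECASE):
            v.reasons.append("parent was running a batch file")
    drive = ntpath.splitdrive(ev.cwd)[0].lower()
    if drive and drive != "c:":
        v.reasons.append(f"cwd on non-system volume {drive} (mounted image?)")
    return v


def scan(lines):
    return [(ev, assess(ev)) for ev in map(parse_event, lines)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Bumblebee-style chain: cmd.exe running a batch file on a mounted ISO (E:)
    "C:\\Windows\\System32\\rundll32.exe|rundll32 aGySCShDWxUsAj.dll,LoadNode"
    "|C:\\Windows\\System32\\cmd.exe|cmd.exe /c E:\\example.bat|E:\\",
    # Ordinary Control Panel launch from Explorer
    "C:\\Windows\\System32\\rundll32.exe|rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"
    "|C:\\Windows\\explorer.exe|explorer.exe|C:\\Users\\alice",
    # Not rundll32 at all
    "C:\\Windows\\System32\\notepad.exe|notepad.exe notes.txt|C:\\Windows\\explorer.exe|explorer.exe|C:\\Users\\alice",
]

if __name__ == "__main__":
    for ev, verdict in scan(SAMPLE_EVENTS):
        if verdict.suspicious:
            print(f"SUSPICIOUS {verdict.dll_path},{verdict.export}: {'; '.join(verdict.reasons)}")
```

The point of resolving the DLL against the current directory is that the command on the page names the DLL without a path, so the only thing that makes it load from the mounted image is where cmd.exe was running; logging the working directory alongside the command line is what makes this chain visible.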
Upon launch, Trojan:Win32/Bumblebee queries the device to gather information, including but not limited to:
- Computer name
- Operating system
- Username
- Domain name
- Network adapter configuration
- Hardware
- Running processes
- Selected registry keys and files
Some of the gathered data is used to determine whether the malware is running in a virtualized or analysis environment; if it is, the malware stops executing. Other information helps assess whether the infected device belongs to a corporate environment.
Trojan:Win32/Bumblebee has several capabilities for loading additional payloads, including:
- Injecting shellcode
- Downloading and running files
- Uninstalling the loader
- Adding persistence
- Executing shell commands
Moreover, Trojan:Win32/Bumblebee includes an encrypted configuration file containing a list of command-and-control servers to connect back to. More recent variants may instead use a domain generation algorithm (DGA).
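A loader that falls back to a domain generation algorithm typically produces a burst of lookups for names that do not resolve before it finds a live server, which is observable in DNS logs regardless of the specific algorithm. The detector below is an added example and is not Bumblebee's DGA or Microsoft's code; the description does not specify the algorithm, so this is a generic heuristic. The log format, the 60-second window, the thresholds and all domain names are constructed for the example.

```python
"""Heuristic detector for DGA-style NXDOMAIN bursts in DNS query logs.

Added example, not from the original threat description. The log format,
thresholds and domains are constructed; the heuristic is generic and does
not model any specific malware's algorithm.
Each log line: <ISO timestamp> <client ip> <queried name> <rcode>
"""
import math
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumed burst window
MIN_NXDOMAIN = 5                 # distinct failed registrable labels needed to alert
MIN_RANDOM_FRACTION = 0.8        # share of those that must look machine-generated
MIN_LABEL_LEN = 12               # short labels are too ambiguous to score
MIN_ENTROPY = 3.5                # bits per character of the registrable label


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of the string's character distribution."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname: str) -> str:
    """Second-level label of a name: 'abc.example.com' -> 'example'.
    Simplified: assumes a single-label public suffix such as .com."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(label: str) -> bool:
    """Long labels with near-uniform character use are treated as machine-generated."""
    return len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= MIN_ENTROPY


def parse_line(line: str):
    ts, client, qname, rcode = line.split()
    return datetime.fromisoformat(ts), client, qname, rcode.upper()


def find_dga_clients(lines):
    """Return {client: sorted generated labels} for each client whose NXDOMAIN
    responses inside one WINDOW cover at least MIN_NXDOMAIN distinct labels,
    of which at least MIN_RANDOM_FRACTION look machine-generated."""
    failures = defaultdict(list)  # client -> [(timestamp, label)]
    for ts, client, qname, rcode in map(parse_line, lines):
        if rcode == "NXDOMAIN":
            failures[client].append((ts, registrable_label(qname)))
    alerts = {}
    for client, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            labels = {lab for ts, lab in events[i:] if ts - start <= WINDOW}
            if len(labels) < MIN_NXDOMAIN:
                continue
            generated = [lab for lab in labels if looks_generated(lab)]
            if len(generated) / len(labels) >= MIN_RANDOM_FRACTION:
                alerts[client] = sorted(generated)
                break
    return alerts


# Constructed sample log (not real traffic). 10.0.0.5 shows a DGA-style burst;
# 10.0.0.9 shows one typo lookup and normal resolved names.
SAMPLE_DNS_LOG = [
    "2024-01-01T10:00:01 10.0.0.5 kxwqpzvrmtgbhdjn.com NXDOMAIN",
    "2024-01-01T10:00:03 10.0.0.5 ztqvxwpkmrbgdhnj.net NXDOMAIN",
    "2024-01-01T10:00:05 10.0.0.5 pvkzqxmwrtdbgnhj.com NXDOMAIN",
    "2024-01-01T10:00:08 10.0.0.5 wqzkxpvtmrhbdgjn.xyz NXDOMAIN",
    "2024-01-01T10:00:12 10.0.0.5 xzqwkvprmtbhgdnj.com NXDOMAIN",
    "2024-01-01T10:00:15 10.0.0.5 windowsupdate.com NOERROR",
    "2024-01-01T10:00:02 10.0.0.9 gogle.com NXDOMAIN",
    "2024-01-01T10:00:04 10.0.0.9 microsoft.com NOERROR",
    "2024-01-01T10:00:06 10.0.0.9 teams.microsoft.com NOERROR",
]

if __name__ == "__main__":
    for client, labels in find_dga_clients(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(labels)} generated-looking NXDOMAIN labels within {WINDOW}")
```

Entropy alone misfires on long legitimate names, which is why the rule also requires a cluster of failed lookups from one client in a short window; a single odd hostname is not an alert, a burst of them is. Tune the window and thresholds against your own baseline before deploying.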