Introduction
Bumblebee is a downloader malware which has become known for its sophistication and effectiveness. The malware was first discovered in 2022 and was believed to be a tool for ransomware groups due to the developer’s close ties with Conti. Since then, it has been used in various attacks and has been delivered through multiple methods, including phishing emails, malicious documents, and SEO poisoning.
Cyjax has identified one such campaign which used a series of fake download sites to target users of the Bing search engine. This report will explore how the campaign operates and the developments of this specific attack.
Technical Analysis
Within this newly identified campaign, Bumblebee has been delivered through a series of fake download websites for software packages. Currently, two packages called WinMTR and Milestone XProtect have been identified as targets of the attack. WinMTR is an open-source tool which provides a visual interface to a version of Matt’s traceroute. This is a program which combines the functions of traceroute and ping. Milestone XProtect is a video management software which allows centralised control of video surveillance systems. In both cases, the threat actor created legitimate appearing sites to host the malicious downloader and registered domains which were similar to the original one. This can be seen in the table in Figure 1.
| Legitimate Domain | Malicious Domain |
| www.milestonesys[.]com | www.milestonesys[.]org |
| www.winmtr[.]net | www.winmtr[.]org |
Figure 1 – Domain typosquatting examples.
This specific campaign appears to target users of the Bing search engine, relying on SEO poisoning techniques to get malicious sites to the top of the search results. As can be seen in Figure 2 and Figure 3, searches for “WinMTR download” and “Milestone XProtect download” show that the malicious sites appear as the top result below the panel generated by Bing.
Both sites are hosted on the same server owned by Truehost Cloud in Nairobi. Going directly to both sites load what appears to be a template website, with a number of assets and links still redirecting to the service “LDAP Administrator”.
Figure 4 – Page contents of winmtr[.]org.
As seen in Figure 4, it is likely that this template site is being used to generate SEO for the tool and as a vague cover, so the site does not become suspicious to visitors. When visiting the site through the link provided in the Bing search engine, the legitimate WinMTR download site is shown, as highlighted in Figure 5.
Figure 5 – Page contents of winmtr[.]org after visiting via Bing refer link.
The page is an exact copy, and the only change is that an MSI file is used for the latest version instead of a ZIP. This MSI file is the Trojanised installer which delivers the Bumblebee malware to victims once executed.
The file itself is not hosted locally on the same page. Instead, both sites reference an external domain called “software-server[.]online”, which hosts the malicious MSI files. A request is made to a page titled “Get” during download, with a parameter to specify which Trojanised software package to deliver. Currently, the two observed examples include WinMTR and Milestone_XProtect. However, this does suggest that there may be more available.
The installer is then installed using msiexec.exe, which delivers both the legitimate winmtr.exe executable, icardagt.exe, and a malicious DLL titled version.dll. Both the second executable and malicious DLL are responsible for delivering the malware, with icardagt.exe being used to load the malicious library. The executable appears to be a legitimate Windows binary; however, it is important to note that the certificate used to sign the executable expired on 22 January 2010. The breakdown of the execution flow can be seen below in Figure 6.
Figure 6 – Bumblebee execution flow.
After the malware is executed, it begins to connect to a number of known Bumblebee C2 domains. A series of C2 URLs have been identified, each taking the form of a 13-character string followed by the ‘.life’ top-level domain (TLD).
These C2 domains have been linked to a shared Bumblebee sample, in which a similar MSI file was delivered under the name RVTools.msi. This sample was also delivered through a similar delivery domain called “soft-server[.]online”, which is hosted on the same US-based server. This suggests that the threat actor responsible for this campaign has likely pivoted and further developed it to target more software packages through SEO poisoning.
Conclusions
Overall, this campaign highlights a clear targeting of software packages through a sophisticated and highly effective Bing SEO poisoning campaign. From analysing the software both across this and previous campaign, there is a common targeting of lesser-known tools used within technical development environments. This presents a unique target and because of Bumblebee’s ability to deliver additional malware, it is likely that these kind of privileged developer environments present an ideal environment for further attacks or information theft.
When comparing this to a previous Bumblebee SEO poisoning campaign in 2023, the malware was delivered through Trojanised Zoom, Cisco AnyConnect, and ChatGPT installers. This new campaign highlights a significant shift in tactics, as the threat actor has pivoted to target more obscure software installation packages which victims may not easily be able to verify the legitimacy of.
The effectiveness of the SEO poisoning on Bing’s search results highlights the importance of validating files before installing them. With both malicious packages appearing at the top, users cannot solely rely on search results ranking to provide legitimate software packages. It is because of this that users should regularly check other browsers or find a reputable third-party source to cross reference the legitimacy of the source.
Tactics Techniques and Procedures
| Tactic | Technique | ID |
| Resource Development | Acquire Infrastructure: Domains | T1583.001 |
| ~ | Stage Capabilities: SEO Poisoning | T1608.006 |
| ~ | Stage Capabilities: Upload Malware | T1608.001 |
| Initial Access | Drive-by Compromise | T1189 |
| Execution | User Execution | T1204 |
| ~ | User Execution: Malicious File | T1204.002 |
| Defence Evasion | Masquerading | T1036 |
| ~ | Masquerading: Match Legitimate Name or Location | T1036.005 |
| ~ | System Binary Proxy: Msiexec | T1218.007 |
| ~ | DLL Side-Loading | T1574.001 |
Indicators of Compromise
Phishing Sites:
- winmtr[.]org
- milestonesys[.]org
Download Site:
- software-server[.]online
Bumblebee C2 Domains:
- 19ak90ckxyjxc[.]life
- o2u1xbm9xoq4p[.]life
- 9b10t4vyvx6b5[.]life
- 9nl2a1qma4swd[.]life
- gc9fctjq62t2e[.]life
- apsgw881ol7rs[.]life
- rmqa3jodwcmgd[.]life
- 85ur7zivhczam[.]life
- evzftxl2qjfj4[.]life
- cp2br7osw928r[.]life
- lhunevjdxw5kz[.]life
- jbrprj8im7aia[.]life
- rdg0u5n7237r5[.]life
- xwn7sukhzhbqv[.]life
- j34duklow92k3[.]life
- u8karkeeu2qtj[.]life
- 8vh7uizstjhnb[.]life
- inkja7hekgcuv[.]life
- 8sg769rvpe1lp[.]life
- r4a4n001s7uhi[.]life
- r976ptnxbh52l[.]life
- tv9jc206cpnyd[.]life
- xf30997j6tp8z[.]life
- nl2jkkuqs8efp[.]life
- 5395dg0j4h79n[.]life
- oknzqkp6ph302[.]life
- v30ty639krk3p[.]life
- ey9n44bwtmjaw[.]life
- rlq13ng659buz[.]life
- 9vgvnzk51j1sy[.]life
- trtiqjiry7k05[.]life
- wi88w99xo9zlt[.]life
- 7oo4hxt5haih5[.]life
- hoieva2gl9tzx[.]life
- ey8axyn00x8sf[.]life
- kks80hyrpbmuz[.]life
- zom3rkt078g1k[.]life
version.dll
- a67fa1a060c07934c3de8612aaa0ebc2
- d1c5b38d3d91f925b16d616c1c9d3e05542f025d
- 96480ef5ccfa8fcb0646538c440103d97ab741ed83f4c2bcb7b4717569f88770
WinMTR.msi:
- 28c0caed1c9c242f60c8e0884ccbf976
- 0e6abeb79a84fc3e7683c5439607c8a17ef6ae77
- 31dd6d070a65a648b2be9ea2edc9efca26762c3875a8dde2d018eb064bc41e32
Milestone_XProtect.msi
- ea966dbfdd3f777727c827719e668f94
- 3437f8372c7d455085d24460147f27f6e2c009f5
- c6d5d2fff2cc422aca6dd5538f8351b8f2107a07a0df1f3ad8d69b050951ca1e
Receive our latest cyber intelligence insights delivered directly to your inbox
Simply complete the form to subscribe to our newsletter, ensuring you stay informed about the latest cyber intelligence insights and news.