The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection

PART 1

The Hook: Unpacking the bumblebee’s crypter

Bumblebee dropper as seen in PEstudio
Bumblebee dropper exports and internal name in PE-Bear

Unpacking mechanism

Bumblebee loader\crypter main
Bumblebee loader unexplored bytes
Disabling ASLR
Changing the address
Bumblebee SetPath
Bumblebee loader\crypter main
Bumblebee loader\crypter main
Bumblebee loader\crypter main
Bumblebee loader payload decryption
Bumblebee loader payload decryption
Bumblebee loader payload decrypted in Process Hacker

Enters the hook

Bumblebee loader payload decryption
Assign functions to addresses
Getting NT functions
Getting NT functions
Setting hook
Hooked NT functions
View hooks using Hollows Hunter
View hooks using Hollows Hunter
Bumblebee loader install hook mechanism

Executing the code

Bumblebee loader\crypter main
LoadLibrary loading GdiPlus.dll
LoadLibrary loading GdiPlus.dll
Hooked NtMapViewOfSection mechanism
Relocated module point to RWX section

Bumblebee dropper high-level summary

Bumblebee dropper overview

PART 2

The bee: Investigating the bumblebee’s payload

Unpacked Bumblebee payload

Stolen anti-analysis code

Searching for processes in Bumblebee
al-khaser source code
Searching for VMware processes in Bumblebee
Searching for VMware registry key in Bumblebee
Searching for VBOX files in Bumblebee

Executing processes

Executing Wscript
Executing PowerShell

The little ones inside the flask

Two hidden DLL files inside the unpacked Bumblebee
Bumblebee hooking DLL aka RapportGP.dll

PART 3: The shadow of Trickbot: Investigating the hooking DLL

Check for existing hooks

1. RapportGP.dll checking and disabling existing hooks
RapportGP.dll list of Ntdll functions to check
RapportGP.dll list of Kernel32 functions to check
RapportGP.dll list of Kernelbase functions to check
RapportGP.dll list of Advapi32 functions to check
2. RapportGP.dll checking and disabling existing hooks
3. RapportGP.dll checking and disabling existing hooks
4. RapportGP.dll checking and disabling existing hooks
5. RapportGP.dll checking and disabling existing hooks
6. RapportGP.dll checking and disabling existing hooks
7. RapportGP.dll checking and disabling existing hooks
8. RapportGP.dll checking and disabling existing hooks
9. RapportGP.dll checking and disabling existing hooks
10. RapportGP.dll checking and disabling existing hooks

Setting the hooks

First hooks: Disable Exceptions

RapportGP.dll hooks to disable exceptions

Second hooks: Further code execution

RapportGP.dll second hooks
RapportGP.dll second hooks

The Trickbot hooking engine

Bumblebee’s RapportGP.dll vs Trickbot’s web-inject module
Trickbot’s web-inject module evasion technique
Bumblebee’s RapportGP.dll evasion technique
Bumblebee’s RapportGP.dll evasion technique

Static differences and code evolution

Bumblebee’s RapportGP.dll vs Trickbot’s web-inject module install hook functions
Bumblebee’s RapportGP.dll vs Trickbot’s web-inject module: same functionality, different flow
Bumblebee’s RapportGP.dll vs Trickbot’s web-inject module: same functionality, different flow
Bumblebee’s RapportGP.dll vs Trickbot’s web-inject module: BinDiff

Additional similarities

Bumblebee’s RapportGP.dll vs Trickbot’s web-inject module: same functionality, a different approach
Bumblebee’s RapportGP.dll vs Trickbot’s web-inject module

Customized flattened RC4

Custom RC4 with CFF obfuscation

RapportGP.dll High-level summary

RapportGP.dll overall activity

Conclusion

References

IOC

Malware Researcher & Threat Hunter
