BumbleBee a New Modular Backdoor Evolved From BookWorm
Tags
cmtmf-attack-pattern: Application Layer Protocol; Boot Or Logon Autostart Execution; Develop Capabilities; Process Injection
country: China; Taiwan
attack-pattern:
  Data Direct
  Abuse Elevation Control Mechanism - T1626
  Abuse Elevation Control Mechanism - T1548
  Application Layer Protocol - T1437
  Boot Or Logon Autostart Execution - T1547
  Boot Or Logon Initialization Scripts - T1398
  Bypass User Account Control - T1548.002
  Create Or Modify System Process - T1543
  Develop Capabilities - T1587
  Dll Side-Loading - T1574.002
  Encrypted Channel - T1521
  Encrypted Channel - T1573
  Environmental Keying - T1480.001
  Execution Guardrails - T1480
  Execution Guardrails - T1627
  File Deletion - T1070.004
  File Deletion - T1630.002
  Gather Victim Host Information - T1592
  Hijack Execution Flow - T1625
  Hijack Execution Flow - T1574
  Indicator Removal On Host - T1630
  Input Capture - T1417
  Keylogging - T1056.001
  Keylogging - T1417.001
  Logon Script (Windows) - T1037.001
  Malware - T1587.001
  Malware - T1588.001
  Process Injection - T1631
  Registry Run Keys / Startup Folder - T1547.001
  Rundll32 - T1218.011
  Server - T1583.004
  Server - T1584.004
  Software - T1592.002
  Standard Encoding - T1132.001
  Sudo And Sudo Caching - T1548.003
  Symmetric Cryptography - T1521.001
  Symmetric Cryptography - T1573.001
  Web Protocols - T1071.001
  Web Protocols - T1437.001
  Windows Service - T1543.003
  Tool - T1588.002
  Standard Application Layer Protocol - T1071
  Logon Scripts - T1037
  Bypass User Account Control - T1088
  Connection Proxy - T1090
  Data Encoding - T1132
  Dll Side-Loading - T1073
  File Deletion - T1107
  Indicator Removal On Host - T1070
  Input Capture - T1056
  Process Injection - T1055
  Registry Run Keys / Start Folder - T1060
  Rundll32 - T1085
  Indicator Removal On Host
Common Information
Type Value
UUID e8ff8d22-b86a-49fd-93de-2986d47b762e
Fingerprint f51f1d5844b42f91
Analysis status DONE
Considered CTI value 2
Text language
Published Sept. 2, 2022, midnight
Added to db Jan. 16, 2023, 5:01 p.m.
Last updated Nov. 17, 2024, 6:56 p.m.
Headline Buzzing in the Background: BumbleBee, a New Modular Backdoor Evolved From BookWorm
Title BumbleBee a New Modular Backdoor Evolved From BookWorm
Detected Hints/Tags/Attributes 112/3/42
Attributes
Type                          #Events  CTI Value
Domain                        2        www.synolo.ns01.biz
File                          2        xcrsvr.exe
File                          2        xecureio_v20.dll
File                          3        launcher.dll
File                          7        kernel.dll
File                          3        installer.dll
File                          3        keylog.dll
File                          21       loader.dll
File                          2        slaver.dll
File                          3        bpu.dll
File                          1018     rundll32.exe
File                          2        slaver.exe
File                          13       win32.reg
sha256                        1        f8809c6c56d2a0f8a08fe181614e6d9488eeb6983f044f2e6a8fa6a617ef2475
sha256                        2        ea5db8d658f42acad38106cbc46eea5944607eb709fb00f8adb501d4779fbea0
sha256                        2        3fc6c5df4a04d555d5cbf2ca53bed7769b5595fc6143a2599097cb6193ef8810
sha256                        1        eeca34fba68754e05e7307de61708e4ce74441754fcc6ae762148edf9e8e2ca0
sha256                        1        6690b7ace461b60b7a72613c202d70f4684c8cdc5afbb4267c67b5fe5dbf828e
sha256                        1        4ecde81a476f1e4622d192fe2f120f7c5c3ec58bf118b791d5532f3ff61c09ee
sha256                        2        8ab8bb836b074e170c129b7f0523d256930fd1f8cf126ca1875b450fdb6c4c05
sha256                        1        515cb31b2c89df83ea6d54d5c0c3e4fe9a024319d9bd8fd76ad351860bd67ea3
sha256                        2        8e340746339614ca105a1873dad471188b24421648d080e37d52b87f4ced5e6d
IPv4                          2        118.163.105.130
MITRE ATT&CK Techniques       227      T1574.002
MITRE ATT&CK Techniques       297      T1070.004
MITRE ATT&CK Techniques       440      T1055
MITRE ATT&CK Techniques       18       T1480.001
MITRE ATT&CK Techniques       380      T1547.001
MITRE ATT&CK Techniques       6        T1037.001
MITRE ATT&CK Techniques       10       T1548.003
MITRE ATT&CK Techniques       86       T1548.002
MITRE ATT&CK Techniques       118      T1056.001
MITRE ATT&CK Techniques       50       T1592
MITRE ATT&CK Techniques       442      T1071.001
MITRE ATT&CK Techniques       152      T1090
MITRE ATT&CK Techniques       130      T1573.001
MITRE ATT&CK Techniques       99       T1132.001
MITRE ATT&CK Techniques       96       T1587.001
Url                           2        http://www.synolo.ns01.biz:80/update
Url                           2        http://118.163.105.130:80/update
Windows Registry Key          8        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet
Windows Registry Key          14       HKEY_CURRENT_USER\Environment