This month, the Cisco Umbrella team – in conjunction with Talos – has witnessed the rise of complex cyberattacks. In today’s edition of the Cybersecurity Threat Spotlight, we unpack the tactics, techniques, and procedures used in these attacks.
Want to see how Cisco Umbrella can protect your network? Sign up for a free trial today!
BlackCat Ransomware
Threat Type: Ransomware
Attack Chain:
Description: BlackCat – also known as “ALPHV” – is ransomware that uses a ransomware-as-a-service model and a double ransom scheme (file encryption plus disclosure of stolen files). It first appeared in November 2021 and has since hit targeted companies across the globe.
BlackCat Spotlight: BlackCat ransomware has quickly gained notoriety for its use in double ransom attacks (file encryption plus disclosure of stolen files) against companies. While it targets companies across the globe, more than 30% of the compromises involved companies based in the U.S.
There is a connection between the BlackCat, BlackMatter and DarkSide ransomware groups, recently confirmed by a BlackCat representative. The attack kill chain follows the blueprint of other human-operated ransomware attacks: initial compromise, followed by an exploration and data exfiltration phase, then attack preparation and finally the ransomware execution. The key aspect of such attacks is that adversaries take time exploring the environment and preparing it for a successful and broad attack before launching the ransomware. Some of the attacks took up to two weeks from the initial to the final stage, so having the capability to detect such activities is key to countering them.
Target Geolocations: U.S., Canada, EU, China, India, Philippines, Australia
Target Data: Sensitive Information, Browser Information
Target Businesses: Any
Exploits: N/A
Mitre ATT&CK for BlackCat
Initial Access:
Valid Accounts: Local Accounts
Discovery:
Account Discovery
System Information Discovery
Network Service Discovery
File and Directory Discovery
Security Software Discovery
ADRecon
SoftPerfect Network Scanner
Persistence:
Scheduled Task
Image File Execution Options Injection
Reverse SSH Tunnel
Evasion:
Disable System Logs
Disable Endpoint Protection
Gmer
Credential Access:
OS Credential Dumping: LSASS Memory
Credentials from Password Stores: Credentials from Web Browsers
Command and Control:
Reverse SSH Tunnel
Impacket
Lateral Movement:
Lateral Tool Transfer
Impacket
Remote Services: SSH, RDP, PowerShell, PsExec
Impact:
Group Policy
Netlogon Share
Data Encrypted for Impact
Inhibit System Recovery
IOCs
Domains:
windows[.]menu
IPs:
52.149.228[.]45
20.46.245[.]56
Additional Information:
From BlackMatter to BlackCat: Analyzing two attacks from one affiliate
Which Cisco Products Can Block:
Cisco Secure Endpoint
Cisco Secure Firewall/Secure IPS
Cisco Secure Malware Analytics
Cisco Umbrella
ZingoStealer
Threat Type: Information Stealer
Attack Chain:
Description: ZingoStealer is an information stealer released by a threat actor known as “Haskers Gang.” The malware uses Telegram chat features to deliver malware executable builds and to exfiltrate data. It can exfiltrate sensitive information such as credentials, steal cryptocurrency wallet information, and mine cryptocurrency on victims’ systems. ZingoStealer can also download additional malware such as RedLine Stealer and the XMRig cryptocurrency mining malware.
ZingoStealer Spotlight: Cisco Talos recently observed a new information stealer, called “ZingoStealer,” that has been released for free by a threat actor known as “Haskers Gang.” This information stealer, first introduced to the wild in March 2022, is currently under active development, and multiple releases of new versions have been observed recently. In many cases, ZingoStealer is distributed under the guise of game cheats, cracks and code generators.
The stealer is an obfuscated .NET executable which downloads the files providing its core functionality from an attacker-controlled server. The malware can exfiltrate sensitive information such as credentials, steal cryptocurrency wallet information, and mine cryptocurrency on victims’ systems. The malware is also used as a loader for other malware payloads, such as RedLine Stealer and the XMRig cryptocurrency mining malware.
Target Geolocations: CIS
Target Data: User Credentials, Browser Data, Financial and Personal Information, Cryptocurrency Wallets, Data From Browser Extensions
Target Businesses: Any
Exploits: N/A
Mitre ATT&CK for ZingoStealer
Initial Access:
Trojanized Applications
Credential Access:
Credentials from Password Stores
Steal Web Session Cookie
Unsecured Credentials
Credentials from Password Stores: Credentials from Web Browsers
Discovery:
Account Discovery
Software Discovery
Process Discovery
System Time Discovery
System Service Discovery
System Location Discovery
Persistence:
Registry Run Keys/Startup Folder
Scheduled Task/Job: Scheduled Task
Privilege Escalation:
N/A
Execution:
User Execution
Command and Scripting Interpreter: PowerShell
Evasion:
Obfuscated Files or Information
Collection:
Archive Collected Data: Archive via Utility
Data Staged: Local Data Staging
Command and Control:
Application Layer Protocol: Web Protocols
Exfiltration:
Exfiltration Over C2 Channel
IOCs
Domains:
nominally[.]ru
Additional Information:
Threat Spotlight: “Haskers Gang” Introduces New ZingoStealer
Which Cisco Products Can Block:
Cisco Secure Endpoint
Cisco Secure Email
Cisco Secure Firewall/Secure IPS
Cisco Secure Malware Analytics
Cisco Umbrella
Cisco Secure Web Appliance
BumbleBee Loader
Threat Type: Loader
Attack Chain:
Description: BumbleBee is a loader with anti-virtualization checks. The goal of the malware is to gain a foothold on the compromised system in order to download and execute additional payloads. BumbleBee has been observed loading Cobalt Strike, shellcode, Sliver and Meterpreter.
BumbleBee Spotlight: Security researchers noticed the appearance of new malware being used by Initial Access Brokers who previously relied on BazaLoader and IcedID. Dubbed BumbleBee due to the presence of the unique User-Agent string “bumblebee” in early campaigns, this malware appears to be in active development.
It already employs complex anti-virtualization techniques, uses asynchronous procedure call (APC) injection to launch its shellcode, and relies on LOLBins to avoid detection. The delivery chain relies on user interaction: the victim must follow the links and open a malicious ISO or IMG file. The loader achieves persistence via a scheduled task which launches a Visual Basic Script to load the BumbleBee DLL. Afterwards, the executing malware communicates with the command-and-control server and downloads additional payloads such as Cobalt Strike, shellcode, Sliver and Meterpreter. Threat actors using such payloads have been linked to ransomware campaigns.
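A detection sketch for the persistence and execution chain just described (a scheduled task launching a Visual Basic Script that loads the loader DLL through rundll32), added here as an example and not taken from the post or from Talos. The process events, paths and rule names are constructed, and the user-writable-path heuristic is an assumption to tune per environment.

```python
import ntpath
import re
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Heuristic for user-writable locations (an assumption; tune to your environment).
USER_WRITABLE = re.compile(r"\\(users|programdata|temp)\\", re.IGNORECASE)

# Constructed process-creation events (Sysmon event 1 style), not real telemetry.
EVENTS = [
    {"pid": 4100, "ppid": 900, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 20 /tn Updater /tr "wscript.exe C:\Users\bob\AppData\Local\Temp\upd.vbs"'},
    {"pid": 4200, "ppid": 800, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\bob\AppData\Local\Temp\upd.vbs"},
    {"pid": 4300, "ppid": 4200, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\upd.dll,Entry"},
    {"pid": 5000, "ppid": 800, "image": r"C:\Windows\System32\rundll32.exe",  # benign
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

def _basename(path: str) -> str:
    return ntpath.basename(path).lower()

def _dll_from_rundll32(cmdline: str) -> str:
    """Return the DLL path in 'rundll32.exe <dll>,<export>' (empty if absent)."""
    parts = cmdline.split(None, 1)
    return parts[1].strip('"').split(",", 1)[0] if len(parts) > 1 else ""

def detect(events: List[Dict]) -> List[Dict]:
    """Flag both links of the chain; returns one finding per matching event."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image, cmd = _basename(e["image"]), e["cmdline"]
        low = cmd.lower()
        # Rule 1: scheduled task whose action runs a script host on a .vbs in a user path.
        if (image == "schtasks.exe" and "/create" in low and "/tr" in low
                and any(h in low for h in SCRIPT_HOSTS) and ".vbs" in low
                and USER_WRITABLE.search(cmd)):
            findings.append({"pid": e["pid"], "rule": "schtasks_vbs_action"})
        # Rule 2: a script host spawned rundll32 loading a DLL from a user-writable path.
        parent = by_pid.get(e["ppid"])
        if (image == "rundll32.exe" and parent is not None
                and _basename(parent["image"]) in SCRIPT_HOSTS
                and USER_WRITABLE.search(_dll_from_rundll32(cmd))):
            findings.append({"pid": e["pid"], "rule": "vbs_host_rundll32_user_dll"})
    return findings
```

Run over the constructed events, `detect(EVENTS)` flags the task creation and the script-host-to-rundll32 hop while leaving the benign rundll32 call from a system path alone.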
Target Geolocations: Canada, U.S., Japan
Target Data: N/A
Target Businesses: Any
Exploits: N/A
Mitre ATT&CK for BumbleBee
Initial Access:
Malspam
Persistence:
Scheduled Task/Job
Execution:
Scheduled Task/Job: Scheduled Task
Command and Scripting Interpreter: Visual Basic
User Execution: Malicious File
Evasion:
System Binary Proxy Execution: Rundll32
Virtualization/Sandbox Evasion: System Checks
Process Injection: Asynchronous Procedure Call
Discovery:
System Information Discovery
System Network Configuration Discovery
System Network Connections Discovery
Collection:
N/A
Command and Control:
Application Layer Protocol
Exfiltration:
N/A
IOCs
Domains:
hxxps://www.transferxl[.]com/download/00zs2K2Njx25cf
hxxps://www.transferxl[.]com/download/00mP423PZy3Qb
hxxps://www.transferxl[.]com/download/00jmM0qhpgWydN
hxxps://www.transferxl[.]com/download/00jGC0dqWkf3hZ
hxxps://www.transferxl[.]com/download/00D6JXf66HJQV
hxxps://www.transferxl[.]com/download/006wWqw66ZHbP
hxxps://storage.googleapis[.]com/vke8rq4dfj4fej.appspot.com/sh/f/pub/m/0/fg6V6Rqf7gJNG.html
CS Domains:
hojimizeg[.]com
notixow[.]com
rewujisaf[.]com
IPs:
23.82.19[.]208
192.236.198[.]63
45.147.229[.]177
Additional Information:
This isn’t Optimus Prime’s Bumblebee but it’s Still Transforming
Orion Threat Alert: Flight of the BumbleBee
Which Cisco Products Can Block:
Cisco Secure Endpoint
Cisco Secure Email
Cisco Secure Firewall/Secure IPS
Cisco Secure Malware Analytics
Cisco Umbrella
Cisco Secure Web Appliance