BumbleBee Webshell Description
The xHunt threatening campaign is not only still ongoing, but infosec researchers are detecting new malware tools being deployed by the hackers. The latest one unearthed by the experts at Palo Alto Networks is called BumbleBee Webshell. The attackers used this particular tool as part of the compromise of a Microsoft Exchange server belonging to a Kuwaiti organization. Furthermore, the BubleBee Webshell also was detected inside the internal IIS (Internet Information Services) servers of two different Kuwaiti organizations, as well as the one that owned the compromised Exchange server.
To contact BumbleBee Webshell on servers opened to the Internet, the hackers used VPNs (Virtual Private Networks) provided by Private Internet access. Thanks to this method, the attackers were capable of changing their IP address, making it appear as if the connection originated from various, different countries, including Sweden, Belgium, Germany, Italy, Ireland, the Netherlands, Portugal, Luxembourg, Poland and the United Kingdom. At the same time, the cybercriminals switched between different operating systems - Windows 10, Windows 8.1, and Linux, and different Web browsers - Mozilla Firefox and Google Chrome. The goal is to hamper any attempts for detection and to make analysis that much harder.
The BumbleBee Webshell is a Threatening Malware
To access the BumbleBee Webshell on the internal IIS Web servers, which are not accessible from the Internet directly, the threat actor established SSH tunnels. Evidence suggests that through the PuTTY Link (Plink) tool, the hackers created SSH tunnels that served as a connection to the compromised network's internal services.
To fully deploy the BumbleBee Webshell and initiate its functionality, two passwords have to be provided. The first one is needed to simply view the webshell, while the second is required to interact with it. BumbleBee recognized three commands in total, but they are more than enough to conduct a variety of threatening operations:
- Execute arbitrary commands through cmd/c
- Upload files to a specific folder on the attacker's server
- Download additional files from the server
Analysis of the activity on the three compromised servers revealed that the attackers run commands to discover user account credentials, as well as other systems connected to the same internal network. At the same time, the BumbleBee Webshell could also be leveraged for lateral movement with the victim's network.