Introduction
Last month, Google’s Threat Analysis Group (TAG) reported on EXOTIC LILY using file transfer services like TransferNow, TransferXL, WeTransfer, or OneDrive to distribute malware. Threat researchers like @k3dg3 occasionally report malware samples from this activity. Based on @k3dg3’s recent tweet, I searched through VirusTotal and found a handful of active TransferXL URLs delivering ISO files for Bumblebee malware.
Today’s diary reviews an infection generated from this activity on Wednesday 2022-05-18.
Shown above: Flow chart for infection discussed in this diary.
TransferXL URLs
TransferXL is a legitimate file sharing service. However, like other services with a cost-free tier, TransferXL has been abused by criminals to distribute malicious files. With TransferXL, we have the benefit of seeing the email address used to share the malicious file. The image below shows a malicious TransferXL URL recently submitted to VirusTotal. Viewed in a web browser, it delivers a malicious file. The associated email address is jhurris@wolsleyindustrialgroup.com.
Shown above: Malicious TransferXL URL delivering malware.
The downloaded zip archive contains an ISO disk image. When double-clicked, this file is mounted as a DVD drive. The ISO file contains a visible Windows shortcut and a hidden malware DLL for Bumblebee. Double-clicking the Windows shortcut will run the hidden malware DLL on a vulnerable Windows host.
Shown above: Downloaded ISO file mounted as a disk image containing Windows shortcut and hidden malware DLL.
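To show what that ISO layout looks like on disk, here is an added Python example (not code from the diary or from the malware) that builds a constructed ISO 9660 image with the same pattern and then parses its root directory, flagging a visible .lnk next to a hidden .dll. The file names and contents are made up, it reads only the plain ISO 9660 tree using the ECMA-119 file-flag "hidden" bit (bit 0), and it does not parse Joliet or UDF trees, so a clean result from this check alone is not conclusive.

```python
import struct

SECTOR = 2048

def _record(name: bytes, extent: int, size: int, flags: int) -> bytes:
    """Build one ISO 9660 directory record (ECMA-119 9.1); length byte counts itself."""
    body = (bytes([0]) + struct.pack("<I", extent) + struct.pack(">I", extent)
            + struct.pack("<I", size) + struct.pack(">I", size) + bytes(7)
            + bytes([flags, 0, 0]) + b"\x01\x00\x00\x01" + bytes([len(name)]) + name)
    body += b"\x00" * ((len(body) + 1) % 2)      # records must have even length
    return bytes([len(body) + 1]) + body

def build_iso(files: dict) -> bytes:
    """Constructed minimal single-directory ISO 9660 image (no Joliet/UDF, no path tables)."""
    root_lba, data_lba = 18, 19
    records, blobs = b"", b""
    for name, (content, flags) in files.items():
        records += _record(name.encode() + b";1", data_lba, len(content), flags)
        padded = content.ljust(-(-len(content) // SECTOR) * SECTOR, b"\0")
        blobs += padded
        data_lba += len(padded) // SECTOR
    root = _record(b"\x00", root_lba, SECTOR, 2)          # flag bit 1 = directory
    directory = (root + _record(b"\x01", root_lba, SECTOR, 2) + records).ljust(SECTOR, b"\0")
    pvd = (b"\x01CD001\x01\x00" + b" " * 148 + root).ljust(SECTOR, b"\0")  # root record at 156
    term = b"\xffCD001\x01".ljust(SECTOR, b"\0")            # volume descriptor set terminator
    return bytes(16 * SECTOR) + pvd + term + directory + blobs

def list_iso_root(image: bytes) -> list:
    """Walk the root directory of the ISO 9660 tree; returns (name, hidden, is_dir) tuples."""
    pvd = image[16 * SECTOR:17 * SECTOR]
    if pvd[1:6] != b"CD001":
        raise ValueError("not an ISO 9660 image (no primary volume descriptor)")
    root = pvd[156:190]
    lba, size = struct.unpack_from("<I", root, 2)[0], struct.unpack_from("<I", root, 10)[0]
    data = image[lba * SECTOR:lba * SECTOR + size]
    entries, pos = [], 0
    while pos < size:
        length = data[pos]
        if length == 0:                        # records never span sectors: skip sector padding
            pos = (pos // SECTOR + 1) * SECTOR
            continue
        flags, nlen = data[pos + 25], data[pos + 32]
        name = data[pos + 33:pos + 33 + nlen].split(b";")[0].decode("ascii", "replace")
        if name not in ("\x00", "\x01"):       # skip the '.' and '..' records
            entries.append((name, bool(flags & 1), bool(flags & 2)))
        pos += length
    return entries

def lnk_with_hidden_dll(entries) -> bool:
    """Flag the lure pattern from this diary: a visible .lnk beside a hidden .dll."""
    names = {n.lower(): hidden for n, hidden, is_dir in entries if not is_dir}
    has_lnk = any(n.endswith(".lnk") and not h for n, h in names.items())
    return has_lnk and any(n.endswith(".dll") and h for n, h in names.items())

# Constructed sample image: visible shortcut plus a DLL carrying the hidden flag.
SAMPLE_ISO = build_iso({"DOCUMENT.LNK": (b"L\x00\x00\x00", 0), "PAYLOAD.DLL": (b"MZ", 1)})
SAMPLE_ENTRIES = list_iso_root(SAMPLE_ISO)
```

Running `list_iso_root` on a real downloaded .iso gives the same tuples, and `lnk_with_hidden_dll` is a quick triage filter before the image is ever mounted.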
Traffic from an infection
After downloading malware from the malicious TransferXL URL, the infected host generated Bumblebee C2 traffic.