Bumblebee Malware from TransferXL URLs, (Thu, May 19th)


Last month, Google’s Threat Analysis Group (TAG) reported on EXOTIC LILY using file transfer services like TransferNow, TransferXL, WeTransfer, or OneDrive to distribute malware (link).  Threat researchers like @k3dg3 occasionally report malware samples from this activity.  Based on @k3dg3’s recent tweet, I searched through VirusTotal and found a handful of active TransferXL URLs delivering ISO files for Bumblebee malware.

Today’s diary reviews an infection generated from this activity on Wednesday 2022-05-18.

Shown above:  Flow chart for infection discussed in this diary.

TransferXL URLs

TransferXL is a legitimate file sharing service.  However, like other services with a cost-free tier, TransferXL has been abused by criminals as a way to distribute malicious files.  With TransferXL, we have the benefit of seeing the email address used to share the malicious file.  The image below shows a malicious TransferXL URL recently submitted to VirusTotal.  Viewed in a web browser, it sends a malicious file.  The associated email address is jhurris@wolsleyindustrialgroup.com.

Shown above:  Malicious TransferXL URL delivering malware.

The downloaded zip archive contains an ISO disk image.  When double-clicked, this file is mounted as a DVD drive.  The ISO file contains a visible Windows shortcut and a hidden malware DLL for Bumblebee.  Double-clicking the Windows shortcut will run the hidden malware DLL on a vulnerable Windows host.

Shown above:  Downloaded ISO file mounted as a disk image containing Windows shortcut and hidden malware DLL.
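To show the ISO lure from the defender's side, the following is an added example (my own code, not from the diary, from any Bumblebee sample, or from a library) that builds a constructed ISO 9660 image holding a visible Windows shortcut next to a file whose ISO 9660 "hidden" file flag is set, then parses the root directory with the standard library only and flags that combination for triage.  The file names DOCUMENT.LNK and PAYLOAD.DLL, the volume label, and the file contents are constructed placeholders, not indicators from this infection.  The parser reads only the primary volume descriptor's root directory, so Joliet or UDF directory trees are outside its scope.

```python
"""Triage an ISO 9660 image for the lure pattern: a visible .lnk shortcut
beside a file carrying the ISO 9660 "hidden" (existence) flag.
Standard library only; parses the root directory of the primary volume."""
import struct

SECTOR = 2048
FLAG_HIDDEN = 0x01      # ISO 9660 file flags bit 0: "existence" -> hidden entry
FLAG_DIRECTORY = 0x02   # ISO 9660 file flags bit 1: directory


def _both_endian_32(value):
    """ISO 9660 stores 32-bit fields as little-endian followed by big-endian."""
    return struct.pack("<I", value) + struct.pack(">I", value)


def _both_endian_16(value):
    return struct.pack("<H", value) + struct.pack(">H", value)


def _dir_record(name, lba, size, flags):
    """Build one ISO 9660 directory record (ECMA-119, 9.1)."""
    ident = name.encode("ascii")
    body = (
        b"\x00"                     # extended attribute record length
        + _both_endian_32(lba)      # location of extent (logical block)
        + _both_endian_32(size)     # data length in bytes
        + bytes(7)                  # recording date/time (zeroed here)
        + bytes([flags])            # file flags
        + b"\x00\x00"               # file unit size, interleave gap size
        + _both_endian_16(1)        # volume sequence number
        + bytes([len(ident)])       # length of file identifier
        + ident                     # file identifier, e.g. b"PAYLOAD.DLL;1"
    )
    if len(body) % 2 == 0:          # length byte + body must be even: pad
        body += b"\x00"
    return bytes([len(body) + 1]) + body


def build_sample_iso(entries):
    """Constructed sample image (not a real sample): a root directory holding
    the given (identifier, flags, content) entries, one extent each."""
    root_lba, data_lba = 18, 19
    records = [_dir_record("\x00", root_lba, SECTOR, FLAG_DIRECTORY),   # "."
               _dir_record("\x01", root_lba, SECTOR, FLAG_DIRECTORY)]   # ".."
    payloads = []
    for ident, flags, content in entries:
        records.append(_dir_record(ident, data_lba, len(content), flags))
        sectors = -(-len(content) // SECTOR) or 1   # round up, at least one
        payloads.append(content + bytes(sectors * SECTOR - len(content)))
        data_lba += sectors
    root_dir = b"".join(records).ljust(SECTOR, b"\x00")

    pvd = bytearray(SECTOR)
    pvd[0:7] = b"\x01CD001\x01"                     # type 1 = primary volume descriptor
    pvd[40:72] = b"SAMPLE_ISO".ljust(32)            # volume identifier (placeholder)
    pvd[156:190] = _dir_record("\x00", root_lba, SECTOR, FLAG_DIRECTORY)
    terminator = bytearray(SECTOR)
    terminator[0:7] = b"\xffCD001\x01"              # volume descriptor set terminator
    # 16 system-area sectors, PVD (sector 16), terminator (17), root dir (18), data
    return bytes(16 * SECTOR) + bytes(pvd) + bytes(terminator) + root_dir + b"".join(payloads)


def parse_root_directory(image):
    """Return [(name, flags, size)] for every file in the root directory."""
    pvd = image[16 * SECTOR:17 * SECTOR]
    if pvd[0:6] != b"\x01CD001":
        raise ValueError("not an ISO 9660 primary volume descriptor")
    root = pvd[156:190]
    root_lba = struct.unpack_from("<I", root, 2)[0]
    root_size = struct.unpack_from("<I", root, 10)[0]
    directory = image[root_lba * SECTOR:root_lba * SECTOR + root_size]

    entries, offset = [], 0
    while offset < len(directory):
        length = directory[offset]
        if length == 0:                 # zero fill: records never cross a sector
            offset = (offset // SECTOR + 1) * SECTOR
            continue
        record = directory[offset:offset + length]
        offset += length
        ident = record[33:33 + record[32]]
        if ident in (b"\x00", b"\x01"):  # skip "." and ".."
            continue
        name = ident.decode("ascii").split(";")[0]   # drop the ";1" version suffix
        size = struct.unpack_from("<I", record, 10)[0]
        entries.append((name, record[25], size))
    return entries


def triage(entries):
    """Flag the lure: a visible .lnk next to a hidden, non-directory file."""
    hidden = [n for n, f, _ in entries if f & FLAG_HIDDEN and not f & FLAG_DIRECTORY]
    shortcuts = [n for n, f, _ in entries
                 if not f & FLAG_HIDDEN and n.upper().endswith(".LNK")]
    return {"hidden_files": hidden, "visible_shortcuts": shortcuts,
            "suspicious": bool(hidden and shortcuts)}


if __name__ == "__main__":
    # Constructed entries; names and contents are placeholders, not IOCs.
    image = build_sample_iso([("DOCUMENT.LNK;1", 0, b"<constructed shortcut>"),
                              ("PAYLOAD.DLL;1", FLAG_HIDDEN, b"<constructed dll>")])
    print(triage(parse_root_directory(image)))
```

Pointing `parse_root_directory` at the bytes of a real downloaded ISO gives the same kind of result; the parser sees the hidden flag directly in the directory record, so it does not depend on how the host chooses to display the mounted drive.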

Traffic from an infection

After downloading malware from the malicious TransferXL URL, the infected host generated Bumblebee C2 traffic.

