2022-08-18

Ramnit is an older malware family that originated in 2010 as a worm and swiftly evolved into a modular backdoor and banking trojan. Ramnit spread prolifically over the next few years, growing into a botnet with several million infected systems worldwide until it was subject to a takedown by Europol in early 2015. The impact of the takedown did not last long: by the end of 2015 Ramnit had returned and was once again in active development. The malware struggled to regain its previous momentum, however, and the following years were characterised by campaigns of activity followed by periods of quiet.

A notable development occurred in mid-2018, when Ramnit relaunched, infecting 100,000 devices in two months and demonstrating significant code updates. These included new loader modules that made extensive use of a custom hooking library for both payload execution and AV evasion; web injects updated from Zeus-style to Lua-style; and a new name, ‘Camellia’, replacing the original ‘Demetra’ designation. The reason for this overhaul is unknown, but some researchers noted that the code style had changed and speculated that the malware may have had new developers.

Ramnit went through another quieter period during 2019 and 2020, with no significant developments observed. Then in early 2021, new Ramnit samples were observed using the internal name ‘hooker2.dll’, which matched several of the samples observed during Ramnit’s resurgence in August 2018. The sample code was similar to its 2018 counterparts but had gone through several updates, which included the addition of the OpenSSL library.

In August 2021, X-Force spotted a new malware, which we shall refer to here as ‘Bumblebee Beta’, being deployed during a campaign exploiting the CVE-2021-4044 Microsoft Office vulnerability. This activity was attributed to the initial access broker “Exotic Lily”, which X-Force tracks as Hive0110 and which has previously distributed BazarLoader. This new malware primarily operated as a downloader and was capable of receiving payloads, such as Cobalt Strike, from the C2, which it would inject into a process randomly chosen from a hardcoded list. It was notable for using the user-agent string ‘bumblebee’, which overlaps with the full version and is how the malware’s eventual name was derived. During our analysis at the time, we observed a number of significant code overlaps with Ramnit, including identical lists of inject targets, similar hooking and unhooking code, use of the OpenSSL library, and the presence of two unused intermediary loader binaries stored in the malware’s data section, which were almost identical to those used in the 2018 and 2021 variants of Ramnit.

In March 2022, the full version of Bumblebee was released and quickly used in a number of large-scale campaigns by distribution affiliates of threat group ITG23 (also known as the Trickbot/Conti group), such as Exotic Lily, TA579, and TA578 (tracked by X-Force as Hive0107). The malware appeared to be used as a replacement for ITG23’s BazarLoader, which had not been seen since February, and it has been observed downloading payloads including Cobalt Strike, Sliver, and Meterpreter. Bumblebee has also since been linked to ransomware operations involving Conti and MountLocker/Quantum.

Bumblebee has received several updates over the prior six months and now has full C2 communication and tasking functionality implemented, as well as anti-AV and anti-analysis code. It is capable of gathering system information, installing itself for persistence, and receiving and loading payloads including DLLs and shellcode. The intermediary loader binaries that were present but unused in Bumblebee Beta are now used as part of the fully implemented payload injection process.

Bumblebee still bears significant resemblance to Ramnit. In addition to the previously mentioned similarities, such as the inject and hooking functionality, Bumblebee was also found to contain the string ‘Z:\hooker2\Common\md5.cpp’, suggesting it may have reused code from a project called ‘hooker2’, which is the internal name used in several of the 2018 and 2021 Ramnit samples. An identical string was subsequently found in a 2021 Ramnit sample.
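The two overlap strings called out above (the ‘bumblebee’ user-agent and the ‘Z:\hooker2\Common\md5.cpp’ path) are the kind of artefact a triage script can look for in a dumped section or unpacked binary. The following is an added example written for this article, not X-Force tooling; it scans a constructed blob for both strings in ASCII and UTF-16LE, since a narrow-only search misses wide strings common in Windows binaries.

```python
"""Scan a binary blob for the two Bumblebee/Ramnit overlap strings the article names."""

# Indicator strings taken from the article: the 'bumblebee' user-agent and the
# hooker2 source path. Each is matched in ASCII and in UTF-16LE, since Windows
# binaries store strings in either encoding and a narrow-only scan misses wide ones.
INDICATORS = {
    "user_agent": "bumblebee",
    "hooker2_path": r"Z:\hooker2\Common\md5.cpp",
}
ENCODINGS = {"ascii": "ascii", "utf-16le": "utf-16-le"}


def scan_blob(blob: bytes) -> list:
    """Return (indicator, encoding, offset) for every occurrence, sorted by offset."""
    hits = []
    for name, value in INDICATORS.items():
        for label, codec in ENCODINGS.items():
            needle = value.encode(codec)
            start = 0
            while (pos := blob.find(needle, start)) != -1:
                hits.append((name, label, pos))
                start = pos + 1  # keep searching past this hit for repeats
    return sorted(hits, key=lambda h: h[2])


def classify(blob: bytes) -> str:
    """Summarise which of the article's two overlap indicators the blob contains."""
    names = {name for name, _, _ in scan_blob(blob)}
    if names == set(INDICATORS):
        return "both"
    return "partial:" + ",".join(sorted(names)) if names else "none"


# Constructed sample (not a real binary): the user-agent stored as ASCII and the
# source path stored as UTF-16LE, surrounded by filler bytes.
SAMPLE_BLOB = (
    b"\x00" * 16
    + b"User-Agent: bumblebee\r\n"
    + b"\x90" * 8
    + "Z:\\hooker2\\Common\\md5.cpp".encode("utf-16-le")
    + b"\x00" * 4
)

if __name__ == "__main__":
    for name, enc, off in scan_blob(SAMPLE_BLOB):
        print(f"{name:12} {enc:8} @0x{off:04x}")
    print(classify(SAMPLE_BLOB))
```

A hit on either string alone is only a lead for further analysis; the article's attribution rests on the combination of shared inject lists, hooking code, OpenSSL usage and loader binaries, not on one string.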