BumbleBee Opens Exchange Servers in xHunt Spy Campaign

bumblebee xhunt web shell

The BumbleBee web shell allows APT attackers to upload and download files, and move laterally by running commands.

A webshell called BumbleBee has taken flight in an ongoing xHunt espionage campaign that has targeted Microsoft Exchange servers at Kuwaiti organizations.

According to researchers at Palo Alto Networks’ Unit 42, BumbleBee (so named because of its color scheme) was observed being used to upload and download files to and from a compromised Exchange server back in September.

“We found BumbleBee hosted on an internal Internet Information Services (IIS) web server on the same network as the compromised Exchange server, as well as on two internal IIS web servers at two other Kuwaiti organizations,” researchers explained in a Monday blog.

2020 Reader Survey: Share Your Feedback to Help Us Improve

Analysis showed that the attackers used VPN access to directly talk to BumbleBee, frequently switching between different VPN servers that appeared to be from different countries, including Belgium, Germany, Ireland, Italy, Luxembourg, the Netherlands, Poland, Portugal, Sweden and the United Kingdom.

This hodgepodge approach was also borne out in the rotation of different operating systems and browsers, specifically Mozilla Firefox or Google Chrome on Windows 10, Windows 8.1 or Linux systems, the firm found.

“We believe this is an attempt to evade detection and make analysis of the malicious activities more difficult,” Unit 42 researchers noted. “This [also] suggests the actor has access to multiple systems and uses this to make analysis of the activities more difficult, or that there are multiple actors involved, who have differing preferences for operating systems and browsers.”

BumbleBee was also used in lateral-movement efforts, running commands from the attackers to discover additional systems. And indeed, the researchers discovered additional BumbleBee webshells hosted on internal IIS web servers that are not connected to the internet at all three Kuwaiti organizations. The cyberattackers used SSH tunnels to interact with these, created using the PuTTY Link (Plink) tool.

“We observed the actor using Plink to create an SSH tunnel for TCP port 3389, which suggests that the actor used the tunnel to access the system using Remote Desktop Protocol (RDP),” researchers wrote. “We also observed the actor creating SSH tunnels to internal servers for TCP port 80, which suggests the actor used the tunnel to access internal IIS web servers. We believe that the actor accessed these additional internal IIS web servers to leverage file uploading functionality in internal web applications to install BumbleBee as a method of lateral movement.”

BumbleBee: Password Pollination

Looking deeper into the web shell, Unit 42 found that BumbleBee requires an attacker to supply one password to view the web shell, and a second password to interact with it.

“The actor must [first] provide a password in a URL parameter named parameter,” according to the firm. “Otherwise, the form used to interact with BumbleBee will not display in the browser. To check the supplied password for authentication, the web shell will generate an MD5 hash of the parameter value and check it with a hardcoded MD5 hash.”

Once the operators are able to access BumbleBee, it provides three main functionalities: Executing commands, and uploading and downloading files from the compromised server.

“To carry out any of these functions, the actor must supply a second password,” researchers wrote. “The BumbleBee web shell will generate an MD5 hash of the password and check it with a hardcoded MD5 hash before carrying out the functionality.”

BumbleBee, the Spy Bee

In looking at the IIS server logs and other logs from the Exchange server, the researchers were able to observe the HTTP POST requests generated when the attackers issued commands via BumbleBee.

After some additional analysis, researchers were able to piece together a fuller picture of what BumbleBee is specifically used for.

“The actor spent three hours and 37 minutes on Sept. 16, 2020, running commands via the BumbleBee web shell installed on the [first] compromised Exchange server,” according to the analysis.

The activities included performing network discovery using ping and net group commands, as well as PowerShell to find additional computers on the network; and, performing account discovery using the whoami and quser commands. The attackers also determined the system time using the W32tm and time commands; and created an SSH tunnel using Plink to a remote host and used RDP over that SSH tunnel to control the compromised computer. They also performed lateral movement to another system by mounting a shared folder; and, finally, they removed evidence of the attack by deleting BumbleBee after they were done issuing commands.

In addition to analyzing commands executed on the compromised Exchange server, Unit 42 also analyzed the commands executed on the BumbleBee web shell at an internal IIS web server hosted at one of the two other Kuwaiti organizations.

“On Sept. 10, 2020, we found that the actor ran several commands to perform network and user account discovery. Additionally, the actor used BumbleBee to upload a second web shell with a filename of cq.aspx. The actor used this second web shell to run a PowerShell script that issued SQL queries to a Microsoft SQL Server database.”

Ongoing Campaign

The the known xHunt threat group, which was first discovered in 2018 and has previously launched an array of attacks targeting the Kuwait government, as well as shipping and transportation organizations, has steadily updated its arsenal of tools, all in the service of spying on their targets.

The most recent campaign stretched back to February, when xHunt compromised an Exchange server via Outlook Web App using compromised credentials.

“The actor used the search functionality within Outlook Web App to search for email addresses, including searching for the domain name of the compromised Kuwaiti organization to get a full list of email addresses, as well as specific keywords, such as helpdesk,” researchers explained. “We also saw the actor viewing emails in the compromised account’s inbox, specifically emails from service providers and technology vendors. Additionally, the actor viewed alert emails from a Symantec product and Fortinet’s FortiWeb product.”

This searching for emails to the helpdesk and viewing security alert emails suggests that xHunt was keeping abreast of whether the Kuwaiti organization had noticed malicious activity.

“The attempts to conceal their location and the focus on viewing emails that might notify administrators of the compromised network of the attacker’s presence may explain how the actor was able to maintain a presence on the compromised network for many months,” the researchers noted.

Supply-Chain Security: A 10-Point Audit Webinar: Is your company’s software supply-chain prepared for an attack? On Wed., Jan. 20 at 2p.m. ET, start identifying weaknesses in your supply-chain with actionable advice from experts – part of a limited-engagement and LIVE Threatpost webinar. CISOs, AppDev and SysAdmin are invited to ask a panel of A-list cybersecurity experts how they can avoid being caught exposed in a post-SolarWinds-hack world. Attendance is limited: Register Now and reserve a spot for this exclusive Threatpost Supply-Chain Security webinar – Jan. 20, 2 p.m. ET.

Suggested articles