BumbleBee to deploy Meterpreter agent and Cobalt Strike beacons.

released on 2022-11-14 @ 09:11:49 AM
The DFIR Report team has released its latest post, covering an intrusion from May 2022. The threat actor used BumbleBee as the initial access vector, delivered through a Contact Forms campaign. The intrusion began with the delivery of an ISO file that contained an LNK and a DLL. The threat actors leveraged BumbleBee to load a Meterpreter agent and Cobalt Strike Beacons. They then performed reconnaissance, used two UAC bypass techniques, dumped credentials, escalated privileges using a ZeroLogon exploit, and moved laterally through the environment.