Among the threat actors distributing Bumblebee is Projector Libra. Also known as EXOTIC LILY, Projector Libra is a criminal group that uses file sharing services to distribute malware after direct email correspondence with a potential victim. Projector Libra has been reported as an initial access broker with ties to Conti ransomware.
Projector Libra's malware is distributed through email campaigns. To start the contact, the group sends an innocent message with a word or phrase from a dictionary. For example:
"What do you think of T-Shirt? I have one for sale", "Hi, I'm new here", "You seem like a nice person. You interested in joining my team?"
Once the victim replies to these messages or contacts Projector Libra directly, they are directed to a fake Office 365 login screen.
The fake login page is hosted on a compromised site and includes two ZIP files. One ZIP file is an executable that makes the victim's machine vulnerable. The second ZIP file contains the contents of the real Office 365 login screen to avoid raising suspicion.
Finally, Projector Libra sends a message to inform victims that they need to update their Office 365 software before logging in again. This message is sent from an impersonated Gmail account. Once logged into the compromised Office 365 email account, malicious code is uploaded and executed on the victim's machine.
The payload of Projector Libra's malware includes three stages: a dropper, a downloader and ransomware. The first stage, the dropper, is downloaded from a compromised site and installed on the victim's machine.
The second stage is a downloader that uses an obfuscated URL to download the final stage, the ransomware. The executable downloaded by the second stage contains two files: CommandLineAnalyzer-Lite.exe and CommandLineAnalyzer-Lite_setup.exe. This method resembles Conti, but there are differences in behaviors and command line structures. The most notable difference is that Projector Libra does not use CryptoWall 3.0.1 or any known encryptor, unlike Conti.
The ransomware delivered by Projector Libra uses the same method to attempt to encrypt the victim's files as Kasidet but it is not clear whether these two ransomware families are related. This ransomware also employs a .vbs file that contains encoded information about the compromised machine and system information.
With this data, the operator can determine whether the infected system is running an older version of Windows and then deploy newer versions of its malware that employ newer encryption schemes to avoid detection. For example, Kasidet will be downloaded only if the version of Windows is more than seven years old, such as Windows Vista or XP.