We're gradually updating threat actor names in our reports to align with the new weather-themed taxonomy. Learn about Microsoft threat actor names
Trojan:PowerShell/Bumblebee.RQB!MTB
Aliases: No associated aliases
Summary
Microsoft Defender Antivirus detects and removes this threat.
This trojan is a Bumblebee loader first observed in March 2022. The Bumblebee payload was observed delivering Cobalt Strike, and Metasploit Meterpreter. This trojan is delivered using an ISO disc image file which contains a LNK (Windows shortcut) file and DLL. Attackers typically distribute the trojan as an email attachment. Once installed, the LNK file uses cmd.exe to launch a DLL file that is also contained in the ISO. This trojan has the potential to lead to ransomware activity.
Microsoft Defender Antivirus automatically removes threats as they are detected. If you have cloud-delivered protection, your device gets the latest defenses against new and unknown threats. If you don't have this feature enabled, update your antimalware definitions and run a full scan to remove this threat.
To help reduce the impact of this threat, you can:
- Assume that this device is compromised. Inspect the device thoroughly, check for malicious activities in its timeline and isolate it from the network if possible.
- Investigate how the affected device might have been compromised. Check web and email traffic to determine how the payload arrived.
- Check for credential theft attempts. Even without clear indicators, consider decommissioning or resetting all accounts used on this device.
- Determine how this device was compromised by checking the mailbox for unsolicited emails that contained suspicious attachments or links, or by scanning the device for the presence of Bumblebee.
- Ensure server systems are restricted from accessing the internet for arbitrary browsing, downloads, or malware command-and-control (C2) traffic by using network firewall rules at the perimeter as well as proxy settings.
- Initiate an incident response process, focusing on responding to possible data exfiltration and ransomware deployment, both of which attackers might have already performed. Contact your incident response team. If you don't have one, contact Microsoft support for investigation and remediation services.
You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.
