xHunt Campaign: New BumbleBee Webshell and SSH Tunnels Used for Lateral Movement

From unit42.paloaltonetworks.com

The BumbleBee webshell, conceptually illustrated here, was discovered as part of an investigation of the continued xHunt campaign.

In September 2020, we began investigating a Microsoft Exchange server at a Kuwaiti organization that a threat group had compromised as part of the continued xHunt campaign. This investigation resulted in the discovery of two new backdoors, TriFive and Snugy, which we discussed in a prior blog, as well as a new webshell that we call BumbleBee and describe in greater detail in this blog. We chose this name because the color scheme of the BumbleBee webshell consists of white, black and yellow, as seen in Figure 1.
