A Bumblebee-inspired Crypter
BumbleCrypt is inspired by Bumblebee's crypter. In Bumblebee's case the main Bumblebee DLL is loaded into memory and executed in the following way:
While analyzing Bumblebee's crypter I realized that the decrypted DLL could be loaded with just one inline hook on "NtMapViewOfSection" instead of the three inline hooks used in Bumblebee's crypter. As a result, "BumbleCrypt" was developed.
The BumbleCrypt:
BumbleCrypt first loads an encrypted resource from the .rsrc section and then decrypts the final DLL payload in three layers: encrypted resource -> Base64 decode -> RC4 decrypt -> XOR decrypt.
The crypter stores the decrypted DLL payload on the heap, just like Bumblebee's crypter.
Once the final payload is decrypted, BumbleCrypt inline-hooks the native API "NtMapViewOfSection", the function the loader uses to map a view of a section (here, the image section of the DLL being loaded) into the process's virtual address space.
BumbleCrypt then calls LoadLibraryW("msimg32.dll"). Now let's understand how the inline hook is triggered:
If we take a look at the screenshot of BumbleCrypt's loaded modules, we can see that it lists "msimg32.dll", but the base address points to the decrypted malicious payload rather than the legitimate library.
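That symptom, a module whose name says msimg32.dll but whose base holds a different image, is what a defender can check for. The following is an added example, not code from BumbleCrypt or Bumblebee: it compares the PE header actually mapped at a module's base with the header of the file on disk and reports any field a stomped module cannot keep consistent. Both header buffers are constructed inline; in a real scan they would come from reading the file and the target process's memory (e.g. via ReadProcessMemory), which is assumed rather than shown.

```python
import struct
from dataclasses import dataclass

@dataclass(frozen=True)
class PeSummary:
    timestamp: int          # COFF TimeDateStamp
    size_of_image: int      # OptionalHeader.SizeOfImage
    sections: tuple         # section names in table order

def build_pe(timestamp, size_of_image, section_names):
    """Build a minimal PE header (constructed sample, not a real binary) so the demo runs offline."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew -> PE signature at offset 64
    opt = bytearray(96)                                        # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                      # Magic = PE32
    struct.pack_into("<I", opt, 56, size_of_image)             # SizeOfImage lives at +56 in both PE32/PE32+
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), timestamp, 0, 0, len(opt), 0x2102)
    sections = b"".join(n.ljust(8, b"\0") + bytes(32) for n in section_names)   # 40-byte entries
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections

def summarize_pe(image):
    """Pull out the header fields a hollowed/stomped module cannot keep consistent with its file."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsec, timestamp, opt_size = struct.unpack_from("<xxHIxxxxxxxxH", image, coff)
    opt = coff + 20
    size_of_image = struct.unpack_from("<I", image, opt + 56)[0]
    table = opt + opt_size
    names = tuple(image[table + i * 40: table + i * 40 + 8].rstrip(b"\0") for i in range(nsec))
    return PeSummary(timestamp, size_of_image, names)

def check_module(name, disk_image, memory_image):
    """Compare the mapped header with the on-disk one; a clean module yields an empty finding list."""
    try:
        disk, mem = summarize_pe(disk_image), summarize_pe(memory_image)
    except ValueError as exc:
        return [f"{name}: unparsable header in memory or on disk ({exc})"]
    findings = []
    if disk.timestamp != mem.timestamp:
        findings.append(f"{name}: TimeDateStamp {mem.timestamp:#x} != disk {disk.timestamp:#x}")
    if disk.size_of_image != mem.size_of_image:
        findings.append(f"{name}: SizeOfImage {mem.size_of_image:#x} != disk {disk.size_of_image:#x}")
    if disk.sections != mem.sections:
        findings.append(f"{name}: section table {mem.sections} != disk {disk.sections}")
    return findings

# Constructed samples: the library as it looks on disk vs. what sits at its base after the swap.
MSIMG32_ON_DISK = build_pe(0x5F3A1B2C, 0x6000, [b".text", b".rdata", b".data", b".reloc"])
STOMPED_IN_MEMORY = build_pe(0x60ABCDEF, 0x2A000, [b".text", b".rdata", b".data", b".rsrc", b".reloc"])
```

The same comparison can be extended to the full header bytes (minus relocated fields) or to a hash of each section's mapped code, which is how memory-scanning tools flag a legitimately named module that no longer matches its file.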
Thank you so much! Hope you liked it =D Ciao.
You can contact me on Twitter if you have any feedback or comments.
Twitter: https://twitter.com/knight0x07
For educational purposes only. It is a personal weekend project =)