


Over the last couple of months, we have been sharing blog posts on the topic of social engineering with the intent to help raise awareness about the increasingly sneaky tactics attackers are using. One of the posts from January featured several basic social engineering attack examples. As a follow-up to that post, we wanted to share a couple of additional recent examples showing how attackers are using the file sharing sites WeTransfer and Smash to distribute Bumblebee malware via sales Request For Proposals (RFPs).

Bumblebee Threat Overview and Attack Characteristics

Bumblebee is a stealthy malware loader that is not easily detected by antivirus vendors because it often can install itself in memory without touching the disk, which then allows additional malware to be installed, such as ransomware or Cobalt Strike. Bumblebee is distributed by phishing email campaigns recently observed masquerading as a Product Requirement Document (PRD) or a Request for Proposal (RFP). In September of 2021, Google Threat Analysis Group (TAG) began observing Bumblebee malware and identified EXOTIC LILY as the threat actor. Financially motivated, EXOTIC LILY operates as an Initial Access Broker (IAB) and has been associated with data exfiltration and human-operated ransomware, including Conti and Diavol. EXOTIC LILY operates by spoofing legitimate companies and employees as a means of gaining the trust of targeted organizations, using legitimate file-sharing services like Smash and WeTransfer to evade malware detection tools and deliver their payload disguised as business requirements or proposals.

The characteristics of the attacks that zvelo has seen in the last few weeks are consistent with the same tactics, techniques, and procedures (TTPs) that were originally observed by TAG. The threat actors begin by submitting a contact us form via a vendor or company's website using a spoofed company and identity. The oddly worded message, plus a quick verification via LinkedIn showed that the legitimate Damcosoft company using a [...] .net indicated by the email in the form submission, raised suspicions. In this case, the target was unable to verify whether the supposed employee who submitted the form actually existed. Most companies will use some type of autoresponder message to sales form enquiries, which the attacker then used to create a notification from WeTransfer that Ryan Nelson shared a product requirements document with a link to download the file and a password to download the document.

In a different example, a threat actor (possibly the same threat actor) attempted to engage the target via a LinkedIn connection request. In this case, the individual had spoofed the LinkedIn profile of an actual employee at an actual, legitimate business.
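As a defender-side illustration of the lure described above, here is an added triage script (not code from the post or from zvelo) that screens inbound sales-form submissions and the follow-up file-sharing notification for the signals the post calls out: a sender domain that does not match the domain known for the claimed company, a WeTransfer or Smash download link, a download password supplied in the message body, and RFP/PRD lure wording. The company directory, domains, e-mail addresses and message texts are constructed placeholders, and the file-sharing host match is a substring heuristic rather than an official host list.

```python
"""Triage heuristics for contact-form submissions and follow-up file-share
notifications, modelled on the EXOTIC LILY / Bumblebee lure described above.
Every sample value below is constructed; nothing here is real customer data."""

import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hypothetical allow-list: claimed company name -> domains known to belong to it.
# In practice this would be a CRM or vendor-directory lookup; these entries are
# placeholders, not companies or domains from the post.
KNOWN_COMPANY_DOMAINS = {
    "examplecorp": {"examplecorp.com"},
    "northwind": {"northwind.example"},
}

# File-sharing services named in the post. Substring matching on the host is an
# assumption made for this example, not a vetted list of service hostnames.
FILE_SHARE_TOKENS = ("wetransfer", "smash")

# Wording the post reports the lures use (request for proposal / product requirements).
LURE_TERMS = ("request for proposal", "rfp", "product requirement", "prd")

URL_RE = re.compile(r"https?://[^\s<>\"']+")
PASSWORD_RE = re.compile(r"\bpassword\s*[:=]?\s*\S+", re.IGNORECASE)


@dataclass
class Submission:
    claimed_company: str   # company name typed into the form / claimed in the thread
    sender_email: str      # address the message arrived from
    body: str              # free-text message


@dataclass
class Verdict:
    score: int
    reasons: list = field(default_factory=list)


def sender_domain(email: str) -> str:
    """Domain part of an e-mail address, lower-cased."""
    return email.rsplit("@", 1)[-1].lower().strip()


def share_links(text: str) -> list:
    """URLs in the text whose host looks like one of the file-sharing services."""
    links = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if any(tok in host for tok in FILE_SHARE_TOKENS):
            links.append(url)
    return links


def triage(sub: Submission) -> Verdict:
    """Score one message; higher means more of the post's warning signs are present."""
    v = Verdict(score=0)
    key = sub.claimed_company.lower().strip()
    dom = sender_domain(sub.sender_email)
    known = KNOWN_COMPANY_DOMAINS.get(key)
    if known is None:
        # The post's second case: the company/employee cannot be verified at all.
        v.score += 1
        v.reasons.append(f"claimed company '{sub.claimed_company}' not in directory")
    elif dom not in known:
        # The post's first case: the form's e-mail domain is not the company's real one.
        # A share notification from a third-party service inside a thread that claims
        # to be from the company is deliberately flagged the same way.
        v.score += 3
        v.reasons.append(f"sender domain {dom} does not match {sorted(known)}")
    links = share_links(sub.body)
    if links:
        v.score += 2
        v.reasons.append(f"file-sharing link(s): {links}")
        if PASSWORD_RE.search(sub.body):
            # A password handed out with the link keeps scanners from opening the file.
            v.score += 2
            v.reasons.append("download password supplied in message body")
    if any(term in sub.body.lower() for term in LURE_TERMS):
        v.score += 1
        v.reasons.append("RFP/PRD lure wording")
    return v


# Constructed samples: a spoofed form submission, a benign one, and the
# follow-up share notification with a link and password.
SAMPLES = [
    Submission("ExampleCorp", "r.nelson@examplecorp-sales.net",
               "Hi, we are looking for a quote, please see our request for proposal."),
    Submission("ExampleCorp", "r.nelson@examplecorp.com",
               "Hi, could you send pricing for 50 seats?"),
    Submission("ExampleCorp", "noreply@wetransfer.example",
               "Ryan shared 'Product Requirements.zip' with you.\n"
               "Download: https://wetransfer.example/downloads/abc123\n"
               "Password: Qz9-demo"),
]


def run_samples() -> list:
    """Scores for SAMPLES in order; expected [4, 0, 8] for the constructed inputs."""
    return [triage(s).score for s in SAMPLES]


if __name__ == "__main__":
    for s in SAMPLES:
        v = triage(s)
        print(f"{s.sender_email:35} score={v.score} {v.reasons}")
```

The score thresholds are illustrative; the useful part for a sales or help-desk inbox is the reasons list, which tells the person handling the thread exactly which of the post's warning signs (domain mismatch, third-party download link, password in the body, RFP/PRD wording) to check before opening anything.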
