The ever-evolving world of cybersecurity has given rise to a new threat called BumbleBee malware. It is a dangerous tool used by ransomware gangs to infiltrate networks and launch attacks. Initially discovered in April 2022, the malware is believed to have been created by the Conti team to replace the BazarLoader backdoor.
A recent version of BumbleBee malware was found in the wild, with a more stealthy attack chain that uses the PowerSploit framework for reflective DLL injection into memory.
This lets the malware run from memory without being flagged by existing antivirus software, making it harder to detect and block.
BumbleBee malware distributed via SEO poisoning
Secureworks researchers uncovered a new campaign that promotes trojanized versions of popular apps and delivers the BumbleBee malware to unsuspecting victims via Google ads. The ads promote software like Zoom, Cisco AnyConnect, ChatGPT, and Citrix Workspace, redirecting users to fake download pages that prompt them to download a trojanized version of the software.
A fake Cisco AnyConnect Secure Mobility Client download page was created and hosted on the “appcisco.com” domain on February 16, 2023, according to Secureworks. Users were directed to this page from a compromised WordPress site by a malicious Google ad. The bogus landing page advertised a trojanized MSI installer called “cisco-anyconnect-4_9_0195.msi,” which installs the BumbleBee malware.
When the user runs the installer, a copy of the legitimate program installer and a PowerShell script with a deceptive name (cisco2.ps1) are copied to their computer. The legitimate AnyConnect installer installs the application on the device to avoid suspicion, while the PowerShell script installs the BumbleBee malware and conducts malicious activity on the compromised device.
The BumbleBee virus is aimed at corporate users
Corporate users are the primary targets of this trojanized software, which makes infected devices likely starting points for ransomware attacks. Secureworks discovered other software packages with similarly named file pairs: ZoomInstaller.exe and Zoom.ps1; ChatGPT.msi and chch.ps1; and CitrixWorkspaceApp.exe and Citrix.ps1.
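One defensive heuristic for the drop pattern described above (a legitimate installer and a renamed .ps1 written side by side, as in the Cisco, Zoom, ChatGPT and Citrix pairs) is to flag any process that writes an installer and a PowerShell script into the same directory within a short window. The example below is added here and is not code from the Secureworks report; the Sysmon-style event layout, paths, process names and timings are constructed assumptions for illustration.

```python
from datetime import datetime
from pathlib import PureWindowsPath

INSTALLER_EXT = {".msi", ".exe"}
SCRIPT_EXT = {".ps1"}

# Constructed Sysmon-style FileCreate (Event ID 11) records trimmed to the
# three fields the heuristic needs. Paths, times and process names are sample
# data, not artefacts from the campaign; only the dropped file names follow the text.
SAMPLE_EVENTS = [
    # Trojanized Cisco MSI: the real installer and cisco2.ps1 land together
    {"time": "2023-02-16T10:01:02", "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"C:\Users\jdoe\AppData\Local\Temp\acme\anyconnect-win-core.msi"},
    {"time": "2023-02-16T10:01:03", "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"C:\Users\jdoe\AppData\Local\Temp\acme\cisco2.ps1"},
    # Fake Zoom installer dropping the same kind of pair a few seconds apart
    {"time": "2023-02-16T11:30:00", "image": r"C:\Users\jdoe\Downloads\ZoomInstaller.exe",
     "target": r"C:\ProgramData\zm\ZoomInstallerFull.exe"},
    {"time": "2023-02-16T11:30:07", "image": r"C:\Users\jdoe\Downloads\ZoomInstaller.exe",
     "target": r"C:\ProgramData\zm\Zoom.ps1"},
    # Benign: a script written minutes after an installer, outside the window
    {"time": "2023-02-16T13:00:00", "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"C:\Temp\tool.msi"},
    {"time": "2023-02-16T13:05:00", "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"C:\Temp\cleanup.ps1"},
]


def find_installer_script_pairs(events, window_seconds=60):
    """Return (installer, script, process) triples where one process wrote an
    installer and a .ps1 into the same directory within window_seconds."""
    groups = {}  # (process, directory) -> [(time, path), ...]
    for ev in events:
        path = PureWindowsPath(ev["target"])
        key = (ev["image"].lower(), str(path.parent).lower())
        groups.setdefault(key, []).append((datetime.fromisoformat(ev["time"]), path))
    hits = []
    for (process, _), writes in groups.items():
        installers = [w for w in writes if w[1].suffix.lower() in INSTALLER_EXT]
        scripts = [w for w in writes if w[1].suffix.lower() in SCRIPT_EXT]
        for t_inst, inst in installers:
            for t_scr, scr in scripts:
                if abs((t_scr - t_inst).total_seconds()) <= window_seconds:
                    hits.append((str(inst), str(scr), process))
    return hits


if __name__ == "__main__":
    for inst, scr, process in find_installer_script_pairs(SAMPLE_EVENTS):
        print(f"ALERT: {process} wrote {inst} and {scr} within a minute")
```

The window keeps ordinary admin activity (a script saved in an install folder later) from firing; tune it to the installer telemetry you actually collect.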
Secureworks investigated a recent BumbleBee attack and found that the threat actor used their access to the compromised system to move laterally in the network three hours after the initial infection.
The attackers employed a range of tools, including the Cobalt Strike pen-testing suite, the AnyDesk and DameWare remote access tools, network scanning utilities, an AD database dumper, and a Kerberos credentials stealer.
This arsenal creates an attack profile that suggests the malware operators are interested in identifying vulnerable network points, pivoting to other machines, exfiltrating data, and eventually deploying ransomware. Corporate users should take precautions to protect their networks from these types of attacks.
Previous cases of hackers utilizing Google Ads
Cybercriminals have used Google Ads for years to spread malware and launch phishing attacks. Google removed over 2.7 billion bad ads in 2020 and blocked 1.2 million advertiser accounts for breaking its policies. Ads for malware distribution, phishing, and scams were among them.
In one notable case from 2019, cybercriminals used Google Ads to promote fake Ledger Live Chrome extensions that stole users’ cryptocurrency holdings. Similarly, in 2017, cybercriminals used Google Ads to promote a malware-infected version of the popular WhatsApp messaging app.
These examples demonstrate that cybercriminals not only use sophisticated methods, but also legitimate advertising channels to distribute malware and conduct phishing attacks. As more people work remotely and rely on software applications to collaborate, individuals and organizations must remain vigilant and aware of the risks associated with downloading and installing software from untrusted sources.