A new malware campaign utilizing Google ads and SEO poisoning has been discovered. Dubbed Bumblebee, this malware targets corporate users. It is through Google Ads and SEO poisoning that promote popular software. These software may inlcude Zoom, Cisco AnyConnect, ChatGPT, and Citrix Workspace. The malware meant to replace BazarLoader backdoor. BazarLoader helps to gain initial access to networks. It leads to ransomware attacks as per a leading security firm.
Bumblebee Malware and Attack Chain
Bumblebee is a malware loader. It was first came in April 2022. Conti team develop it. In September 2022, a new version of the malware loader was discovered in the wild, featuring a stealthier attack chain. This new attack chain uses the PowerSploit framework. It is for reflective DLL injection into memory to avoid raising any alarms from existing antivirus products.
Malware Distribution through Google Ads
The researchers also cmae to know a new campaign that uses Google advertisements. These advertisments promote trojanized versions of popular apps, delivering the malware loader to unsuspecting victims. One of the campaigns seen with a Google ad promoting a fake Cisco AnyConnect Secure Mobility Client download page. The page was created on February 16, 2023, and hosted on an “appcisco[.]com” domain. The malicious Google Ad sent the user to this fake download page via a compromised WordPress site. The fake landing page promoted a trojanized MSI installer named “cisco-anyconnect-4_9_0195.msi” that installs the BumbleBee malware.
Malicious Activities Conducted by Malware
Once the MSI installer is set, a copy of the legitimate program installer and a PowerShell script “cisco2.ps1” are copied to the victim’s computer. The CiscoSetup.exe is the legitimate installer for AnyConnect, installing the application on the device to avoid suspicion. However, the PowerScrip script installs the BumbleBee malware and conducts malicious activities on the compromised device.
The PowerShell script contains a selection of renamed functions copied from the PowerSploit ReflectivePEInjection.ps1 script, and it also contains an encoded Bumblebee malware payload that it reflectively loads into memory. The malware still uses the same post-exploitation framework module to load the malware into memory without raising any alarms from existing antivirus products.
Trojanized Software Targets Corporate Users
Experts found other software packages with similarly named file pairs like ZoomInstaller.exe and zoom.ps1, ChatGPT.msi and chch.ps1, and CitrixWorkspaceApp.exe and citrix.ps1. Considering that the trojanized software is targeting corporate users, infected devices make candidates for the beginning of ransomware attacks.
Tools Used by Attackers for Bumblebee Malware
Experts examined one of the recent Bumblebee attacks closely and found that the threat actor leveraged their access to the compromised system to move laterally in the network approximately three hours after the initial infection. The tools the attackers deployed on the breached environment include the Cobalt Strike pen-test suite, the AnyDesk and DameWare remote access tools, network scanning utilities, an AD database dumper, and a Kerberos credentials stealer.
This arsenal creates an attack profile. It makes it very likely that the malware operators are keen in identifying accessible network points, pivoting to other machines, exfiltrating data, and eventually deploying ransomware.
Conclusion
The Bumblebee malware campaign is an example of the techniques of ransomware gangs to infect networks and conduct ransomware attacks. The use of Google Ads to distribute malware is particularly concerning as it shows that attackers are leveraging legitimate advertising platforms to reach new victims. It is essential to recognize the risks posed by such campaigns and take appropriate measures to secure systems and networks. Companies must ensure they have robust security measures in place to detect and prevent such attacks. The best defense against these sophisticated attacks remains vigilance and training in cybersecurity best practices.
