Google Ads Deliver Bumblebee Malware

Threat actors frequently employ malicious Google Ads and SEO poisoning to spread malware.

Recently, Secureworks’ Counter Threat Unit (CTU) researchers reported that Cyber attackers are actively using Google Ads and SEO poisoning to distribute the Bumblebee malware, which targets enterprises and is disguised as popular applications such as:-

  • Zoom
  • Cisco AnyConnect
  • ChatGPT
  • Citrix Workspace

In April 2022, Bumblebee, a malware loader, was uncovered as a potential successor to BazarLoader, the Conti group’s previous backdoor.

Bumblebee Malware

Bumblebee, a modular loader, has typically been delivered via phishing and used to distribute payloads linked to ransomware operations.

Trojanizing popular or remote work-related software installers heightens the probability of new infections. Apart from this, CTU researchers examined a Bumblebee sample which is obtained from:-

  • http[:]//appcisco[.]com/vpncleint/cisco-anyconnect-4_9_0195.msi

A threat actor made a fake download page for Cisco AnyConnect Secure Mobility Client v4.x on appcisco[.]com around February 16, 2023.

A compromised WordPress site was used to redirect the user from a malicious Google Ad to the fake download page, starting an infection chain.

Technical Analysis

The BumbleBee malware is installed through the following trojanized MSI installer that is promoted on the fake landing page:-

  • cisco-anyconnect-4_9_0195.msi

When executed, the user’s computer receives a disguised PowerShell script (cisco2.ps1) and a legitimate program installer.

AnyConnect’s genuine installer, CiscoSetup.exe, installs the application on the device inconspicuously, while the PowerScrip script deploys BumbleBee malware and then on the infiltrated device executes malicious activities.

A Bumblebee malware payload, encoded in the PowerShell script, is reflectively loaded into memory, along with renamed functions from the PowerSploit ReflectivePEInjection.ps1 script.

To inject malware into memory, Bumblebee uses the same post-exploitation framework module, enabling it to evade the existing antivirus products without raising any security alarm.

While there are other software packages were also identified by the cybersecurity researchers at Secureworks with similar named file pairs, such as:-

  • ZoomInstaller.exe and zoom.ps1
  • ChatGPT.msi and chch.ps1
  • CitrixWorkspaceApp.exe and citrix.ps1

Mitigation

Here below, we have mentioned all the recommended mitigations:-

  • Only download software installers and updates from known, official, and trusted websites.
  • Ensure that computer users are not allowed to install software and run scripts.
  • To prevent the execution of malware, security tools like AppLocker must be used and enabled.
  • Make sure to use a reputed antivirus solution.
  • Ensure regular backups of your data.

Building Your Malware Defense Strategy – Download Free E-Book

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.