Security Researchers found a new malware called Bumblebee malware that targets users through Google Ads.
Bumblebee is a malware loader discovered in April 2022, thought to have been developed by the Conti team as a replacement for the BazarLoader backdoor, used for gaining initial access to networks and conducting ransomware attacks.
The ads in question are linked to popular and high-profile applications, including many favoured by remote workers such as Cisco AnyConnect, Citrix Workspace and Zoom, but also generative artificial intelligence (AI) plaything ChatGPT.
One of the attacks observed by Secureworks relied on a legitimate Cisco AnyConnect VPN installer modified to contain the Bumblebee malware.
Attackers trick end users looking for genuine software into installing the malicious loader through malicious Google Ads that lead to fake download pages.
In Securework’s recent 2022 State of the Threat report, it discovered an increase in attacks of trojanized software that are being distributed via Google Ads or SEO poisoning, and Bumblebee is just one of many experimenting with this increasingly popular method.
“An infection chain that began with a malicious Google Ad sent the user to this fake download page via a compromised WordPress site,” explains SecureWorks’ report.
The malware’s reaches are far beyond the search engine, with examples found across many popular business apps like Zoom, Cisco AnyConnect, ChatGPT, and Citrix Workspace. Victims installing what they think is legitimate software from the fake download pages then get infected with the malware.
However, the PowerScrip script installs the BumbleBee malware and conducts malicious activity on the compromised device.
A threat actor was inside their system within hours, deploying additional tools such as Cobalt Strike and Kerberoasting script, attempting to move laterally.
Beyond this, workers are advised to create their path direct to the legitimate website rather than follow a stream of links or ads – or to entirely remove themselves from the process and request that their company’s IT team takes over.
Considering that the trojanized software is targeting corporate users, infected devices make candidates for the beginning of ransomware attacks.
Security researchers suggest organizations ensure software installers and updates are only downloaded from trusted and verified websites.