Google Ads Push BumbleBee Malware Used by Ransomware Gangs

Summary:
Researchers at Secureworks recently discovered a campaign that uses Google advertisements promoting trojanized versions of popular applications to deliver the Bumblebee malware loader to unsuspecting victims. Bumblebee was first observed in April 2022 and is believed to have been developed by the Conti team as a replacement for the BazarLoader backdoor; it is used to gain initial access to networks ahead of ransomware deployment. In the latest campaign, Secureworks found a Google ad promoting a fake download page for the Cisco AnyConnect Secure Mobility Client. The page was created on February 16, 2023 and hosted on the domain "appcisco[.]com". Researchers note that the ad first sent the user to a compromised WordPress site, which then redirected to the fake download page. Once downloaded and run, the installer executed a malicious PowerShell script designed to deploy Bumblebee on the system, while also installing a legitimate copy of the Cisco AnyConnect installer so that the victim would not notice anything amiss.

Secureworks also discovered similar pages containing fake downloads for software including Zoom, ChatGPT, and Citrix Workspace.
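The infection chain above (a lookalike download domain serving an installer that launches PowerShell) lends itself to two simple detections: a web-proxy check for hosts that borrow a vendor brand without belonging to that vendor, and a process-lineage check for installers spawning a shell. The following is an added example written for this summary, not code from Secureworks or BleepingComputer. The vendor allowlist, event field names, file names and sample telemetry are all assumptions constructed for illustration; the only real indicator it uses is the appcisco[.]com domain named above.

```python
"""Detection pass over constructed proxy and process-creation telemetry for the
campaign pattern described above. Added example; not Secureworks' or
BleepingComputer's code. Field names, allowlist and sample events are assumptions."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Brands the campaign impersonated, mapped to the registrable domains their
# installers legitimately come from. Illustrative allowlist, not an authoritative one.
VENDOR_DOMAINS: Dict[str, Set[str]] = {
    "cisco": {"cisco.com"},
    "zoom": {"zoom.us"},
    "citrix": {"citrix.com"},
    "chatgpt": {"openai.com"},
}

INSTALLER_PARENTS = {"msiexec.exe", "setup.exe"}   # installers rarely need a shell
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
INSTALLER_EXTS = (".msi", ".exe", ".zip")

# Flags commonly seen on loader-style PowerShell launches.
PS_FLAG_PATTERNS = {
    "execution_policy_bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)\b", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Adequate for the sample hosts; production
    code should consult the public suffix list instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_brand(host: str) -> Optional[str]:
    """Return the brand a host name borrows without belonging to that vendor."""
    host = host.lower()
    domain = registrable_domain(host)
    for brand, legit in VENDOR_DOMAINS.items():
        if brand in host and domain not in legit:
            return brand
    return None


def suspicious_ps_flags(cmdline: str) -> Set[str]:
    """Names of the loader-style flags present on a PowerShell command line."""
    return {name for name, pat in PS_FLAG_PATTERNS.items() if pat.search(cmdline)}


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (rule, subject, detail) findings for lookalike installer downloads
    and for installer processes that spawn a shell."""
    findings = []
    for ev in events:
        if ev["type"] == "proxy":
            brand = lookalike_brand(ev["host"])
            if brand and ev["path"].lower().endswith(INSTALLER_EXTS):
                findings.append(("lookalike_installer_download", ev["host"],
                                 f"impersonates {brand}"))
        elif ev["type"] == "process":
            if ev["parent"].lower() in INSTALLER_PARENTS and ev["image"].lower() in SHELLS:
                flags = ",".join(sorted(suspicious_ps_flags(ev["cmdline"]))) or "none"
                findings.append(("installer_spawned_shell", ev["endpoint"], f"flags={flags}"))
    return findings


# Constructed sample telemetry (not real logs). Paths, file names and endpoint
# names are invented; only appcisco.com comes from the reporting above.
SAMPLE_EVENTS = [
    {"type": "proxy", "host": "software.cisco.com", "path": "/pub/anyconnect-win.msi", "user": "alice"},
    {"type": "proxy", "host": "appcisco.com", "path": "/download/anyconnect-setup.msi", "user": "bob"},
    {"type": "process", "endpoint": "WS-042", "parent": "msiexec.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -ep bypass -w hidden -f C:\Users\bob\AppData\Local\Temp\helper.ps1"},
    {"type": "process", "endpoint": "WS-042", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
    {"type": "process", "endpoint": "WS-007", "parent": "msiexec.exe", "image": "setup-ui.exe",
     "cmdline": "setup-ui.exe"},
]

if __name__ == "__main__":
    for rule, subject, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {subject} ({detail})")
```

Run against the sample events, the pass flags the appcisco.com installer download and the msiexec.exe-to-powershell.exe launch with bypass and hidden-window flags, while leaving the legitimate Cisco download, the user-launched PowerShell and the installer's own child process alone. The brand-substring check is deliberately broad (it will also flag hosts such as "cisco-partner.example"), so in practice it belongs in a triage queue rather than a blocking control.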

“Considering that the trojanized software is targeting corporate users, infected devices make candidates for the beginning of ransomware attacks. Secureworks examined one of the recent Bumblebee attacks closely. They found that the threat actor leveraged their access to the compromised system to move laterally in the network approximately three hours after the initial infection. The tools the attackers deployed on the breached environment include the Cobalt Strike pen-test suite, the AnyDesk and DameWare remote access tools, network scanning utilities, an AD database dumper, and a Kerberos credentials stealer. This arsenal creates an attack profile that makes it very likely that the malware operators are interested in identifying accessible network points, pivoting to other machines, exfiltrating data, and eventually deploying ransomware”.

Analyst comments:
Compared with BazarLoader, Bumblebee is stealthier and harder for antivirus products to detect, because it includes more obfuscation and anti-analysis features. Accordingly, the release of Bumblebee in April 2022 was followed by a decline in attacks using BazarLoader, as cybercriminals shifted to the new loader to deliver their payloads. Until now, Bumblebee campaigns have been observed distributing the loader through phishing emails. The latest campaign, which relies on fake download pages promoted through search ads, shows that threat actors are looking for new ways to reach victims.

Mitigation:
Users should be cautious when downloading software from third-party websites, as threat actors are known to host such sites to infect victims. Installers should be obtained from the vendor's own site rather than from sponsored search results, and a download's publisher signature should be checked before it is run. Since Bumblebee is also distributed in phishing attacks, users should remain alert to emails containing malicious links or attachments.

Source:
https://www.bleepingcomputer.com