Security researchers have discovered the spread of Bumblebee malware through malicious online ads.
According to a report by Secureworks, Bumblebee malware, which was initially discovered in March 2022, was mainly being distributed via phishing attacks to deliver ransomware.
However, the new findings highlight the use of trojanized software distributed via malicious Google Ads or SEO poisoning.
The Counter Threat Unit (CTU) at the cybersecurity firm found that Bumblebee was being distributed through trojanized installers for popular business software such as Zoom, Cisco AnyConnect, ChatGPT and Citrix Workspace.
Fake download pages, reached via malicious Google Ads, tricked end users into downloading and running the malicious loader themselves.
Bumblebee malware targeting remote workers
“Remote workers might be looking to install new software on their home IT setup. For a quick solution they could look online, rather than go through their tech team – if they even have one. But research shows that as many as one in every 100 adverts online contains malicious content,” said Mike McLellan, Director of Intelligence, Secureworks CTU.
“As people look for new tech or want to get involved with the hype around new tech like ChatGPT, Google is the place to go to find it. Malicious ads returned in search results are incredibly hard to spot, even for someone with deep technical knowledge.”
When users searched for these applications on Google or other search engines, the ads returned pointed to download pages for software that appeared legitimate but carried the Bumblebee payload, the report stated.
The article also describes the campaign as able to infect devices without the user clicking an ad, simply by loading a web page that carries a malicious ad. Note, however, that the infection chain documented above depends on the user downloading and running the trojanized installer.
As a loader, Bumblebee delivers follow-on payloads to the infected device: ransomware, spyware that grants full access to the system, or adware that floods the user with malicious pop-ups designed to be clicked.
Bumblebee factsheet
Bumblebee was first identified in March 2022 and has been delivered to users via phishing links and, more recently, Google Ads. In one incident investigated by CTU researchers, a Cisco AnyConnect VPN installer had been modified to carry Bumblebee, in a campaign targeting remote workers.
Once the loader ran, the attackers gained access to the system, deployed Cobalt Strike and a Kerberoasting script, and began moving laterally, all within an hour, before the intrusion was contained.
The attackers' apparent objective was to deploy ransomware; the incident was stopped before that stage.
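The Kerberoasting step in the incident above is one that defenders can pick up from domain controller telemetry: the attacker's script requests service tickets (Windows Security Event 4769) for many service-account SPNs in quick succession, typically asking for RC4-HMAC (encryption type 0x17) because those tickets are far cheaper to crack offline than AES. The following detection is an added example written for this page; it is not code from the Secureworks report or the article. The pipe-delimited record layout and the log lines themselves are constructed for illustration and stand in for the 4769 fields TimeCreated, TargetUserName, ServiceName, TicketEncryptionType and IpAddress.

```python
"""Flag Kerberoasting-style TGS request patterns in constructed Event 4769 records.

Added example: the record format and sample data are assumptions made for this
demonstration, not an export format of any real SIEM or of Windows itself.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Values as they appear in the 4769 TicketEncryptionType field.
RC4_HMAC = "0x17"


@dataclass(frozen=True)
class TgsRequest:
    when: datetime
    requester: str   # TargetUserName: the account asking for the ticket
    service: str     # ServiceName: the account/SPN the ticket is for
    etype: str       # TicketEncryptionType, normalised to lowercase hex
    source_ip: str   # IpAddress, with the IPv4-mapped prefix removed


def parse_4769(line: str) -> Optional[TgsRequest]:
    """Parse one 'time|eventid|requester|service|etype|ip' record (assumed layout)."""
    fields = line.strip().split("|")
    if len(fields) != 6 or fields[1] != "4769":
        return None
    ts, _, requester, service, etype, ip = fields
    return TgsRequest(datetime.fromisoformat(ts), requester, service,
                      etype.lower(), ip.removeprefix("::ffff:"))


def is_machine_or_krbtgt(service: str) -> bool:
    """Computer accounts ($) and krbtgt are not Kerberoasting targets; ignore them."""
    name = service.split("@")[0]
    return name.endswith("$") or name.lower().startswith("krbtgt")


def detect_kerberoasting(requests: list[TgsRequest], burst_threshold: int = 5,
                         window: timedelta = timedelta(seconds=60)) -> list[tuple]:
    """Return findings as tuples; the first element names the rule that fired."""
    findings: list[tuple] = []

    # Rule 1: an RC4 service ticket for a user-type service account. Attack
    # tooling downgrades to RC4 on purpose; AES-only domains should never see it.
    for r in requests:
        if r.etype == RC4_HMAC and not is_machine_or_krbtgt(r.service):
            findings.append(("rc4_service_ticket", r.requester, r.service, r.source_ip))

    # Rule 2: one requester collecting tickets for many distinct SPNs inside a
    # short sliding window, regardless of encryption type (catches AES roasting).
    by_requester: dict[str, list[TgsRequest]] = defaultdict(list)
    for r in requests:
        if not is_machine_or_krbtgt(r.service):
            by_requester[r.requester].append(r)
    for requester, reqs in by_requester.items():
        reqs.sort(key=lambda r: r.when)
        start = 0
        for end in range(len(reqs)):
            while reqs[end].when - reqs[start].when > window:
                start += 1
            distinct = {r.service for r in reqs[start:end + 1]}
            if len(distinct) >= burst_threshold:
                findings.append(("spn_enumeration_burst", requester, len(distinct),
                                 reqs[start].when.isoformat()))
                break  # one burst finding per requester is enough
    return findings


def analyze_log(text: str) -> list[tuple]:
    """Parse every record in the text and run both detection rules over them."""
    requests = [r for r in (parse_4769(l) for l in text.splitlines()) if r]
    return detect_kerberoasting(requests)


# Constructed sample: normal workstation/user activity, then a compromised user
# account pulling RC4 tickets for five service accounts in four seconds.
SAMPLE_4769_LOG = """\
2023-04-20T09:00:01|4769|WS042$@CORP.EXAMPLE|FILESRV01$|0x12|::ffff:10.0.0.42
2023-04-20T09:00:03|4769|jdoe@CORP.EXAMPLE|svc_web|0x12|::ffff:10.0.0.77
2023-04-20T09:14:10|4769|rsmith@CORP.EXAMPLE|svc_sql|0x17|::ffff:10.0.0.55
2023-04-20T09:14:11|4769|rsmith@CORP.EXAMPLE|svc_backup|0x17|::ffff:10.0.0.55
2023-04-20T09:14:11|4769|rsmith@CORP.EXAMPLE|svc_web|0x17|::ffff:10.0.0.55
2023-04-20T09:14:12|4769|rsmith@CORP.EXAMPLE|svc_sharepoint|0x17|::ffff:10.0.0.55
2023-04-20T09:14:14|4769|rsmith@CORP.EXAMPLE|svc_exchange|0x17|::ffff:10.0.0.55
2023-04-20T09:30:00|4769|jdoe@CORP.EXAMPLE|FILESRV01$|0x12|::ffff:10.0.0.77
"""

if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_4769_LOG):
        print(finding)
```

Against the constructed sample the RC4 rule fires five times and the burst rule once, both for the compromised account; the workstation and the ordinary user produce nothing. In a real environment the RC4 rule needs tuning: service accounts whose msDS-SupportedEncryptionTypes still permits RC4, or legacy applications that request it, will generate legitimate 0x17 tickets, so baseline those accounts before alerting, and treat the burst rule, which is encryption-agnostic, as the higher-confidence signal.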
Mitigating the risk posed by the Bumblebee malware
Organizations should adopt policies that prohibit employees from downloading software through links in search results or ads, including Google Ads, and should instead supply installers from vetted official channels or an internal software catalogue.
Calling the shift from phishing to Google Ads “not that surprising”, McLellan adds, “Adversaries follow the money and the easy route to success, and if this proves to be a better way of getting access to corporate networks then they will absolutely exploit it.”
“What it does highlight is the importance of having strict policies in place for restricting access to web ads as well as managing privileges on software downloads, as employees should not have privileges to install software on their work computers,” he concludes.