Threat Actors Deploy Bumblebee Malware via Poisoned Bing SEO Results
A newly identified cyberattack campaign has revealed the persistent and evolving threat of Bumblebee malware, a sophisticated downloader first discovered in 2022 and linked to ransomware groups like Conti.
According to a recent report by Cyjax, threat actors have orchestrated a cunning SEO poisoning scheme targeting users of the Bing search engine.
This campaign leverages fake download websites mimicking legitimate software packages, specifically WinMTR, an open-source network diagnostic tool, and Milestone XProtect, a video management software.
By crafting domains closely resembling the authentic ones, such as replacing “milestonesys[.]com” with “milestonesys[.]org”, attackers trick users into downloading malicious installers that deploy Bumblebee malware.
This operation highlights a calculated shift in tactics, focusing on niche software tools often used in technical environments, which may be harder for users to verify.
Sophisticated SEO Poisoning Campaign
Delving into the mechanics of this campaign, the attackers have optimized their malicious sites to rank at the top of Bing search results for queries like “WinMTR download” and “Milestone XProtect download” through SEO poisoning.

Hosted on a Truehost Cloud server in Nairobi, these sites appear as legitimate templates at first glance, with some assets redirecting to unrelated services as a cover.
However, when accessed via Bing’s referral links, the sites present near-perfect replicas of the official download pages, substituting genuine files with Trojanized MSI installers.
These installers, hosted on an external domain “software-server[.]online,” deliver both legitimate executables and malicious components, including a DLL named “version.dll” and an outdated, suspiciously signed binary “icardagt.exe.”
Technical Breakdown of the Attack Mechanism
Upon execution via msiexec.exe, the malware initiates connections to a series of Bumblebee command-and-control (C2) domains, characterized by 13-character strings with the “.life” TLD.
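As an added defensive example (not from the Cyjax report or this article), the following Python scanner flags DNS query records that match the 13-character “.life” C2 naming pattern described above, the defanged domains listed in the article's IoC table, and TLD-swapped lookalikes of the legitimate milestonesys.com domain. The log line format and all sample lines are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Pattern reported for this campaign's C2 domains: a 13-character label under .life
BUMBLEBEE_C2_RE = re.compile(r"^[a-z0-9]{13}\.life$")

# Legitimate vendor domain named in the article; the campaign swapped its TLD
KNOWN_VENDOR_DOMAINS = {"milestonesys.com"}

# Phishing and download domains from the article's IoC table (defanging removed)
KNOWN_BAD_DOMAINS = {"winmtr.org", "milestonesys.org", "software-server.online"}


def classify_domain(domain: str) -> Optional[str]:
    """Return a verdict label for a queried domain, or None if nothing matched."""
    d = domain.lower().replace("[.]", ".").rstrip(".")
    if d in KNOWN_BAD_DOMAINS:
        return "known-ioc"
    if BUMBLEBEE_C2_RE.match(d):
        return "bumblebee-c2-pattern"
    # Same leading label as a known vendor domain but a different TLD
    label = d.split(".")[0]
    for vendor in KNOWN_VENDOR_DOMAINS:
        if d != vendor and label == vendor.split(".")[0]:
            return "tld-swap-lookalike"
    return None


def scan_dns_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Scan constructed log lines of the form '<ts> <client> query <domain>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query":
            continue
        verdict = classify_domain(parts[3])
        if verdict:
            hits.append((parts[1], parts[3], verdict))
    return hits


# Constructed sample log; milestonesys.net is an invented lookalike, not a real indicator
SAMPLE_LOG = [
    "2025-06-01T10:00:01Z 10.0.0.5 query milestonesys.com",
    "2025-06-01T10:00:09Z 10.0.0.5 query milestonesys.org",
    "2025-06-01T10:00:12Z 10.0.0.5 query software-server.online",
    "2025-06-01T10:00:40Z 10.0.0.5 query 19ak90ckxyjxc.life",
    "2025-06-01T10:00:41Z 10.0.0.5 query o2u1xbm9xoq4p.life",
    "2025-06-01T10:01:00Z 10.0.0.7 query milestonesys.net",
    "2025-06-01T10:01:03Z 10.0.0.7 query example.life",
]

if __name__ == "__main__":
    for client, domain, verdict in scan_dns_log(SAMPLE_LOG):
        print(f"{client} {domain} -> {verdict}")
```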

This attack’s lineage ties back to earlier Bumblebee campaigns targeting software like Zoom and ChatGPT, but the pivot to lesser-known tools underscores a strategic evolution aimed at exploiting trust in obscure, specialized applications.
The implications of this campaign are significant, as Bumblebee’s ability to act as a gateway for additional payloads makes it particularly dangerous in developer environments where privileged access could be leveraged for broader attacks or data theft.
Comparing this to a 2023 campaign, the shift from mainstream software to niche tools suggests attackers are refining their approach to evade scrutiny.
The high placement in Bing’s search results also serves as a stark reminder that users cannot rely solely on search engine rankings to determine legitimacy.
Cybersecurity experts urge vigilance: cross-referencing sources across multiple browsers or trusted third-party platforms is essential before downloading and installing software.
As threat actors continue to adapt, this campaign underscores the need for heightened awareness and robust validation practices to counter increasingly deceptive social engineering tactics.
Indicators of Compromise (IoC)
Type | Indicator
---|---
Phishing Sites | winmtr[.]org, milestonesys[.]org
Download Site | software-server[.]online
Bumblebee C2 Domains | 19ak90ckxyjxc[.]life, o2u1xbm9xoq4p[.]life (and others)
version.dll (MD5) | a67fa1a060c07934c3de8612aaa0ebc2
WinMTR.msi (SHA256) | 31dd6d070a65a648b2be9ea2edc9efca26762c3875a8dde2d018eb064bc41e32
Milestone_XProtect.msi (SHA256) | c6d5d2fff2cc422aca6dd5538f8351b8f2107a07a0df1f3ad8d69b050951ca1e