Threat Actors Poison Bing Search Results to Distribute Bumblebee Malware via ‘ManageEngine OpManager’ Queries


Threat actors leveraged SEO poisoning techniques to manipulate Bing search results, directing users querying for “ManageEngine OpManager” to a malicious domain, opmanager[.]pro.

This site distributed a trojanized MSI installer named ManageEngine-OpManager.msi, which covertly deployed the Bumblebee malware loader while installing legitimate software.

Bumblebee, first identified in late 2021 as an initial access tool associated with actors like EXOTIC LILY and TA578, utilizes a unique user-agent string and is often delivered via ISO files containing DLLs with custom loaders.


Emergence of SEO Poisoning Campaign

In this instance, the malware was embedded in msimg32.dll and executed through consent.exe, establishing command-and-control (C2) communications with dynamically generated domains via a domain generation algorithm (DGA).

This resurgence echoes prior reports, including a May 2025 Cyjax analysis of similar Bing-based poisoning impersonating IT tools, and aligns with Bumblebee’s evolution toward modular structures akin to TrickBot, as noted in 2022 ESET research.

The campaign’s targeting of privileged IT administrators searching for network management software facilitated rapid escalation, with Bumblebee fetching payloads like Cobalt Strike or, in this case, leading to Akira ransomware deployment.


Confirmation from Swisscom B2B CSIRT of a parallel intrusion via a trojanized Advanced-IP-Scanner.msi further underscores the campaign’s breadth, affecting multiple organizations and resulting in swift time-to-ransomware (TTR) metrics, ranging from nine hours in the Swisscom case to 44 hours in the observed incident.

Detailed Intrusion Analysis

According to the report, upon execution, the Bumblebee payload initiated C2 with IP addresses such as 109.205.195[.]211 and 188.40.187[.]145 using DGA domains like ev2sirbd269o5j.org.

Within hours, it deployed an AdaptixC2 beacon (AdgNsy.exe) for additional C2 to 172.96.137[.]160, enabling internal reconnaissance via commands like systeminfo, nltest /dclist:, and net group domain admins /dom.

Threat actors then created privileged accounts (e.g., backup_EA) and escalated privileges, laterally moving to domain controllers via RDP to dump NTDS.dit using wbadmin.exe for credential extraction.

Persistence was achieved through RustDesk installations, while an SSH reverse tunnel to 193.242.184[.]150 proxied further activity.

Discovery involved deploying a renamed SoftPerfect network scanner (n.exe) and querying Veeam PostgreSQL databases with psql.exe for stored credentials.

Data exfiltration occurred via FileZilla SFTP to 185.174.100[.]203, preceded by LSASS dumping using rundll32.exe with comsvcs.dll across multiple hosts.

The intrusion culminated in Akira ransomware (locker.exe) deployment, encrypting root and child domains with options targeting local drives and network shares.

This sequence highlights Bumblebee’s role in pre-ransomware ecosystems, as documented in historical analyses from Proofpoint and Microsoft, where it overlaps with tools like Sliver and Conti.

For detection, organizations should hunt for anomalous MSI executions from user directories spawning consent.exe, mixed-case command invocations for evasion, and rapid enumeration sequences.

Behavioral rules correlating MSI installs with discovery, credential access, and lateral movement within 24 hours can enhance threat hunting, while monitoring DGA patterns and SSH tunneling provides proactive defense against such initial access brokers.
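As an added illustration (not code from the article or from any vendor's detection content), the hunting logic described above can be expressed as a few correlation rules over constructed Sysmon-style process-creation events; the event fields, time windows, rule names and sample commands are assumptions chosen to mirror the behaviours the article lists.

```python
import re
from datetime import datetime, timedelta
# Discovery commands named in the report (systeminfo, nltest, net) plus common peers.
DISCOVERY = {"systeminfo", "nltest", "net", "whoami", "ipconfig"}
USER_DIR = re.compile(r"\\users\\", re.I)
# Constructed Sysmon-style process-creation events; not real telemetry from the incident.
EVENTS = [
    {"ts": "2025-10-01T09:00:00", "host": "WS01", "parent": r"C:\Windows\explorer.exe",
     "cmd": r'msiexec.exe /i "C:\Users\alice\Downloads\ManageEngine-OpManager.msi"'},
    {"ts": "2025-10-01T09:00:05", "host": "WS01", "parent": r"C:\Windows\System32\msiexec.exe",
     "cmd": "consent.exe"},
    {"ts": "2025-10-01T11:30:00", "host": "WS01", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": "SysTemInfO"},
    {"ts": "2025-10-01T11:31:00", "host": "WS01", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": "nltest /dclist:"},
    {"ts": "2025-10-01T11:32:00", "host": "WS01", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": 'net group "domain admins" /dom'},
]

def first_token(cmd):
    # Executable name without path, quotes or .exe, case preserved for the mixed-case check.
    tok = cmd.strip().split()[0].strip('"').rsplit("\\", 1)[-1]
    return re.sub(r"\.exe$", "", tok, flags=re.I)

def hunt(events):
    """Return (rule, host, detail) findings, each rule firing at most once per host."""
    findings, fired, msi_seen, disc = [], set(), {}, {}
    def emit(rule, host, detail):
        if (rule, host) not in fired:
            fired.add((rule, host)); findings.append((rule, host, detail))
    for e in sorted(events, key=lambda e: e["ts"]):
        host, t, cmd = e["host"], datetime.fromisoformat(e["ts"]), e["cmd"]
        tok = first_token(cmd)
        # Rule 1: MSI run from a user profile directory, later spawning consent.exe
        if tok.lower() == "msiexec" and USER_DIR.search(cmd):
            msi_seen[host] = t
        elif tok.lower() == "consent" and e["parent"].lower().endswith("msiexec.exe") and host in msi_seen:
            emit("msi_user_dir_spawns_consent", host, cmd)
        elif tok.lower() in DISCOVERY:
            # Rule 2: evasive mixed-case spelling of a discovery command (e.g. SysTemInfO)
            if re.search(r"[a-z][A-Z]", tok):
                emit("mixed_case_discovery", host, tok)
            disc.setdefault(host, []).append((t, tok.lower()))
            # Rule 3: three distinct discovery commands on one host within 10 minutes
            recent = {c for tt, c in disc[host] if t - tt <= timedelta(minutes=10)}
            if len(recent) >= 3:
                emit("rapid_enumeration", host, ",".join(sorted(recent)))
            # Rule 4: discovery following the suspicious MSI install within 24 hours
            if host in msi_seen and t - msi_seen[host] <= timedelta(hours=24):
                emit("msi_then_discovery_24h", host, tok)
    return findings
```

Running `hunt(EVENTS)` on the constructed sample yields one finding per rule; in production the same logic would be fed from EDR or Sysmon event ID 1 telemetry rather than an inline list.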

Indicators of Compromise (IOCs)

