  • Google ads push BumbleBee malware used by ransomware gangs

    alf9872000

    • 361 views
    • 3 minutes

    The enterprise-targeting Bumblebee malware is distributed through Google Ads and SEO poisoning that promote popular software like Zoom, Cisco AnyConnect, ChatGPT, and Citrix Workspace.

    Bumblebee is a malware loader discovered in April 2022, thought to have been developed by the Conti team as a replacement for the BazarLoader backdoor, used for gaining initial access to networks and conducting ransomware attacks.

    In September 2022, a new version of the malware loader was observed in the wild, featuring a stealthier attack chain that used the PowerSploit framework for reflective DLL injection into memory.

    Researchers at Secureworks have recently discovered a new campaign using Google advertisements that promote trojanized versions of popular apps to deliver the malware loader to unsuspecting victims.

    Hiding in popular apps

    One of the campaigns seen by Secureworks started with a Google ad that promoted a fake Cisco AnyConnect Secure Mobility Client download page created on February 16, 2023, and hosted on an "appcisco[.]com" domain.

    "An infection chain that began with a malicious Google Ad sent the user to this fake download page via a compromised WordPress site," explains Secureworks' report.

    Fake Cisco software download portal (Secureworks)

    This fake landing page promoted a trojanized MSI installer named "cisco-anyconnect-4_9_0195.msi" that installs the BumbleBee malware.

    Upon execution, the MSI drops two files on the user's computer: a copy of the legitimate program installer and a deceptively named PowerShell script (cisco2.ps1).

    Files dropped by the malicious MSI (Secureworks)

    The CiscoSetup.exe is the legitimate installer for AnyConnect, installing the application on the device to avoid suspicion.

    The PowerShell script, however, installs the BumbleBee malware and conducts malicious activity on the compromised device.

    "The PowerShell script contains a selection of renamed functions copied from the PowerSploit ReflectivePEInjection.ps1 script," explains Secureworks.

    "It also contains an encoded Bumblebee malware payload that it reflectively loads into memory."

    In other words, Bumblebee still relies on the same post-exploitation framework module to map the payload directly into memory, so the decoded Bumblebee binary never touches disk where file-based antivirus scanning would inspect it. Renaming the copied PowerSploit functions is a common way to sidestep signatures that match the original function names, which is why detection should key on what the script has to do (resolve Win32 memory and thread APIs, parse PE headers, decode a large embedded blob) rather than on what it calls its functions.

    Secureworks found other software packages with similarly named file pairs, such as ZoomInstaller.exe and zoom.ps1, ChatGPT.msi and chch.ps1, and CitrixWorkspaceApp.exe and citrix.ps1.
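    The following Python triage script is an added example and is not code from the article or from Secureworks. It scores a PowerShell script block (for instance the body of a Script Block Logging event) on the tells a reflective PE loader cannot easily rename (Win32 memory/thread API names, PE header fields, run-time P/Invoke, and a long base64 blob that decodes to an "MZ" header or to high-entropy bytes), and separately flags the installer-plus-.ps1 file pairs the article lists. The real cisco2.ps1 is not reproduced in the article, so the sample script block below is constructed to resemble the described artifact; it deliberately stops at a comment instead of mapping the PE, and the drop directories, the indicator lists and the scoring threshold are assumptions.

```python
"""Triage heuristics for a PowerShell reflective PE loader (added example).

Not Secureworks' or the article's code. Every string below is an assumption
about what such a loader contains; the samples are constructed, not captured.
"""
import base64
import math
import re
from collections import Counter
from pathlib import PureWindowsPath

# Win32 APIs a reflective loader must reach no matter how its PowerShell
# functions are renamed. Function names are a weak signal; these are not.
API_INDICATORS = (
    "VirtualAlloc", "VirtualProtect", "WriteProcessMemory", "CreateRemoteThread",
    "CreateThread", "NtCreateThreadEx", "GetProcAddress", "LoadLibrary",
)
# A script that walks DOS/NT headers and relocations is parsing a PE in memory.
PE_INDICATORS = (
    "e_lfanew", "IMAGE_DOS_HEADER", "IMAGE_NT_HEADERS", "IMAGE_BASE_RELOCATION",
    "AddressOfEntryPoint", "0x5A4D",
)
# Ways PowerShell reaches unmanaged code at run time.
DYNAMIC_CODE = ("Add-Type", "DefinePInvokeMethod",
                "GetDelegateForFunctionPointer", "DefineDynamicAssembly")
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{400,}={0,2}")
INSTALLER_EXT = {".exe", ".msi"}
LIKELY_THRESHOLD = 6  # assumed cut-off; tune against your own benign baseline


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted payloads sit well above 6."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def score_script_block(text: str) -> dict:
    """Score one PowerShell script block on loader tells that survive renaming."""
    result = {
        "win32_api": [a for a in API_INDICATORS if a in text],
        "pe_parsing": [p for p in PE_INDICATORS if p in text],
        "dynamic_code": [d for d in DYNAMIC_CODE if d in text],
        "embedded_blob": None,
    }
    # The encoded payload: a long base64 run that decodes to a PE ("MZ") or to
    # high-entropy bytes (an encrypted/compressed payload still to be unwrapped).
    for blob in B64_BLOB.findall(text):
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:
            continue
        info = {"length": len(raw), "mz_header": raw[:2] == b"MZ",
                "entropy": round(shannon_entropy(raw), 2)}
        if info["mz_header"] or info["entropy"] > 6.0:
            result["embedded_blob"] = info
            break
    score = (len(result["win32_api"]) + len(result["pe_parsing"])
             + 2 * len(result["dynamic_code"]) + (3 if result["embedded_blob"] else 0))
    result["score"] = score
    result["verdict"] = ("reflective_loader_likely" if score >= LIKELY_THRESHOLD
                         else "needs_review" if score else "no_indicators")
    return result


def suspicious_file_pairs(paths):
    """Flag an installer-looking binary dropped beside a .ps1 in the same directory
    (the CiscoSetup.exe + cisco2.ps1 pattern)."""
    by_dir = {}
    for p in map(PureWindowsPath, paths):
        by_dir.setdefault(str(p.parent).lower(), []).append(p)
    pairs = []
    for files in by_dir.values():
        installers = [f.name for f in files if f.suffix.lower() in INSTALLER_EXT]
        scripts = [f.name for f in files if f.suffix.lower() == ".ps1"]
        pairs.extend((i, s) for i in installers for s in scripts)
    return pairs


# --- Constructed samples (assumptions, not captured artifacts) ---------------
_PAYLOAD_B64 = base64.b64encode(b"MZ\x90\x00\x03\x00" + bytes(range(256)) * 2).decode()
SAMPLE_LOADER = f"""
function Invoke-Cisco2 {{
    $k32 = Add-Type -MemberDefinition @'
[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr a, uint s, uint t, uint p);
[DllImport("kernel32.dll")] public static extern bool VirtualProtect(IntPtr a, uint s, uint n, out uint o);
[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr a, uint s, IntPtr f, IntPtr p, uint c, IntPtr i);
'@ -Name k32 -PassThru
    $pe = [Convert]::FromBase64String('{_PAYLOAD_B64}')
    $e_lfanew = [BitConverter]::ToInt32($pe, 0x3C)
    # walk IMAGE_NT_HEADERS, map sections, apply relocations, call AddressOfEntryPoint
}}
Invoke-Cisco2
"""
SAMPLE_BENIGN = """
Get-ChildItem -Path 'C:\\Program Files' -Recurse -File |
    Where-Object { $_.Length -gt 10MB } | Export-Csv -Path big.csv
"""
SAMPLE_DROPPED = [  # drop directories are assumed, not stated in the article
    r"C:\Users\victim\AppData\Local\Temp\CiscoSetup.exe",
    r"C:\Users\victim\AppData\Local\Temp\cisco2.ps1",
    r"C:\Users\victim\Downloads\ZoomInstaller.exe",
    r"C:\Users\victim\Downloads\zoom.ps1",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDiagnostics\PSDiagnostics.psm1",
]

if __name__ == "__main__":
    print(score_script_block(SAMPLE_LOADER))
    print(score_script_block(SAMPLE_BENIGN)["verdict"])
    print(suspicious_file_pairs(SAMPLE_DROPPED))
```

    The scoring weights API names, PE-header fields and run-time P/Invoke separately so that a sample which renames every PowerSploit function still fires on all three classes, and the blob check tolerates a payload that is encrypted rather than plainly base64-encoded PE bytes by falling back to entropy. The obvious gap is a loader that resolves APIs by hash or ordinal and stages its payload from the network; for that, process-creation telemetry (msiexec.exe or the dropped installer spawning powershell.exe) is the complementary signal to collect.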

    A path to ransomware

    Because the trojanized software targets corporate users, infected devices are likely starting points for ransomware attacks.

    Secureworks examined one of the recent Bumblebee attacks closely and found that the threat actor used their access to the compromised system to move laterally in the network approximately three hours after the initial infection.

    The tools the attackers deployed in the breached environment include the Cobalt Strike post-exploitation framework, the AnyDesk and DameWare remote access tools, network scanning utilities, an AD database dumper, and a Kerberos credential stealer.

    This arsenal points to operators interested in mapping reachable hosts and services, stealing credentials, pivoting to other machines, exfiltrating data, and eventually deploying ransomware.

    Source

