A New Malware Buzzing with Danger: Bumblebee Takes Flight

Published On Fri May 12 2023

Bumblebee Malware Flies on the Wings of Zoom and ChatGPT

The Bumblebee malware, discovered in spring 2022 and preferred by ransomware gangs, is spreading through malicious online advertisements on Google, according to the Secureworks Counter Threat Unit (CTU).

The ads in question pose as download links for popular software such as Cisco AnyConnect, Citrix Workspace, Zoom, and ChatGPT. Unwary users searching for the legitimate software are sent by these ads to fake download pages and tricked into installing Bumblebee.

The CTU team has seen an increase in attacks involving trojanised software distributed via malicious ads on Google. Cybercriminals have increasingly been using search engine optimisation (SEO) poisoning to push malicious content high up in search rankings. Although only about one in every 100 online ads contains malicious content, a malicious ad returned among search results is difficult to distinguish from a legitimate one.

One unfortunate user was tricked into clicking a Google ad to download a legitimate Cisco AnyConnect VPN installer that had been modified to deliver Bumblebee. Within a few hours, a threat actor had accessed the system, deployed the Cobalt Strike post-exploitation framework, conducted a Kerberoasting attack, and attempted lateral movement. Network defenders were able to detect and stop the attack before it developed into something much worse.
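The Kerberoasting step in the intrusion above is one of the few parts of the chain that leaves a clean signal on the domain controller: Windows Security Event ID 4769 (a Kerberos service ticket was requested) records the requesting account, the target service account and the ticket encryption type. The following is an added example, not Secureworks' detection logic or anything from the incident, showing one common heuristic run over constructed 4769 records: a single account obtaining RC4-HMAC (encryption type 0x17) service tickets for many distinct service accounts within a short window. The field names, the five-minute window and the threshold of five services are assumptions chosen for illustration.

```python
"""Added example: flag Kerberoasting-like activity in Windows Security
Event ID 4769 (Kerberos service ticket requested) records.

Heuristic (an assumption about what defenders commonly alert on, not the
detection used in the incident described above): one account obtains
RC4-HMAC service tickets for >= threshold distinct service accounts within
a short window. RC4 tickets are the attacker's preference because the
service account's NT hash can be brute-forced offline from the ticket.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # TicketEncryptionType value for RC4-HMAC in Event 4769
SUCCESS = "0x0"     # Status (Kerberos result code) for a granted ticket

# Constructed sample 4769 records; field names are assumed, not the raw XML.
SAMPLE_EVENTS = [
    {"time": "2023-04-05T10:01:00", "account": "jdoe@CORP.LOCAL", "service": "svc_sql", "etype": "0x17", "status": "0x0"},
    {"time": "2023-04-05T10:01:05", "account": "jdoe@CORP.LOCAL", "service": "svc_web", "etype": "0x17", "status": "0x0"},
    {"time": "2023-04-05T10:01:10", "account": "jdoe@CORP.LOCAL", "service": "svc_backup", "etype": "0x17", "status": "0x0"},
    {"time": "2023-04-05T10:01:15", "account": "jdoe@CORP.LOCAL", "service": "svc_exchange", "etype": "0x17", "status": "0x0"},
    {"time": "2023-04-05T10:01:20", "account": "jdoe@CORP.LOCAL", "service": "svc_report", "etype": "0x17", "status": "0x0"},
    {"time": "2023-04-05T10:01:25", "account": "jdoe@CORP.LOCAL", "service": "svc_sharepoint", "etype": "0x17", "status": "0x0"},
    # krbtgt and machine-account ($) targets are normal traffic, not roastable
    {"time": "2023-04-05T10:01:30", "account": "jdoe@CORP.LOCAL", "service": "krbtgt", "etype": "0x17", "status": "0x0"},
    {"time": "2023-04-05T10:01:35", "account": "jdoe@CORP.LOCAL", "service": "WS07$", "etype": "0x17", "status": "0x0"},
    # ordinary user: one AES ticket and two RC4 tickets, well under threshold
    {"time": "2023-04-05T10:03:00", "account": "asmith@CORP.LOCAL", "service": "svc_sql", "etype": "0x12", "status": "0x0"},
    {"time": "2023-04-05T10:03:10", "account": "asmith@CORP.LOCAL", "service": "svc_web", "etype": "0x17", "status": "0x0"},
    {"time": "2023-04-05T10:03:20", "account": "asmith@CORP.LOCAL", "service": "svc_sql", "etype": "0x17", "status": "0x0"},
    # a failed request yields no ticket to crack, so it is not counted
    {"time": "2023-04-05T10:05:00", "account": "jdoe@CORP.LOCAL", "service": "svc_hr", "etype": "0x17", "status": "0x1f"},
]


def is_roastable_request(event):
    """True for a granted RC4 service ticket whose target is a user-style
    service account (not krbtgt and not a machine account ending in $)."""
    service = event["service"]
    return (event["etype"].lower() == RC4_HMAC
            and event["status"].lower() == SUCCESS
            and service.lower() != "krbtgt"
            and not service.endswith("$"))


def find_kerberoasting(events, window=timedelta(minutes=5), threshold=5):
    """Return {account: sorted distinct services} for every account that
    obtained RC4 tickets for at least `threshold` distinct service accounts
    inside some `window`-long span."""
    by_account = defaultdict(list)
    for e in events:
        if is_roastable_request(e):
            by_account[e["account"]].append((datetime.fromisoformat(e["time"]), e["service"]))

    hits = {}
    for account, reqs in by_account.items():
        reqs.sort()  # chronological; sliding window starts at each request
        for i, (start, _) in enumerate(reqs):
            services = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(services) >= threshold:
                hits[account] = sorted(services)
                break
    return hits


if __name__ == "__main__":
    for account, services in find_kerberoasting(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {account}: "
              f"{len(services)} RC4 service tickets ({', '.join(services)})")
```

The RC4 filter is the usual trade-off: it keeps the alert quiet in environments where RC4 is still enabled, but an attacker who requests AES tickets (encryption types 0x11/0x12) slips past it, so the same sliding-window count run without the encryption-type condition, at a higher threshold, is a reasonable second rule. In the intrusion described above the Kerberoasting followed within hours of the trojanised installer running, so an alert like this is worth correlating with fresh installs from browser downloads on the requesting user's workstation.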

The shift from phishing to Google ads is not surprising: adversaries follow the money and the easiest route to success. The Secureworks team recommends that organisations protect their staff and networks by implementing restrictions and controls that limit users' ability to click on Google adverts. Companies should also ensure that software installers and updates are downloaded only from trusted and verified websites.

As threat actors ramp up their use of online ads and SEO poisoning, organisations must take measures to protect their networks, with particular attention to remote users who browse and install software outside the corporate perimeter. Malicious ads are an easy way to fool users because they appear legitimate and are hard to tell apart from genuine ones. Organisations therefore need strict policies that restrict access to web ads and control software installation: employees should not have the privilege to install software on their work computers.