BumbleBee malware used by ransomware gangs pushed by Google ads

BumbleBee malware uses Google Ads to target enterprises


The world of cybersecurity is constantly changing, with new threats appearing all the time. The BumbleBee malware is one such threat, a dangerous tool used by ransomware gangs to gain initial access to networks and conduct attacks. The malware was discovered in April 2022 and is thought to have been created by the Conti team to replace the BazarLoader backdoor.

A new version of the BumbleBee malware was recently discovered in the wild with a stealthier attack chain that uses the PowerSploit framework for reflective DLL injection into memory. Because the malware is loaded directly into memory rather than written to disk as a conventional executable, existing antivirus products are less likely to detect it, making detection and prevention more difficult.

Google Ads and SEO poisoning used to distribute BumbleBee malware

Secureworks[1] researchers have discovered a new campaign that promotes trojanized versions of popular apps and delivers the BumbleBee malware to unsuspecting victims via Google advertisements. The advertisements promote software such as Zoom, Cisco AnyConnect, ChatGPT, and Citrix Workspace and redirect users to bogus download pages where they are prompted to download a trojanized version of the software.

On February 16, 2023, a fake Cisco AnyConnect Secure Mobility Client download page was created and hosted on an “appcisco.com” domain, according to Secureworks. A malicious Google ad directed users to this page via a compromised WordPress site. The bogus landing page advertised a trojanized MSI installer called “cisco-anyconnect-4 9 0195.msi,” which installs the BumbleBee malware.

When the user runs the installer, a copy of the legitimate program installer and a PowerShell script with the deceptive name cisco2.ps1 are written to their computer. To avoid suspicion, the legitimate AnyConnect installer installs the application on the device as expected. The PowerShell script, meanwhile, installs the BumbleBee malware and carries out the malicious activity on the compromised device.

BumbleBee malware targeting corporate users

The trojanized software distributed via Google ads and SEO poisoning is primarily aimed at corporate users, making infected devices prime targets for the start of ransomware attacks. Other software packages with similarly named file pairs discovered by Secureworks include ZoomInstaller.exe and zoom.ps1, ChatGPT.msi and chch.ps1, and CitrixWorkspaceApp.exe and citrix.ps1.
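As an added defender-side example (not code from the article or from Secureworks): a small Python check over constructed process-creation records that flags the drop pattern described above, either a PowerShell script launched by an installer process or one of the lure script names listed. The record format, file paths and the simple regexes are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation records, not real telemetry.
# Each tuple: (parent image, child image, child command line).
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\msiexec.exe", PS,
     "powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\bob\\AppData\\Local\\Temp\\cisco2.ps1"),
    ("C:\\Users\\bob\\Downloads\\ZoomInstaller.exe", PS,
     "powershell.exe -w hidden -File C:\\Users\\bob\\Downloads\\zoom.ps1"),
    ("C:\\Windows\\explorer.exe", PS,
     "powershell.exe -File C:\\Scripts\\inventory.ps1"),          # benign admin script
    ("C:\\Users\\bob\\Downloads\\CitrixWorkspaceApp.exe", PS,
     "powershell.exe -File C:\\Users\\bob\\AppData\\Local\\Temp\\update.ps1"),
    ("C:\\Windows\\System32\\msiexec.exe",
     "C:\\Program Files (x86)\\Cisco\\Cisco AnyConnect Secure Mobility Client\\vpnui.exe", "vpnui.exe"),
]

# Script names reported alongside the trojanized installers in the article.
LURE_SCRIPTS = {"cisco2.ps1", "zoom.ps1", "chch.ps1", "citrix.ps1"}
# Heuristic for "the parent looks like an installer" (assumed, tune for your environment).
INSTALLER_RE = re.compile(r"(msiexec\.exe|installer|setup|workspaceapp)", re.I)
# Pull the script path out of a "-File <path>.ps1" argument.
SCRIPT_RE = re.compile(r"-file\s+\"?([^\s\"]+\.ps1)", re.I)

@dataclass
class Finding:
    reason: str
    script: str
    parent: str

def inspect(parent: str, child: str, cmdline: str):
    """Return a Finding if the record matches the installer-drops-PowerShell pattern, else None."""
    if not child.lower().endswith("powershell.exe"):
        return None
    m = SCRIPT_RE.search(cmdline)
    if not m:
        return None
    script = m.group(1).rsplit("\\", 1)[-1].lower()
    if script in LURE_SCRIPTS:
        return Finding("known lure script name", script, parent)
    if INSTALLER_RE.search(parent):
        return Finding("PowerShell script launched by an installer", script, parent)
    return None

def scan(events):
    """Run inspect() over every record and keep only the hits."""
    return [f for f in (inspect(*e) for e in events) if f]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.reason}: {f.script} (parent {f.parent})")
```

The known-name list is only useful against this campaign; the parent-process rule is the durable part, and in practice it should be joined with the file-creation event for the installer copy that the article describes.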

Secureworks investigated a recent BumbleBee attack and discovered that the threat actor used their access to the compromised system to move laterally in the network three hours after the initial infection. The attackers employed a variety of tools, including the Cobalt Strike pen-testing suite, the AnyDesk and DameWare remote access tools, network scanning utilities, an AD database dumper, and a Kerberos credentials stealer.

This arsenal generates an attack profile that indicates that the malware operators are likely to be interested in identifying vulnerable network points, pivoting to other machines, exfiltrating data, and eventually deploying ransomware. Corporate users should be especially cautious and take precautions to protect their networks from these types of attacks.

Previous instances of cybercriminals using Google Ads

Cybercriminals have long used Google Ads to spread malware and launch phishing attacks. Google removed over 2.7 billion bad ads in 2020[2] and blocked 1.2 million advertiser accounts for breaking its policies. Ads for malware distribution, phishing, and scams were among them.

In one notable case from 2019, cybercriminals used Google Ads to promote fake Ledger Live Chrome extensions that stole users' cryptocurrency holdings.[3] Victims who clicked on the malicious ads were taken to a bogus Ledger website, where they were asked to install a bogus extension. Once installed, this extension would prompt users to enter their 24-word recovery phrase, allowing the attackers to steal their cryptocurrency.

Similarly, in 2017, cybercriminals used Google Ads to promote a malware-infected version of the popular WhatsApp messaging app. Before Google removed the fake app, called “Update WhatsApp Messenger,”[4] it had been downloaded over a million times.

These examples demonstrate that cybercriminals not only use sophisticated methods, but also legitimate advertising channels to distribute malware and conduct phishing attacks. As more people work remotely and rely on software applications to collaborate, individuals and organizations must remain vigilant and aware of the risks associated with downloading and installing software from untrusted sources.

About the author

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he serves as Editor-in-chief.