Google ads push BumbleBee malware used by ransomware gangs



The enterprise-targeting Bumblebee malware is being distributed through Google Ads and SEO poisoning that promote popular software such as Zoom, Cisco AnyConnect, ChatGPT, and Citrix Workspace.

Bumblebee is a malware loader discovered in April 2022, believed to have been developed by the Conti team as a replacement for the BazarLoader backdoor, and used for gaining initial access to networks and conducting ransomware attacks.

In September 2022, a new version of the malware loader was spotted in the wild, featuring a stealthier attack chain that used the PowerSploit framework for reflective DLL injection into memory.

Researchers at Secureworks have recently discovered a new campaign using Google advertisements that promote trojanized versions of popular apps to deliver the malware loader to unsuspecting victims.

Hiding in popular apps

One of the campaigns seen by Secureworks started with a Google ad that promoted a fake Cisco AnyConnect Secure Mobility Client download page created on February 16, 2023, and hosted on an “appcisco[.]com” domain.

“An infection chain that began with a malicious Google Ad sent the user to this fake download page via a compromised WordPress site,” explains Secureworks’ report.

Fake Cisco software download portal (Secureworks)

This fake landing page promoted a trojanized MSI installer named “cisco-anyconnect-4_9_0195.msi” that installs the BumbleBee malware.

Upon execution, a copy of the legitimate program installer and a deceptively named PowerShell script (cisco2.ps1) are copied to the user’s computer.

Files dropped by the malicious MSI (Secureworks)

CiscoSetup.exe is the legitimate installer for AnyConnect, which installs the application on the device to avoid raising suspicion.

However, the PowerShell script installs the BumbleBee malware and conducts malicious activity on the compromised device.

“The PowerShell script contains a series of renamed functions copied from the PowerSploit ReflectivePEInjection.ps1 script,” explains Secureworks.

“It also contains an encoded Bumblebee malware payload that it reflectively loads into memory.”

This means that Bumblebee still uses the same post-exploitation framework module to load the malware into memory without raising any alarms from existing antivirus products.

Secureworks found other software packages with similarly named file pairs, such as ZoomInstaller.exe and zoom.ps1, ChatGPT.msi and chch.ps1, and CitrixWorkspaceApp.exe and citrix.ps1.
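The dropped-file pattern described above (a legitimate-looking installer written next to a small .ps1 loader by the same installer process) is something a defender can hunt for in file-creation telemetry. The following Python is an added example, not Secureworks' or the article's code; the event records are constructed, and the record layout (timestamp, creating process, path) is an assumption about the log source.

```python
"""Heuristic detector for the Bumblebee dropper pattern: an installer process
writes a legitimate-looking .exe/.msi and a .ps1 script into the same directory
within a short time window. Sample events are constructed, Sysmon-style
file-create records, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample events: (timestamp, creating process, file path)
SAMPLE_EVENTS = [
    ("2023-02-16T10:02:01", "msiexec.exe", r"C:\Users\alice\AppData\Local\Temp\CiscoSetup.exe"),
    ("2023-02-16T10:02:03", "msiexec.exe", r"C:\Users\alice\AppData\Local\Temp\cisco2.ps1"),
    ("2023-02-16T11:15:40", "msiexec.exe", r"C:\Program Files\Zoom\ZoomInstaller.exe"),
    ("2023-02-16T11:15:42", "msiexec.exe", r"C:\Program Files\Zoom\zoom.ps1"),
    ("2023-02-16T11:20:40", "msiexec.exe", r"C:\Program Files\Zoom\README.txt"),   # benign
    ("2023-02-16T12:00:00", "explorer.exe", r"C:\Users\alice\Downloads\notes.ps1"),  # benign: no installer beside it
]

INSTALLER_EXT = {".exe", ".msi"}
WINDOW = timedelta(seconds=60)


def find_installer_script_pairs(events, window=WINDOW):
    """Return (installer_path, script_path) pairs written by the same process
    into the same directory within `window` of each other."""
    # Group files by (creating process, directory) so unrelated drops never pair up.
    by_key = defaultdict(list)
    for ts, proc, path in events:
        p = PureWindowsPath(path)
        by_key[(proc.lower(), str(p.parent).lower())].append((datetime.fromisoformat(ts), p))

    hits = []
    for files in by_key.values():
        installers = [(t, p) for t, p in files if p.suffix.lower() in INSTALLER_EXT]
        scripts = [(t, p) for t, p in files if p.suffix.lower() == ".ps1"]
        for t_inst, inst in installers:
            for t_scr, scr in scripts:
                if abs(t_inst - t_scr) <= window:
                    hits.append((str(inst), str(scr)))
    return hits


if __name__ == "__main__":
    for inst, script in find_installer_script_pairs(SAMPLE_EVENTS):
        print(f"ALERT installer+script drop: {inst} alongside {script}")
```

The time window and the process grouping are what keep an ordinary installer writing a README, or a user saving an unrelated script, from triggering the rule.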

A path to ransomware

Considering that the trojanized software targets corporate users, infected devices are candidates for the start of ransomware attacks.

Secureworks examined one of the recent Bumblebee attacks closely. They found that the threat actor leveraged their access to the compromised system to move laterally in the network roughly three hours after the initial infection.

The tools the attackers deployed in the breached environment include the Cobalt Strike pen-test suite, the AnyDesk and DameWare remote access tools, network scanning utilities, an AD database dumper, and a Kerberos credentials stealer.

This arsenal creates an attack profile that makes it very likely that the malware operators are interested in identifying accessible network points, pivoting to other machines, exfiltrating data, and ultimately deploying ransomware.
