Secureworks, a cybersecurity company, has discovered Bumblebee malware being spread through malicious online ads such as Google Ads. Bumblebee, first identified in March 2022, has traditionally, although not exclusively, been distributed via phishing attacks as a loader for ransomware operations. This new finding fits with a general increase Secureworks has seen in attacks involving trojanized software distributed via malicious Google Ads or SEO poisoning.
The Secureworks Counter Threat Unit (CTU) has observed Bumblebee distributed via trojanized installers for a variety of popular business software, including Zoom, Cisco AnyConnect, ChatGPT and Citrix Workspace. End users looking for legitimate software are tricked into installing the malicious loader via fake download pages promoted through malicious Google Ads.
“Remote workers might be looking to install new software on their home IT set-up. For a quick solution they could look online, rather than go through their tech team - if they even have one. But research shows that as many as one in every 100 adverts online contains malicious content,” said Mike McLellan, Director of Intelligence, Secureworks CTU. “As people look for new tech or want to get involved with the hype around new tech like ChatGPT, Google is the place to go to find it. Malicious ads returned in search results are incredibly hard to spot, even for someone with deep technical knowledge.”
In one case investigated by CTU researchers, a user followed a Google Ad to download what appeared to be a legitimate Cisco AnyConnect VPN installer; the installer had been modified to carry the Bumblebee malware. Within hours, a threat actor accessed the user's system, deployed additional tools including Cobalt Strike and a kerberoasting script, and attempted to move laterally.
“Based on what we saw, the threat actor probably intended to deploy ransomware. Fortunately, network defenders detected and stopped them before they were able to do so.”
“The shift from phishing to Google Ads is not that surprising. Adversaries follow the money and the easy route to success, and if this proves to be a better way of getting access to corporate networks then they will absolutely exploit it. What it does highlight is the importance of having strict policies in place for restricting access to web ads as well as managing privileges on software downloads, as employees should not have privileges to install software on their work computers,” concluded McLellan.
As adversaries turn to online ads and SEO poisoning, organisations can protect their teams and their networks by implementing restrictions and controls that limit users' ability to follow Google Ads. Organisations should also ensure that software installers and updates are downloaded only from trusted and verified websites, Secureworks says.
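Downloading from the vendor's own site is the policy; the technical check a practitioner would add before running any installer is that the file's Authenticode signature is valid and was made by the vendor you expect, since a legitimate installer that has been patched to carry a loader no longer matches its original signature. The following PowerShell function is an added example written for this page, not code from Secureworks or from any vendor named above. The function name, the placeholder path and the expected signer subject string are assumptions; the Zone.Identifier stream it reads is the standard Windows mark-of-the-web that browsers attach to downloads and that records the host the file actually came from.

```powershell
# Added example (not from the article): verify a downloaded installer before running it.
# Checks, in order: (1) where the browser says the file came from, (2) Authenticode
# validity, (3) that the signer is the expected vendor, (4) an optional SHA-256 pin.
function Test-TrustedInstaller {
    param(
        [Parameter(Mandatory)][string]$Path,             # e.g. a file in your Downloads folder (placeholder)
        [Parameter(Mandatory)][string]$ExpectedSubject,  # substring expected in the signer's certificate subject (assumption)
        [string]$ExpectedSha256                          # optional hash published by the vendor, if one is provided
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    # 1. Mark-of-the-web: the Zone.Identifier alternate data stream written by the browser
    #    records the download host (HostUrl), so a malvertised mirror shows up here even
    #    when the file name looks right. Not present if the file was copied in another way.
    $motw = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($motw) {
        $hostLine = $motw | Where-Object { $_ -like 'HostUrl=*' }
        if ($hostLine) { Write-Host "Downloaded from: $($hostLine -replace '^HostUrl=', '')" }
    }

    # 2. Authenticode: a modified binary fails with 'HashMismatch'; a repack that was never
    #    signed reports 'NotSigned'. Only 'Valid' is acceptable.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status '$($sig.Status)': $($sig.StatusMessage). Do not run."
        return $false
    }

    # 3. Signer identity: 'Valid' only means the chain is trusted by this machine. An attacker
    #    can validly sign a repacked installer with their own certificate, so pin the subject.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notlike "*$ExpectedSubject*") {
        Write-Warning "Signed by '$subject', expected a subject containing '$ExpectedSubject'. Do not run."
        return $false
    }

    # 4. Optional: compare against a hash the vendor publishes for this exact release.
    if ($ExpectedSha256) {
        $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
            Write-Warning "SHA-256 $actual does not match the published value. Do not run."
            return $false
        }
    }

    Write-Host "OK: '$Path' is validly signed by '$subject'"
    return $true
}

# Usage (placeholder path and subject; substitute the vendor's actual certificate subject):
# Test-TrustedInstaller -Path "$env:USERPROFILE\Downloads\installer.msi" -ExpectedSubject 'Cisco Systems'
```

The subject check is the part most often skipped: a signature that validates but belongs to an unfamiliar publisher is exactly the case this function is meant to refuse, because it is what a trojanized or repackaged installer that has been re-signed looks like. Treat a missing Zone.Identifier stream as informational rather than a failure, since files copied from network shares or archives will not carry one.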