Organisations stung by malicious ads with Bumblebee malware

Malware is being spread through Google ads.
Google Ads and SEO poisoning are becoming increasingly popular channels for malware distribution, says cybersecurity company Secureworks.

Secureworks, a cybersecurity company, has discovered Bumblebee malware being spread through malicious online ads, such as Google Ads. Bumblebee, first identified in March 2022, has traditionally, although not exclusively, been distributed via phishing attacks as a loader that leads to ransomware. This new finding fits a general increase Secureworks has seen in attacks involving trojanized software distributed via malicious Google Ads or SEO poisoning.

The Secureworks Counter Threat Unit (CTU) has observed Bumblebee distributed via trojanized installers for popular business software such as Zoom, Cisco AnyConnect, ChatGPT and Citrix Workspace. End users looking for legitimate software are tricked into installing the malicious loader via fake download pages promoted through malicious Google Ads.

“Remote workers might be looking to install new software on their home IT set-up. For a quick solution they could look online, rather than go through their tech team - if they even have one. But research shows that as many as one in every 100 adverts online contains malicious content,” said Mike McLellan, Director of Intelligence, Secureworks CTU. “As people look for new tech or want to get involved with the hype around new tech like ChatGPT, Google is the place to go to find it. Malicious ads returned in search results are incredibly hard to spot, even for someone with deep technical knowledge.”

In one case investigated by CTU researchers, a user followed a Google Ad to download what appeared to be a legitimate Cisco AnyConnect VPN installer, which had been modified to contain the Bumblebee loader. Within hours, a threat actor accessed the system, deployed additional tools, including Cobalt Strike and a Kerberoasting script, and attempted to move laterally.

“Based on what we saw, the threat actor probably intended to deploy ransomware. Fortunately, network defenders detected and stopped them before they were able to do so.”
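The Kerberoasting step in the case above is one of the more detectable parts of that intrusion chain: the script asks the domain controller for service tickets for many service principal names (SPNs) in quick succession, typically requesting the RC4-HMAC encryption type (0x17) so the tickets can be cracked offline. The following is an added example, not Secureworks' tooling or anything from the CTU report, of detection logic run over constructed Windows Security event 4769 records. The log format, the five-minute window, the threshold of five distinct SPNs and the exclusion of machine accounts are all assumptions for illustration and would need tuning against real telemetry.

```python
"""Kerberoasting detection over Windows Security event 4769 records.

Added example: flags an account that requests RC4 (0x17) service tickets for
many distinct SPNs inside a short window. All records below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed sliding window
THRESHOLD = 5                   # assumed: distinct SPNs with RC4 tickets inside WINDOW

# Constructed 4769 (Kerberos service ticket request) records, one key=value line each.
SAMPLE_LOG = [
    "2023-04-12T09:14:02 EventID=4769 TargetUserName=jdoe@CORP.EXAMPLE ServiceName=CIFS/fs01.corp.example TicketEncryptionType=0x12",
    "2023-04-12T09:40:10 EventID=4769 TargetUserName=asmith@CORP.EXAMPLE ServiceName=HTTP/intranet.corp.example TicketEncryptionType=0x12",
    "2023-04-12T10:02:45 EventID=4769 TargetUserName=jdoe@CORP.EXAMPLE ServiceName=MSSQLSvc/db01.corp.example:1433 TicketEncryptionType=0x17",
    "2023-04-12T10:02:45 EventID=4769 TargetUserName=jdoe@CORP.EXAMPLE ServiceName=MSSQLSvc/db02.corp.example:1433 TicketEncryptionType=0x17",
    "2023-04-12T10:02:46 EventID=4769 TargetUserName=jdoe@CORP.EXAMPLE ServiceName=HTTP/web01.corp.example TicketEncryptionType=0x17",
    "2023-04-12T10:02:46 EventID=4769 TargetUserName=jdoe@CORP.EXAMPLE ServiceName=HTTP/web02.corp.example TicketEncryptionType=0x17",
    "2023-04-12T10:02:47 EventID=4769 TargetUserName=jdoe@CORP.EXAMPLE ServiceName=ldap/svc-backup TicketEncryptionType=0x17",
    "2023-04-12T10:02:47 EventID=4769 TargetUserName=jdoe@CORP.EXAMPLE ServiceName=MSSQLSvc/db03.corp.example:1433 TicketEncryptionType=0x17",
    "2023-04-12T10:02:48 EventID=4769 TargetUserName=WS01$@CORP.EXAMPLE ServiceName=CIFS/fs02.corp.example TicketEncryptionType=0x17",
    "2023-04-12T10:05:00 EventID=4624 TargetUserName=jdoe LogonType=3",
    "2023-04-12T11:30:00 EventID=4769 TargetUserName=asmith@CORP.EXAMPLE ServiceName=MSSQLSvc/db01.corp.example:1433 TicketEncryptionType=0x17",
]


def parse_event(line):
    """Parse one constructed log line into a dict; return None unless it is a 4769."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    if rec.get("EventID") != "4769":
        return None
    rec["ts"] = datetime.fromisoformat(ts_str)
    rec["user"] = rec.get("TargetUserName", "").split("@")[0]
    return rec


def is_kerberoast_candidate(rec):
    """True for RC4 service-ticket requests by a user (not machine) account."""
    if rec.get("TicketEncryptionType", "").lower() != "0x17":
        return False            # AES (0x11/0x12) tickets are far slower to crack
    if rec["user"].endswith("$"):
        return False            # machine accounts legitimately request many tickets
    svc = rec.get("ServiceName", "").lower()
    if svc.startswith("krbtgt") or svc.endswith("$"):
        return False            # TGT renewals / computer SPNs are not roasting targets
    return True


def detect_kerberoasting(lines, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per account that hits `threshold` distinct SPNs inside `window`."""
    per_user = defaultdict(list)
    for line in lines:
        rec = parse_event(line)
        if rec and is_kerberoast_candidate(rec):
            per_user[rec["user"]].append((rec["ts"], rec["ServiceName"]))

    alerts = []
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            # distinct SPNs requested from this request until the window closes
            spns = {s for t, s in reqs[i:] if t - start <= window}
            if len(spns) >= threshold:
                alerts.append({"user": user,
                               "window_start": start.isoformat(),
                               "distinct_spns": len(spns)})
                break           # one alert per account is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoasting(SAMPLE_LOG):
        print(f"ALERT possible Kerberoasting by {alert['user']} from "
              f"{alert['window_start']}: {alert['distinct_spns']} distinct SPNs with RC4 tickets")
```

Against the constructed log this raises a single alert for jdoe (six distinct SPNs with RC4 tickets within three seconds) and stays quiet on the normal AES requests, the lone RC4 request by asmith and the machine account. In production the same rule would run over 4769 events from every domain controller, and a domain that still issues RC4 tickets for service accounts is the underlying weakness worth fixing.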

“The shift from phishing to Google Ads is not that surprising. Adversaries follow the money and the easy route to success, and if this proves to be a better way of getting access to corporate networks then they will absolutely exploit it. What it does highlight is the importance of having strict policies in place for restricting access to web ads as well as managing privileges on software downloads, as employees should not have privileges to install software on their work computers,” concluded McLellan.

As adversaries turn to online ads and SEO poisoning, organisations can protect their teams and their networks by implementing restrictions and controls that limit users' ability to click on Google Ads. Organisations should also ensure that software installers and updates are only downloaded from trusted and verified websites, says Secureworks.
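The "trusted and verified websites" control above is easy to state and easy to get wrong: the fake download pages behind these ads sit on lookalike domains, and a naive "contains cisco.com" check accepts them. The following is an added example, not Secureworks' guidance or code, of a download gate that a software-distribution script could apply before handing an installer to the user: accept only HTTPS URLs whose host is an allowlisted vendor domain or a subdomain of one, then compare the file's SHA-256 against a checksum pinned from the vendor's own page. The allowlist and the example URLs are assumptions for illustration.

```python
"""Download gate for software installers (added example).

Two checks: the download host must be an allowlisted vendor domain (exact or
dotted-suffix match, so lookalikes fail), and the file's SHA-256 must match a
hash pinned from the vendor's published checksum.
"""
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumed allowlist; in practice this lives in central configuration.
TRUSTED_HOSTS = {"zoom.us", "cisco.com", "citrix.com", "openai.com"}


def is_trusted_download_url(url, trusted_hosts=TRUSTED_HOSTS):
    """True only for https URLs whose host is an allowlisted domain or a subdomain of one."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False
    # urlsplit().hostname strips userinfo, so https://cisco.com@evil.example/ resolves
    # to evil.example rather than cisco.com
    host = (parts.hostname or "").lower().rstrip(".")
    # dotted-suffix match; plain substring matching would accept
    # cisco.com.downloads-mirror.example or cisco-anyconnect.example
    return any(host == h or host.endswith("." + h) for h in trusted_hosts)


def sha256_hex(data):
    """SHA-256 of an in-memory blob (used for the self-contained check below)."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path):
    """SHA-256 of a file on disk, streamed so large installers do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def installer_allowed(url, data, expected_sha256):
    """Accept the installer only if it came from a trusted host AND matches the pinned hash."""
    if not is_trusted_download_url(url):
        return False
    return hmac.compare_digest(sha256_hex(data), expected_sha256.lower())


if __name__ == "__main__":
    # Constructed installer bytes and a hash "pinned" from them for the demo.
    blob = b"MZ\x90\x00 constructed installer bytes"
    pinned = sha256_hex(blob)
    for u in ("https://software.cisco.com/download/anyconnect.msi",
              "https://cisco.com.downloads-mirror.example/anyconnect.msi",
              "https://cisco-anyconnect.example/anyconnect.msi",
              "https://cisco.com@evil.example/anyconnect.msi",
              "http://cisco.com/download/anyconnect.msi"):
        print(f"{u:60} allowed={installer_allowed(u, blob, pinned)}")
```

On Windows the same gate should be paired with an Authenticode check (PowerShell's Get-AuthenticodeSignature) on the downloaded file, since a valid vendor signature catches a modified installer even when no checksum was published; and, as McLellan notes, none of this matters if standard users can install software at all, so the gate belongs in the managed deployment path rather than on the end user's desktop.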
