The dangerous Bumblebee malware, a loader tool first discovered in spring 2022 and favoured by ransomware gangs as a replacement for BazarLoader, has been observed spreading through malicious online adverts, including those on Google, according to intelligence gathered by the Secureworks Counter Threat Unit (CTU).
The ads in question are linked to popular and high-profile applications, including many favoured by remote workers such as Cisco AnyConnect, Citrix Workspace and Zoom, but also generative artificial intelligence (AI) plaything ChatGPT. Unwitting users on the hunt for legitimate software are thus tricked into installing Bumblebee via fake download pages propagated by these ads.
The increased prevalence of Bumblebee in the wild fits with a general increase the CTU team has seen in attacks involving trojanised software being distributed via malicious ads on Google or search engine optimisation (SEO) poisoning – the use of legitimate SEO techniques to make malicious content appear high up in search rankings.
“Remote workers might be looking to install new software on their home IT setup. For a quick solution they could look online, rather than go through their tech team – if they even have one. But research shows that as many as one in every 100 adverts online contains malicious content,” said Mike McLellan, director of intelligence at the Secureworks CTU.
“As people look for new tech, or want to get involved with the hype around new tech like ChatGPT, Google is the place to go to find it. Malicious ads returned in search results are incredibly hard to spot, even for someone with deep technical knowledge.”
In one case to which the CTU team responded, a user was duped into clicking a Google ad to download a legitimate Cisco AnyConnect VPN installer that had been modified to deliver Bumblebee.
Within a matter of hours, an undisclosed threat actor had accessed their system, deployed the Cobalt Strike post-exploitation framework long favoured by cyber criminals, conducted a so-called Kerberoasting attack – a technique that abuses the Kerberos protocol to harvest hashed Active Directory credentials – and attempted lateral movement.
Happily for the unfortunate user, the incident was stopped before it developed into something much worse, as network defenders were alerted to the activity and were able to shut it down and evict the attacker before they could do too much damage. “Based on what we saw, the threat actor probably intended to deploy ransomware,” said McLellan.
“The shift from phishing to Google ads is not that surprising,” he explained. “Adversaries follow the money and the easy route to success, and if this proves to be a better way of getting access to corporate networks, then they will absolutely exploit it.
“What it does highlight is the importance of having strict policies in place for restricting access to web ads, as well as managing privileges on software downloads, as employees should not have privileges to install software on their work computers.”
The Secureworks team recommends that, as threat actors ramp up their use of online ads and SEO poisoning techniques, organisations protect their teams, especially remote users, and their networks by implementing restrictions and controls that limit users' ability to click on Google adverts.
As a matter of basic cyber security policy, organisations should also ensure that software installers and updates are only downloaded from trusted and verified websites; failing to do so is an easily remedied error.