A malware campaign has recently been detected that uses Google Ads and SEO poisoning to spread malware. The malware, dubbed Bumblebee, targets corporate users. It is distributed through marketing channels such as Google Ads and SEO poisoning, using lures that promote popular software applications such as Zoom, Cisco AnyConnect, ChatGPT, and Citrix Workspace. Bumblebee is assessed to have been built as a replacement for the BazarLoader backdoor.
BazarLoader is a malware loader that threat actors use to gain an initial foothold in corporate networks. Several leading security organizations have reported that it is often the precursor to ransomware attacks.
Staying ahead of the new threats that emerge in cybersecurity is a constant challenge. Bumblebee is used by ransomware gangs as a tool to gain initial access to networks before carrying out their attacks. First documented in April 2022, it was assessed to be the Conti group's replacement for the BazarLoader backdoor, which has since been retired.
A more dangerous variant of Bumblebee was recently discovered. In its attack chain, PowerSploit is used to reflectively inject a DLL into memory, a stealthy technique. Because the payload is loaded directly into memory rather than written to disk as a standalone executable, file-based antivirus scanning is far less likely to catch it, which makes detection and prevention harder and lets the malware stay undetected for longer.
The malware typically arrives packaged as an ISO file containing a DLL with a custom loader. Google's Threat Analysis Group (TAG) named it BUMBLEBEE after its distinctive "bumblebee" User-Agent string, and at the time of TAG's analysis it was observed fetching Cobalt Strike payloads.
In an ongoing campaign found by Secureworks, researchers discovered trojanized versions of popular applications being distributed through Google Ads, infecting unsuspecting victims with Bumblebee. The advertisements promote Zoom, Cisco AnyConnect, ChatGPT, and Citrix Workspace; they redirect users to bogus download pages that prompt them to download a trojanized version of the software.
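The two behaviours described above, reflective in-memory loading from PowerShell and the distinctive "bumblebee" User-Agent, are both visible in ordinary telemetry. The following is an added example (not code from the original article or from any of the vendors it cites) that runs two simple detections over constructed sample data: PowerShell script-block log entries, as Windows records them under Event ID 4104 when script-block logging is enabled, and web-proxy lines in combined log format. The marker names, the sample log lines and the malware User-Agent set are assumptions made for the example.

```python
import re

# Constructed sample telemetry (not real logs): PowerShell script-block
# entries as they would appear in Event ID 4104, and proxy lines in
# combined log format. Values are illustrative only.
SAMPLE_POWERSHELL_BLOCKS = [
    "Invoke-ReflectivePEInjection -PEBytes $PEBytes -ProcId 4242",
    "Get-ChildItem C:\\Users | Where-Object { $_.Name -like 'a*' }",
    "[System.Reflection.Assembly]::Load([Convert]::FromBase64String($b))",
]
SAMPLE_PROXY_LINES = [
    '10.0.0.5 - - [17/Feb/2023:10:01:02 +0000] "GET /gate HTTP/1.1" 200 512 "-" "bumblebee"',
    '10.0.0.6 - - [17/Feb/2023:10:01:05 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
]

# Markers of reflective / in-memory PE loading from PowerShell. The first is
# the PowerSploit function name; the rest are the Win32 and .NET primitives
# any reflective loader needs, so they also catch renamed copies.
INJECTION_MARKERS = [
    ("PowerSploit Invoke-ReflectivePEInjection", r"Invoke-ReflectivePEInjection"),
    (".NET in-memory assembly load", r"\[System\.Reflection\.Assembly\]::Load\("),
    ("Base64-embedded payload", r"FromBase64String"),
    ("Win32 memory/thread API",
     r"\b(VirtualAlloc(Ex)?|WriteProcessMemory|CreateRemoteThread|NtCreateThreadEx)\b"),
]
COMPILED_MARKERS = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in INJECTION_MARKERS]

# User-Agent strings attributed to malware; "bumblebee" is the one TAG named
# the family after. Assumed set, extend from your own threat intel.
MALWARE_USER_AGENTS = {"bumblebee"}


def scan_powershell_block(block):
    """Return the names of the injection markers found in one script block."""
    return [name for name, rx in COMPILED_MARKERS if rx.search(block)]


def extract_user_agent(line):
    """Pull the User-Agent (the last quoted field) out of a combined-format line."""
    m = re.search(r'"([^"]*)"\s*$', line)
    return m.group(1) if m else None


def scan_proxy_line(line):
    """Return the offending User-Agent if it matches a known malware UA, else None."""
    ua = extract_user_agent(line)
    if ua is not None and ua.strip().lower() in MALWARE_USER_AGENTS:
        return ua
    return None


def run_detections(ps_blocks, proxy_lines):
    """Run both detections and return the hits keyed by data source."""
    return {
        "powershell": [(b, hits) for b in ps_blocks if (hits := scan_powershell_block(b))],
        "proxy": [(l, ua) for l in proxy_lines if (ua := scan_proxy_line(l))],
    }


if __name__ == "__main__":
    results = run_detections(SAMPLE_POWERSHELL_BLOCKS, SAMPLE_PROXY_LINES)
    for block, hits in results["powershell"]:
        print("PowerShell:", ", ".join(hits), "<-", block)
    for line, ua in results["proxy"]:
        print("Proxy: malware User-Agent", repr(ua), "<-", line)
```

The PowerShell markers are deliberately broader than the PowerSploit function name alone: an operator who renames Invoke-ReflectivePEInjection still has to call the same memory and thread APIs, so those are the more durable signal. The User-Agent check is the cheap one and should be paired with egress alerts, since a C2 framework can change its UA in a single configuration edit.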
Google Ads Distribute Malware
The researchers also found the same Google Ads technique in use in a separate campaign. Promoting malware loaders to unsuspecting victims through advertisements for trojanized versions of popular applications has become common practice. This campaign consisted of a Google advertisement promoting a fake download page for the Cisco AnyConnect Secure Mobility Client.
The page was created on February 16, 2023, on the domain "appcisco[.]com". The malicious Google ad first sent the user through a compromised WordPress site, which redirected to the fake download page. That landing page offered an MSI installer named "cisco-anyconnect-4_9_0195.msi" that installs Bumblebee.
It is imperative to recognize the risks posed by such campaigns and take appropriate measures to secure the systems and networks they target. To detect and prevent such attacks, organizations must ensure robust controls are in place: obtain software only from the vendor's own domain rather than from search-engine advertisements, restrict or monitor the execution of ISO and MSI files from user download locations, and enable PowerShell script-block logging so that in-memory loading can be detected. Users must remain vigilant and trained in cybersecurity best practices to protect themselves against these sophisticated attacks.
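The lure above works because "appcisco[.]com" serving a file named "cisco-anyconnect-4_9_0195.msi" looks plausible at a glance. The following is an added example (not code from the original article or from Secureworks) of the kind of download-origin check a proxy or endpoint agent could apply: it decides whether a URL that invokes a vendor's brand, in the host name or the file name, is actually served from a domain that vendor owns. The vendor-to-domain allowlist, the installer extension list and the sample URLs are assumptions made for the example, and the registrable-domain logic is deliberately naive, as noted in the code.

```python
from urllib.parse import urlparse

# Assumed allowlist (illustrative, not an authoritative list): the brand name
# a lure might use, mapped to the registrable domains that vendor actually
# distributes software from.
VENDOR_DOMAINS = {
    "cisco": {"cisco.com"},
    "zoom": {"zoom.us"},
    "citrix": {"citrix.com"},
}

# File types that can carry an installer or a loader; an assumed list.
INSTALLER_EXTENSIONS = (".msi", ".exe", ".iso", ".zip")


def refang(indicator):
    """Turn a defanged indicator (hxxps://evil[.]com) back into a usable URL."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def registrable_domain(host):
    """Naive registrable domain: the last two labels of the host.

    Good enough for .com/.us style names; a real deployment should use the
    Public Suffix List so that names like example.co.uk are handled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_download(url):
    """Classify a download URL as trusted, lookalike, or unknown.

    Returns (verdict, brand, registrable_domain). A URL is a lookalike when
    the host or the file name invokes a vendor's brand but the registrable
    domain is not one that vendor owns; it is trusted when the domain is.
    """
    parsed = urlparse(refang(url))
    host = (parsed.hostname or "").lower()
    filename = parsed.path.rsplit("/", 1)[-1].lower()
    domain = registrable_domain(host)
    for brand, legit_domains in VENDOR_DOMAINS.items():
        if brand in host or brand in filename:
            verdict = "trusted" if domain in legit_domains else "lookalike"
            return (verdict, brand, domain)
    return ("unknown", None, domain)


def is_installer(url):
    """True when the URL path ends in an installer-type extension."""
    return urlparse(refang(url)).path.lower().endswith(INSTALLER_EXTENSIONS)


def triage(urls):
    """Return only the URLs that serve an installer from a lookalike domain."""
    return [u for u in urls if is_installer(u) and classify_download(u)[0] == "lookalike"]


# Constructed inputs: the first mirrors the lure described above, written in
# the defanged form the article uses; the others are made up for contrast.
SAMPLE_URLS = [
    "hxxps://appcisco[.]com/download/cisco-anyconnect-4_9_0195.msi",
    "https://software.cisco.com/download/anyconnect.msi",
    "https://zoom.us.cdn-updates.net/ZoomInstaller.exe",
    "https://example.org/docs/cisco-notes.pdf",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(classify_download(url), "installer" if is_installer(url) else "not installer", url)
    print("Block:", triage(SAMPLE_URLS))
```

The third sample shows why the check keys on the registrable domain rather than on the host string: "zoom.us.cdn-updates.net" contains the genuine vendor domain as a prefix, yet is owned by whoever registered cdn-updates.net. The fourth is flagged as a lookalike but filtered out by the installer check, which is the trade-off to tune in production: brand mentions in ordinary documents are common, brand mentions in installers from unowned domains are not.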