The enterprise-targeting Bumblebee malware is distributed through Google Ads and SEO poisoning that promote popular software like Zoom, Cisco AnyConnect, ChatGPT, and Citrix Workspace.
Bumblebee is a malware loader discovered in April 2022, thought to have been developed by the Conti team as a replacement for the BazarLoader backdoor, used for gaining initial access to networks and conducting ransomware attacks.
In September 2022, a new version of the malware loader was observed in the wild, featuring a stealthier attack chain that used the PowerSploit framework for reflective DLL injection into memory.
Researchers at Secureworks have recently discovered a new campaign using Google advertisements that promote trojanized versions of popular apps to deliver the malware loader to unsuspecting victims.
Hiding in popular apps
One of the campaigns seen by Secureworks started with a Google ad that promoted a fake Cisco AnyConnect Secure Mobility Client download page created on February 16, 2023, and hosted on an “appcisco[.]com” domain.
“An infection chain that began with a malicious Google Ad sent the user to this fake download page via a compromised WordPress site,” explains Secureworks’ report.
Fake Cisco software download portal (Secureworks)
This fake landing page promoted a trojanized MSI installer named “cisco-anyconnect-4_9_0195.msi” that installs the Bumblebee malware.
Upon execution, a copy of the legitimate program installer and a deceptively named PowerShell script (cisco2.ps1) are copied to the user’s computer.
Files dropped by the malicious MSI (Secureworks)
The CiscoSetup.exe is the legitimate installer for AnyConnect, installing the application on the device to avoid suspicion.
However, the PowerShell script installs the Bumblebee malware and conducts malicious activity on the compromised device.
“The PowerShell script contains a selection of renamed functions copied from the PowerSploit ReflectivePEInjection.ps1 script,” explains Secureworks.
“It also contains an encoded Bumblebee malware payload that it reflectively loads into memory.”
This means that Bumblebee still uses the same post-exploitation framework module to load the malware directly into memory, a technique that avoids writing the payload to disk where existing antivirus products would scan it.
Secureworks found other software packages with similarly named file pairs, such as ZoomInstaller.exe and zoom.ps1, ChatGPT.msi and chch.ps1, and CitrixWorkspaceApp.exe and citrix.ps1.
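The drop pattern described above, a legitimate installer placed beside a small PowerShell script that carries a renamed reflective loader and an encoded payload, lends itself to a simple defensive triage check. The following Python script is an added example, not Secureworks’ code and not anything from the campaign itself: it pairs installer files with sibling .ps1 scripts and scores each script for hallmarks that a reflective PE loader cannot easily rename away (the Win32 APIs it has to resolve, unmanaged interop, and a large embedded base64 blob). The file names and script bodies it writes are constructed stand-ins, and the indicator lists are an assumption drawn from how PowerSploit-style loaders generally work, not from the actual cisco2.ps1.

```python
"""Heuristic triage for the 'legit installer + PowerShell dropper' layout.
Added example; not Secureworks' or the malware's own code. All sample
files below are constructed stand-ins, not real installers or malware."""
import json
import re
import tempfile
from pathlib import Path

INSTALLER_EXT = {".exe", ".msi"}

# Assumption: Win32 APIs that reflective PE loaders (PowerSploit's
# Invoke-ReflectivePEInjection among them) resolve by name, regardless of
# what the PowerShell functions themselves were renamed to.
LOADER_APIS = ("VirtualAlloc", "VirtualProtect", "GetProcAddress", "LoadLibrary",
               "CreateThread", "CreateRemoteThread", "WriteProcessMemory")
# Markers of unmanaged code access from PowerShell.
INTEROP_MARKERS = ("Marshal]::", "DllImport", "Add-Type", "GetDelegateForFunctionPointer")
# A long run of base64 characters is a cheap proxy for an embedded encoded payload.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{512,}={0,2}")


def find_dropper_pairs(names):
    """Return (installer, script) pairs: every .ps1 sitting beside an installer."""
    names = list(names)
    scripts = [n for n in names if n.lower().endswith(".ps1")]
    installers = [n for n in names if Path(n).suffix.lower() in INSTALLER_EXT]
    return [(i, s) for i in installers for s in scripts]


def score_powershell(text):
    """Score a script body (0-3) for reflective-loading hallmarks; function names are ignored."""
    findings = []
    apis = sorted({a for a in LOADER_APIS if a in text})
    if apis:
        findings.append(f"win32 loader APIs referenced: {', '.join(apis)}")
    interop = sorted({m for m in INTEROP_MARKERS if m in text})
    if interop:
        findings.append(f"unmanaged interop: {', '.join(interop)}")
    blob = BASE64_BLOB.search(text)
    if blob:
        findings.append(f"embedded base64 blob of {len(blob.group(0))} chars")
    return len(findings), findings


def triage_directory(directory):
    """Pair installers with sibling .ps1 files and score each script, highest first."""
    directory = Path(directory)
    names = [p.name for p in directory.iterdir() if p.is_file()]
    results = []
    for installer, script in find_dropper_pairs(names):
        text = (directory / script).read_text(errors="replace")
        score, findings = score_powershell(text)
        results.append({"installer": installer, "script": script,
                        "score": score, "findings": findings})
    return sorted(results, key=lambda r: r["score"], reverse=True)


def build_sample_drop(directory):
    """Write a constructed directory mimicking the reported layout (nothing here is real malware)."""
    d = Path(directory)
    (d / "CiscoSetup.exe").write_bytes(b"MZ placeholder, not a real installer")
    # Constructed stand-in: a renamed loader function plus the hallmarks it cannot hide.
    (d / "cisco2.ps1").write_text(
        "function Invoke-Zeta {\n"
        "  $mem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(4096)\n"
        "  $va = Get-ProcAddress kernel32.dll VirtualAlloc\n"
        "  $ct = Get-ProcAddress kernel32.dll CreateThread\n"
        "}\n$payload = '" + "QUJD" * 200 + "'\nInvoke-Zeta\n")
    # A harmless script beside the same installer, to show the score separating the two.
    (d / "readme.ps1").write_text("Write-Host 'benign post-install note'\n")


def demo():
    """Build the constructed sample in a temp dir and triage it; returns the results list."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_drop(d)
        return triage_directory(d)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The score is deliberately name-agnostic: renaming PowerSploit's functions, as the report says this dropper did, changes nothing the check looks at. It is still only a triage aid; a loader that also obfuscates its API strings or splits the payload into short chunks would lower its score, so a hit should be confirmed by examining the script and the process that wrote it.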
A path to ransomware
Considering that the trojanized software targets corporate users, infected devices are likely starting points for ransomware attacks.
Secureworks examined one of the recent Bumblebee attacks closely. They found that the threat actor leveraged their access to the compromised system to move laterally in the network approximately three hours after the initial infection.
The tools the attackers deployed in the breached environment include the Cobalt Strike pen-test suite, the AnyDesk and DameWare remote access tools, network scanning utilities, an AD database dumper, and a Kerberos credentials stealer.
This arsenal creates an attack profile that makes it very likely that the malware operators are interested in identifying accessible network points, pivoting to other machines, exfiltrating data, and eventually deploying ransomware.