Beware of Infected (Fake) Installers: BumbleBee Malware Alert

Cybercriminals commonly use malicious Google Ads or SEO poisoning to distribute malware. In a recent development, Secureworks researchers identified BumbleBee malware being distributed through trojanized installers of popular software applications, including Zoom, Cisco AnyConnect, ChatGPT, and Citrix Workspace.

Typically propagated through phishing, BumbleBee is a modular loader capable of delivering payloads linked with ransomware deployments.

Here are the details

One instance leveraged a Google ad to lead users to a fraudulent download page for Cisco AnyConnect Secure Mobility Client, hosted on ‘appcisco[.]com’.
  • The page advertised a trojanized MSI installer, ‘cisco-anyconnect-4_9_0195.msi’, that installs BumbleBee malware. Once executed, a PowerShell script and a genuine program installer are copied to the user's system.
  • The researchers observed the threat actor moving laterally within the compromised environment, deploying Cobalt Strike and remote access tools such as AnyDesk and DameWare.
  • These tools were dropped into the ‘C:\ProgramData’ directory, indicating that the attacker's likely aim was to deploy ransomware.
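Detection logic for the installer-to-loader chain described above, as an added example that is not part of the Secureworks report or this article: it runs over constructed Sysmon-style events and flags an MSI that launches PowerShell and executables landing in ‘C:\ProgramData’; the remote-access tool binary names are an assumption.

```python
"""Flag the installer-to-loader chain described in the article in Sysmon-style
events: an MSI that launches PowerShell, and payloads landing in C:\\ProgramData.
Events are constructed samples; the tool binary names are an assumption."""
from pathlib import PureWindowsPath

PROGRAMDATA = PureWindowsPath(r"C:\ProgramData")
PAYLOAD_EXTS = {".exe", ".dll", ".msi", ".ps1", ".bat", ".vbs"}
# Assumed binary names for the remote-access tools the article names (AnyDesk, DameWare).
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "dwrcs.exe"}

# Constructed events modelled on Sysmon ProcessCreate (id 1) and FileCreate (id 11).
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\explorer.exe"},                   # benign: user ran an MSI
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\msiexec.exe"},          # MSI running a script
    {"id": 11, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\ProgramData\AnyDesk.exe"},                # tool dropped in ProgramData
    {"id": 11, "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"C:\ProgramData\Cisco\AnyConnect\setup.log"}, # benign: vendor subfolder, log
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe"},                   # benign: user-launched shell
]


def _name(path):
    return PureWindowsPath(path).name.lower()


def detect(events):
    """Return one alert string per suspicious event; benign events produce nothing."""
    alerts = []
    for ev in events:
        if (ev["id"] == 1 and _name(ev["parent"]) == "msiexec.exe"
                and _name(ev["image"]) == "powershell.exe"):
            # Some installers use PowerShell custom actions: a triage signal, not a block.
            alerts.append(f"msiexec spawned PowerShell: {ev['image']}")
        elif ev["id"] == 11:
            target = PureWindowsPath(ev["target"])
            if not target.is_relative_to(PROGRAMDATA):
                continue
            depth = len(target.relative_to(PROGRAMDATA).parts)
            if target.name.lower() in REMOTE_ACCESS_TOOLS:
                alerts.append(f"remote-access tool written under ProgramData: {target}")
            elif depth == 1 and target.suffix.lower() in PAYLOAD_EXTS:
                # Vendors write to subfolders; executables directly in the root are unusual.
                alerts.append(f"executable written to ProgramData root: {target}")
    return alerts
```

Running `detect(EVENTS)` yields two alerts (the msiexec-to-PowerShell launch and the AnyDesk binary under ProgramData) and nothing for the benign events.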

Who does it affect?

  • The new tactic targets remote workers who tend to download software via Google search rather than through their company's IT team, which works in a more controlled environment.
  • This shift from phishing to Google Ads is unsurprising, given that adversaries tend to choose the path of least resistance to achieve their goals.
  • If Google Ads prove more effective for gaining access to corporate networks, cybercriminals will continue to exploit this method.

Stay safe

Secureworks recommends taking measures to mitigate this and similar threats. To prevent such attacks, organizations should only download software installers and updates from reputable and verified sources. Standard users should not be permitted to install software or run scripts on their devices.
Cyware Publisher