Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Share Post: Reddit Facebook
Google ads push BumbleBee malware used by ransomware gangs
#1
https://www.bleepingcomputer.com/news/se...are-gangs/      Google ads push BumbleBee malware used by ransomware gangs
By Bill Toulas
April 22, 2023 10:08 AM    The enterprise-targeting Bumblebee malware is distributed through Google Ads and SEO poisoning that promote popular software like Zoom, Cisco AnyConnect, ChatGPT, and Citrix Workspace.

Bumblebee is a malware loader discovered in April 2022, thought to have been developed by the Conti team as a replacement for the BazarLoader backdoor, used for gaining initial access to networks and conducting ransomware attacks.

In September 2022, a new version of the malware loader was observed in the wild, featuring a stealthier attack chain that used the PowerSploit framework for reflective DLL injection into memory.

Researchers at Secureworks have recently discovered a new campaign using Google advertisements that promote trojanized versions of popular apps to deliver the malware loader to unsuspecting victims.

Hiding in popular apps
One of the campaigns seen by SecureWorks started with a Google ad that promoted a fake Cisco AnyConnect Secure Mobility Client download page created on February 16, 2023, and hosted on an "appcisco[.]com" domain.

"An infection chain that began with a malicious Google Ad sent the user to this fake download page via a compromised WordPress site," explains SecureWorks' report.

This fake landing page promoted a trojanized MSI installer named "cisco-anyconnect-4_9_0195.msi" that installs the BumbleBee malware.

Upon execution, a copy of the legitimate program installer and a deceptively named (cisco2.ps1) PowerShell script is copied to the user's computer.  The CiscoSetup.exe is the legitimate installer for AnyConnect, installing the application on the device to avoid suspicion.

However, the PowerScrip script installs the BumbleBee malware and conducts malicious activity on the compromised device.

"The PowerShell script contains a selection of renamed functions copied from the PowerSploit ReflectivePEInjection.ps1 script," explains Secureworks.

"It also contains an encoded Bumblebee malware payload that it reflectively loads into memory."

This means that Bumblebee still uses the same post-exploitation framework module to load the malware into memory without raising any alarms from existing antivirus products.

Secureworks found other software packages with similarly named file pairs like ZoomInstaller.exe and zoom.ps1, ChatGPT.msi and chch.ps1 and CitrixWorkspaceApp.exe and citrix.ps1.

A path to ransomware
Considering that the trojanized software is targeting corporate users, infected devices make candidates for the beginning of ransomware attacks.

Secureworks examined one of the recent Bumblebee attacks closely. They found that the threat actor leveraged their access to the compromised system to move laterally in the network approximately three hours after the initial infection.

The tools the attackers deployed on the breached environment include the Cobalt Strike pen-test suite, the AnyDesk and DameWare remote access tools, network scanning utilities, an AD database dumper, and a Kerberos credentials stealer.

This arsenal creates an attack profile that makes it very likely that the malware operators are interested in identifying accessible network points, pivoting to other machines, exfiltrating data, and eventually deploying ransomware.
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  TikTok, Meta, X, and others exploit push notifications on iOS to collect data mrtrout 0 710 02-09-2024 , 08:46 PM
Last Post: mrtrout
  Ransomware gangs abuse Process Explorer driver to kill security software mrtrout 0 452 04-20-2023 , 07:56 PM
Last Post: mrtrout
  Android malware apps with 2 million installs spotted on Google Play tarekma7 0 649 12-05-2022 , 04:09 PM
Last Post: tarekma7
  Fake Google Translate app installs malware dhruv2193 1 659 09-05-2022 , 12:47 PM
Last Post: Mike
  New Android malware on Google Play installed 3 million times mrtrout 0 674 07-14-2022 , 02:55 AM
Last Post: mrtrout

Forum Jump:


Users browsing this thread: 1 Guest(s)