
Hackers Use Google Ads to Deliver Bumblebee Malware

Threat actors frequently employ malicious Google Ads and SEO poisoning to spread malware.

Recently, Secureworks’ Counter Threat Unit (CTU) researchers reported that cyber attackers are actively using Google Ads and SEO poisoning to distribute the Bumblebee malware, which targets enterprises and is disguised as popular applications such as:-

  • Zoom
  • Cisco AnyConnect
  • ChatGPT
  • Citrix Workspace

In April 2022, Bumblebee, a malware loader, was uncovered as a potential successor to BazarLoader, the Conti group’s previous backdoor.

Bumblebee Malware

Bumblebee, a modular loader, has typically been delivered via phishing and used to distribute payloads linked to ransomware operations.

Trojanizing popular or remote work-related software installers heightens the probability of new infections. Apart from this, CTU researchers examined a Bumblebee sample obtained from:-

  • http[:]//appcisco[.]com/vpncleint/cisco-anyconnect-4_9_0195.msi

A threat actor made a fake download page for Cisco AnyConnect Secure Mobility Client v4.x on appcisco[.]com around February 16, 2023.

A compromised WordPress site was used to redirect the user from a malicious Google Ad to the fake download page, starting an infection chain.

Technical Analysis

The Bumblebee malware is installed through the following trojanized MSI installer that is promoted on the fake landing page:-

  • cisco-anyconnect-4_9_0195.msi

When executed, the installer drops a disguised PowerShell script (cisco2.ps1) and a legitimate program installer onto the user’s computer.

AnyConnect’s genuine installer, CiscoSetup.exe, installs the application on the device inconspicuously, while the PowerShell script deploys the Bumblebee malware, which then carries out malicious activities on the infiltrated device.

A Bumblebee malware payload, encoded in the PowerShell script, is reflectively loaded into memory, along with renamed functions from the PowerSploit ReflectivePEInjection.ps1 script.

Because Bumblebee injects itself into memory with this post-exploitation framework module rather than writing a payload to disk, it can evade existing antivirus products without raising any security alarm.
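As an added defensive example (not code from the article or from Secureworks), the following Python heuristic triages a PowerShell script for the pattern described above: the Win32 loader calls that a ReflectivePEInjection-style script must still make even after its PowerSploit function names are renamed, plus a long base64 blob that decodes to a PE (MZ) header. The API list, the PowerSploit function names and the sample script are constructed assumptions, not the real cisco2.ps1.

```python
import base64
import re

# Win32 calls a reflective PE loader must still resolve even when its
# PowerShell function names are changed (assumed typical loader pattern).
LOADER_APIS = ("VirtualAlloc", "VirtualProtect", "GetProcAddress",
               "GetModuleHandle", "CreateThread", "memset")
# Function names from the original PowerSploit script; their absence next
# to the APIs above is the renaming the article describes.
POWERSPLOIT_NAMES = ("Invoke-ReflectivePEInjection", "Invoke-MemoryLoadLibrary",
                     "Get-Win32Types", "Get-Win32Functions")

def analyze_ps1(text: str) -> dict:
    """Heuristic triage of a PowerShell script for an embedded reflective PE loader."""
    apis_seen = [a for a in LOADER_APIS if re.search(rf"\b{a}\b", text)]
    funcs = re.findall(r"(?im)^\s*function\s+([\w-]+)", text)
    # Long base64 runs; decode each and check for an MZ (PE) header.
    blobs = re.findall(r"[A-Za-z0-9+/]{256,}={0,2}", text)
    pe_blobs = 0
    for b in blobs:
        try:
            if base64.b64decode(b + "=" * (-len(b) % 4))[:2] == b"MZ":
                pe_blobs += 1
        except ValueError:  # not valid base64 after all
            pass
    renamed = len(apis_seen) >= 3 and not any(n in text for n in POWERSPLOIT_NAMES)
    score = len(apis_seen) + 3 * pe_blobs + (2 if renamed else 0)
    return {"apis": apis_seen, "functions": funcs, "embedded_pe": pe_blobs,
            "renamed_loader": renamed, "score": score}

# Constructed sample imitating the described layout (harmless stand-in): a
# renamed injector whose body still resolves loader APIs, plus a base64
# "PE" that is only an MZ header followed by padding bytes.
FAKE_PE = base64.b64encode(b"MZ" + b"\x90" * 300).decode()
SAMPLE = f"""
function Start-Payload {{
    $k32 = [Win32]::GetModuleHandle("kernel32.dll")
    $va = [Win32]::GetProcAddress($k32, "VirtualAlloc")
    $vp = [Win32]::GetProcAddress($k32, "VirtualProtect")
    $ct = [Win32]::GetProcAddress($k32, "CreateThread")
}}
$bytes = [Convert]::FromBase64String("{FAKE_PE}")
Start-Payload -PEBytes $bytes
"""

if __name__ == "__main__":
    print(analyze_ps1(SAMPLE))
```

A high score is a triage signal for PowerShell script block logs or dropped .ps1 files, not proof of infection; benign scripts that P/Invoke these APIs will also score points.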

Cybersecurity researchers at Secureworks also identified other software packages with similarly named file pairs, such as:-

  • ZoomInstaller.exe and zoom.ps1
  • ChatGPT.msi and chch.ps1
  • CitrixWorkspaceApp.exe and citrix.ps1

Mitigation

The recommended mitigations are:-

  • Only download software installers and updates from known, official, and trusted websites.
  • Ensure that computer users are not allowed to install software and run scripts.
  • To prevent the execution of malware, security tools like AppLocker must be used and enabled.
  • Make sure to use a reputed antivirus solution.
  • Ensure regular backups of your data.


Source: https://cybersecuritynews.com/google-ads-deliver-bumblebee-malware/
