The bumblebee malware, first spotted last year targeting enterprise users is now distributed via SEO poisoning and Google Ads, which promote popular software such as Zoom, Cisco AnyConnect, the Chat GPT and Citrix Workspace.
Bumblebee malware
A new version of the BumbleBee malware was recently discovered in the wild, with a more stealthy attack chain that used the PowerSploit framework for reflective DLL injection into memory. This allows the malware to load into memory without being detected by existing antivirus products, making detection and prevention more difficult.
“Remote workers might be looking to install new software on their home IT setup. For a quick solution they could look online, rather than go through their tech team – if they even have one. But research shows that as many as one in every 100 adverts online contains malicious content,” said Mike McLellan, director of intelligence at the Secureworks CTU.
“As people look for new tech, or want to get involved with the hype around new tech like ChatGPT, Google is the place to go to find it. Malicious ads returned in search results are incredibly hard to spot, even for someone with deep technical knowledge.”
The tools that the attackers deployed in the compromised environment include the Cobalt Strike pen-test suite, the remote tools access AnyDesk and LadyWare, network scanning utilities, a AD database dumper and a Kerberos credential stealer.
The Secureworks team recommends that as threat actors ramp up their use of online ads and SEO poisoning techniques, organisations move to protect their teams, especially remote users, and networks by implementing restrictions and controls that limit the ability to click on Google adverts.
IOCS
appcisco
e4a5383ac32d5642eaf2c7406a0f1c0f – MD5 hash
3e5637d253c40aefdb0465df15bc057e
d5c26186 – SHA1 hash
d99b63e1740aa4f779b91d22f508a479 – SHA256 hash
2f237f09413d24b51144e0694af5d34f
6f7e07b84897cccab30594305416d36f – MD5 hash
6d1d531c921a17b36e792e2843311e27 – SHA256 hash
b9aa77a4
173.44.141.131 – IP address
23.82.140.131 – IP address
23.81.246.22:443 – IP address:port
95.168.191.134:443 – IP address:port
Follow Us on: Twitter, Instagram, Facebook to get the latest security news!
Leave A Comment