Fake advertisements for well-known programs such as ChatGPT, Zoom, and Citrix Workspace are distributing the Bumblebee malware loader, which, according to experts, was developed by the Conti hack group to replace the BazarLoader backdoor.
Bumblebee was first discovered in April 2022. As researchers explained at the time, it is a multifunctional tool used to gain initial access to victims' networks and then deploy further payloads, including ransomware.
Secureworks researchers have now reported that attackers have recently launched a new campaign to distribute Bumblebee. This time, they are using Google Ads to promote trojanized versions of various popular apps.
For example, one of the campaigns started with an ad on Google and then took the victim to a fake Cisco AnyConnect Secure Mobility Client download page created on February 16, 2023 and hosted on the appcisco[.]com domain on a compromised WordPress site.
Instead of the desired software, the site served the user a malicious MSI installer named cisco-anyconnect-4_9_0195.msi, which installed Bumblebee. Alongside the genuine AnyConnect client, the installer copied a PowerShell script, cisco2.ps1, to the victim's machine.
Secureworks analysts noted that the PowerShell script contains a set of renamed functions copied from PowerSploit’s ReflectivePEInjection.ps1. It also contains an encoded Bumblebee payload that is automatically loaded into memory.
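Because the script's function names were renamed, signatures keyed on PowerSploit's original identifiers would miss it; a more robust check keys on the delivery chain itself. The following detection example is added here and is not from the Secureworks write-up: it flags a process tree in which an MSI installer (msiexec.exe) spawns PowerShell to run a dropped .ps1 file. The sample events, the script path C:\ProgramData\cisco2.ps1 and the assumption that the installer process itself launches the script are constructed for illustration.

```python
"""Flag msiexec -> powershell -> .ps1 chains in process-creation telemetry.
Added example, not part of the original report; the sample events below
are constructed, not real telemetry."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # command line as recorded by the sensor


# Constructed sample: a user runs the trojanized installer, which installs
# the real VPN agent and also launches a dropped PowerShell script.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "C:\Users\u\Downloads\cisco-anyconnect-4_9_0195.msi"'),
    ProcEvent(300, 200, r"C:\Program Files (x86)\Cisco\vpnagent.exe", "vpnagent.exe"),
    ProcEvent(400, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -ep bypass -w hidden -f "C:\ProgramData\cisco2.ps1"'),
]

PS_SCRIPT_RE = re.compile(r"\.ps1\b", re.IGNORECASE)


def find_msi_to_powershell(events):
    """Return (parent, child) pairs where msiexec.exe spawned powershell.exe
    with a .ps1 script on its command line."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for child in events:
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue
        if (parent.image.lower().endswith("\\msiexec.exe")
                and child.image.lower().endswith("\\powershell.exe")
                and PS_SCRIPT_RE.search(child.cmdline)):
            hits.append((parent, child))
    return hits


if __name__ == "__main__":
    for parent, child in find_msi_to_powershell(SAMPLE_EVENTS):
        print(f"[!] msiexec (pid {parent.pid}) spawned PowerShell: {child.cmdline}")
```

Legitimate installers rarely need PowerShell to run a script from a user- or machine-wide data directory, so such hits are worth triaging by inspecting the script for in-memory PE loading behaviour rather than for known function names.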
This malicious campaign is clearly targeting corporate users, and infected devices become entry points for ransomware. Secureworks analysts took a closer look at one such Bumblebee attack and found that the attackers used their access to a compromised system to move laterally through the organization's network within three hours of the initial infection.