
The malware loader Bumblebee has been floating around Google ads and other advertising platforms posing as legitimate software installers.

That’s according to research by the security firm Secureworks CTU, which discovered that hackers are distributing Bumblebee malware through trojanised installers for a variety of popular business software including Zoom, Cisco AnyConnect, ChatGPT and Citrix Workspace. 

Users looking for legitimate software are instead being stung by the malicious loader, tricked into installing malware via imitation download pages spread through Google ads.  

“Remote workers might be looking to install new software on their home IT set-up. For a quick solution, they could look online, rather than go through their tech team - if they even have one,” said Mike McLellan, Director of Intelligence at Secureworks. 

“As people look for new tech or want to get involved with the hype around new tech like ChatGPT, Google is the place to go to find it. Malicious ads returned in search results are incredibly hard to spot, even for someone with deep technical knowledge,” Mr McLellan added. 

In one case investigated by researchers, a user followed a Google Ad to download a legitimate Cisco AnyConnect VPN installer which had been modified to contain the Bumblebee malware. 

In the space of a few hours, a threat actor accessed their system, deployed additional tools including Cobalt Strike and a kerberoasting script, and attempted to move laterally.

“Based on what we saw, the threat actor probably intended to deploy ransomware. Fortunately, network defenders detected and stopped them before they were able to do so,” Mr McLellan said. 

Bumblebee Stings Google ads

Bumblebee malware, originally discovered in March 2022, has traditionally been distributed via phishing attacks to deliver ransomware. 

It is an evolved loader with advanced anti-analysis and anti-detection features and was thought to be replacing other loaders, such as BazarLoader, in initial compromise attacks followed by ransomware deployment.

Previously, Bumblebee reached victims via emails carrying password-protected zipped ISO files that contained an LNK file (for executing the payload) and a DLL file.

But, as Secureworks found, hackers have turned to Google ads in a bid to propagate the malware to online users, taking advantage of current trends to find more victims to target. 

Mr McLellan said that this shift was not surprising, given that advertising allows hackers to pollinate victims with malware with little effort and large financial benefit. 

“Adversaries follow the money and the easy route to success, and if this proves to be a better way of getting access to corporate networks then they will absolutely exploit it. 


“What it does highlight is the importance of having strict policies in place for restricting access to web ads as well as managing privileges on software downloads, as employees should not have privileges to install software on their work computers,” concluded McLellan.

Protecting against the Malware Stinger

A recent report by Publift revealed that as many as 1 in every 100 ads online may be injected with malicious content, making it difficult for businesses to stay on top of the threat and counter these potentially crippling malvertising attacks. 

McLellan encouraged organisations to better protect themselves by removing access to Google Ads to prevent employees from clicking on malicious ads while using company devices.  

“As adversaries use online ads and SEO poisoning, organisations can protect their teams and their network by implementing restrictions and controls which limit users’ ability to click on Google Ads. 

“Organisations should also ensure that software installers and updates are only downloaded from trusted and verified websites.”
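The two controls in the closing quotes, restricting where installers may come from and checking that what was downloaded is the genuine package, can be scripted so they are applied consistently rather than left to each employee. The example below is added here and is not Secureworks' or EM360's code; the allowlisted domain `vendor.example`, the file contents and the hash values are all constructed placeholders. It accepts a download only when the URL is HTTPS on an allowlisted vendor domain (exact match or true subdomain, so look-alike hosts such as `vendor.example.attacker.test` are rejected) and the installer's SHA-256 matches the value published by the vendor.

```python
import hashlib
import hmac
import tempfile
from urllib.parse import urlparse

# Constructed allowlist of vendor domains an organisation trusts for
# installer downloads. In practice this comes from the vendor's own
# documentation, not from a search result or an ad.
TRUSTED_DOMAINS = {"vendor.example"}


def host_is_trusted(url: str) -> bool:
    """True only for HTTPS URLs whose host is an allowlisted domain or a
    true subdomain of one. Substring tricks such as
    'vendor.example.attacker.test' or 'vendor-example.test' fail the check."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.hostname:
        return False
    host = parsed.hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large installers fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1024 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def installer_matches(path: str, expected_sha256: str) -> bool:
    """Constant-time comparison of the file hash against the vendor-published one."""
    return hmac.compare_digest(sha256_file(path), expected_sha256.strip().lower())


def check_download(url: str, path: str, expected_sha256: str) -> str:
    """Apply both controls in order and return a short verdict string:
    'untrusted-source', 'hash-mismatch' or 'ok'."""
    if not host_is_trusted(url):
        return "untrusted-source"
    if not installer_matches(path, expected_sha256):
        return "hash-mismatch"
    return "ok"


def run_demo() -> dict:
    """Exercise the checks against a constructed installer file and return the
    verdicts so the behaviour can be inspected or asserted on."""
    genuine = b"constructed installer bytes, standing in for a real MSI/EXE"
    with tempfile.NamedTemporaryFile(delete=False, suffix=".msi") as tmp:
        tmp.write(genuine)
        path = tmp.name
    published = hashlib.sha256(genuine).hexdigest()  # what the vendor would publish
    return {
        # genuine source, genuine file
        "genuine": check_download("https://downloads.vendor.example/setup.msi", path, published),
        # genuine source, but the file on disk is not the one the vendor published
        "tampered": check_download("https://downloads.vendor.example/setup.msi", path, "00" * 32),
        # look-alike host reached through an ad: rejected before any hashing
        "lookalike": check_download("https://downloads.vendor.example.attacker.test/setup.msi", path, published),
        # plain HTTP is rejected even on the right domain
        "plain_http": check_download("http://downloads.vendor.example/setup.msi", path, published),
    }


if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print(f"{case}: {verdict}")
```

The source check runs first so that a trojanised installer from an imitation page is refused before anyone reads the hash from that same page; the hash used for comparison must come from the vendor's own site, not from the download page being checked.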