Malvertising: Bumblebee malware in trojanized installers

IT security researchers at Secureworks have discovered installers for popular business software that are infected with the Bumblebee malware. These trojanized installation packages are reportedly promoted through SEO poisoning and malvertising, and are successfully finding victims that way.

SEO poisoning is an attack on search engines that causes the cybercriminals' pages to appear at the top of the search results. This lures victims to fake download sites that distribute the malware bundled with the legitimate installer. In addition, malicious advertisements pointing to the malware are reportedly being smuggled into Google Ads. To avoid arousing suspicion, the perpetrators used domain names modelled on the legitimate ones; one example of a malicious source is appcisco.com.

According to the IT researchers, the infected installation programs mostly involve popular business software such as Zoom, Cisco AnyConnect, ChatGPT or Citrix Workspace, Secureworks states in its advisory. Distributing trojanized installers for software that addresses a currently popular topic, such as ChatGPT, or that is commonly used by remote workers, increases the likelihood of new infections.

Bumblebee is a modular loader that fetches additional malicious components. So far it has mainly been distributed through phishing campaigns, often to deliver malicious code associated with ransomware. A sample the IT security researchers have now examined comes from the source mentioned above.

In mid-February the cybercriminals created a fake download page for the Cisco AnyConnect Secure Mobility Client v4.x. They lured victims to it with malicious Google Ads advertising that pointed to a compromised WordPress website, which in turn redirected to the target page.

The installer from the website contains two files: the genuine installer as FILE_InstallMeCisco, which is unpacked to %Temp%\Package Installation Dir\CiscoSetup.exe when run, and FILE_InstallMeExe, which lands in the same directory as the PowerShell script cisco2.ps1. The script contains several renamed functions from ReflectivePEInjection.ps1 of the PowerSploit collection, which it uses to load the likewise included, obfuscated Bumblebee loader into memory. PowerSploit is a “PowerShell Post-Exploitation Framework” hosted on GitHub, somewhat comparable to Metasploit.

Secureworks staff observed the attackers begin lateral movement three hours after infection and establish themselves on the machine with Cobalt Strike and legitimate remote administration software such as AnyDesk and DameWare. They made Cobalt Strike persistent via the Task Scheduler. In the C:\ProgramData directory the intruders placed further scripts, for example for suspected “Kerberoasting” (stealing or forging Kerberos tickets), for copying the contents of the Active Directory database, and a network scanner. In this particular case the network defences intervened at this point and stopped the attackers before they could cause further damage, such as deploying ransomware.
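The installer behaviour (a PowerShell script dropped under %Temp% and launched by the installer) and the follow-on persistence (a scheduled task whose action lives in C:\ProgramData) described in the two paragraphs above are the kind of host telemetry a detection team would key on. The following is an added example written for this article, not code from Secureworks or from the report; the Sysmon-style field names (image, parent, cmdline), the user name, the downloaded file name and the scheduled-task details are constructed sample data.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style process-creation events (paths and names invented
# for this example; they mirror the drop locations described in the article).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Users\jdoe\AppData\Local\Temp\Package Installation Dir\CiscoSetup.exe",
     "parent": r"C:\Users\jdoe\Downloads\anyconnect-win-4.x-setup.exe",
     "cmdline": r'"C:\Users\jdoe\AppData\Local\Temp\Package Installation Dir\CiscoSetup.exe" /quiet'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\jdoe\Downloads\anyconnect-win-4.x-setup.exe",
     "cmdline": r'powershell.exe -ep bypass -File "C:\Users\jdoe\AppData\Local\Temp\Package Installation Dir\cisco2.ps1"'},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"schtasks.exe /create /sc onlogon /tn Updater /tr C:\ProgramData\update.ps1"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1"},   # benign admin script
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
USER_WRITABLE = re.compile(r"\\(Downloads|AppData\\Local\\Temp)\\", re.I)
PS1_ARG = re.compile(r'-File\s+"?([^"]+?\.ps1)', re.I)


def _is(image: str, name: str) -> bool:
    return image.lower().endswith("\\" + name)


def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per rule hit; each finding names the rule and the command line."""
    findings = []
    for ev in events:
        image, parent, cmd = ev["image"], ev["parent"], ev["cmdline"]
        if _is(image, "powershell.exe"):
            m = PS1_ARG.search(cmd)
            # Rule 1: a .ps1 executed straight out of the user's Temp directory,
            # the location where the trojanized installer drops its script.
            if m and TEMP_DIR.search(m.group(1)):
                findings.append({"rule": "powershell_script_in_temp", "cmdline": cmd})
            # Rule 2: PowerShell spawned by a binary in a user-writable
            # download/Temp path, i.e. an installer rather than a shell or admin tool.
            if USER_WRITABLE.search(parent):
                findings.append({"rule": "installer_spawns_powershell", "cmdline": cmd})
        # Rule 3: scheduled-task persistence whose action points into C:\ProgramData.
        if _is(image, "schtasks.exe") and "/create" in cmd.lower() and "\\programdata\\" in cmd.lower():
            findings.append({"rule": "schtasks_to_programdata", "cmdline": cmd})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["rule"], "<-", f["cmdline"])
```

The rules deliberately key on behaviour (script location, parent process, task action path) rather than on the file name cisco2.ps1, which an attacker can change at no cost.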

The IT researchers recommend that organizations ensure software installers and updates are downloaded only from known and trusted websites. Users should not be granted permission to install software or run scripts on their machines. Tools such as Microsoft's AppLocker can help here: even if users download malware, it prevents them from running it.

Malvertising is becoming an increasing problem. Back in February, IT security researchers warned of a rise in infected installers for popular software.


(dmk)
