Secureworks has discovered malware in online advertising
Secureworks has found that Bumblebee malware is being spread through malicious online advertising, such as Google ads.
Bumblebee was first discovered in March 2022 and is known for primarily being distributed through phishing attacks to deliver ransomware.
Secureworks’ new finding fits with the overall increase the cybersecurity leader has seen in attacks that involve trojanised software distributed through malicious Google Ads or SEO poisoning.
The discovery is the work of Secureworks’ Counter Threat Unit (CTU), which found Bumblebee malware had been distributed through trojanised installers across a range of popular business software, including Zoom, Cisco AnyConnect, ChatGPT and Citrix Workspace.
Attackers trick end users looking for genuine software into installing the malicious loader through malicious Google Ads that lead to fake download pages.
“Remote workers might be looking to install new software on their home IT set up. For a quick solution they could look online, rather than go through their tech team - if they even have one. But research shows that as many as one in every 100 adverts online contains malicious content,” says Mike McLellan, Director of Intelligence, Secureworks CTU.
“As people look for new tech or want to get involved with the hype around new tech like ChatGPT, Google is the place to go to find it. Malicious ads returned in search results are incredibly hard to spot, even for someone with deep technical knowledge.”
CTU researchers found one instance where a user had followed a Google Ad to download a legitimate Cisco AnyConnect VPN installer that had been modified to contain the Bumblebee malware.
A threat actor was inside their system within hours, deploying additional tools such as Cobalt Strike and kerberoasting script, attempting to move laterally.
“Based on what we saw, the threat actor probably intended to deploy ransomware. Fortunately, network defenders detected and stopped them before they were able to do so,” McLellan adds.
“The shift from phishing to Google Ads is not that surprising. Adversaries follow the money and the easy route to success, and if this proves to be a better way of getting access to corporate networks, then they will absolutely exploit it.
“What it does highlight is the importance of having strict policies in place for restricting access to web ads as well as managing privileges on software downloads, as employees should not have privileges to install software on their work computers.”
Secureworks CTU says in the wake of adversaries using online ads and tactics such as SEO poisoning, the best way businesses can protect their teams and their network is to put in place restrictions and controls that limit a user’s ability to click on Google Ads.
Further, the company suggests organisations ensure software installers and updates are only downloaded from trusted and verified websites.