With more and more malware types and attack vectors exploiting Google Ads, security researchers at Secureworks have discovered a new malware strain called Bumblebee that’s impersonating itself Google Ads and spreading via phishing attacks. The discovery comes as a part of Securework’s 2022 State of the Threat report which reports an increase in attacks distributed via Google Ads or SEO poisoning.
The malware is also not limited to Google Ads, with the threat actors also impersonating popular programs and services including Zoom, Cisco AnyConnect VPN, ChatGPT and Citrix Workspace. Victims are tricked into thinking that they’re downloading legitimating programs while in reality the installers have been modified to contain the malware.
One prominent example of this is Cisco’s AnyConnect VPN where the legitimate installer installs the Bumblebee malware alongside the VPN. Once the malware is installed, it can get access the victim’s system and install additional payloads like Cobalt Strike as well as legitimate remote access tools like AnyDesk and DameWare.
The Secureworks report suggests that organisations ensure that software installers and updates are only downloaded from known and trusted websites as the first mitigation to this and similar threats. Additionally, users shouldn’t be given privileges to install software and run scripts on deployed computers that might offer access to an organisation’s network.
Hackers using fake installers or abusing Google Ads to spread malware isn’t anything new either. In January 2023 Cyble researchers discovered an IceID malware campaign that was infecting users by impersonating a Zoom installer in a similar manner to Bumblebee. In the same month, the Rhadamanthys malware was also found to be employing similar Google Ads-based tactics to spread.
In the News: University sites targeted to serve Fortnite spam via Wiki apps