Browser Based-Threat Alert: Bumblebee Malware Campaign – When Malicious Ads Meet Compromised Websites

The threat landscape is continuously evolving, and cybercriminals are employing new and sophisticated tactics to target their victims. We have previously written about attacks utilizing “Search Engine Optimization (SEO) poisoning” on Google Ads to link to malware delivery sites. In SEO poisoning attacks, actors purchase Google Ads on targeted search terms to cause Google to serve malicious links in ads that are crafted to look like legitimate trusted web sites. 

One such campaign was recently observed by Secureworks’ Counter Threat Unit (CTU) researchers. It involves the distribution of Bumblebee malware via trojanized installers for popular software, such as Zoom, Cisco AnyConnect, ChatGPT, and Citrix Workspace. Bumblebee, a modular loader, has historically been delivered through phishing and is commonly associated with ransomware deployments. The current campaign, however, leverages malicious Google Ads and compromised WordPress sites as the initial attack vectors to infect victims’ systems.  

The researchers analyzed one of the Bumblebee samples and found that the infection chain began with a malicious Google Ad that redirected users to a fake download page for Cisco AnyConnect Secure Mobility Client. The fake page was hosted on the domain “appcisco[.]com,” which was created by the threat actor on or around February 16, 2023. This malicious redirection occurred via a compromised WordPress site. Once on the fake page, victims would download the trojanized installer, which contained an MSI file that executed two files when run. The first file was a legitimate installer for the Cisco AnyConnect VPN application, while the second was a malicious PowerShell script with an encoded Bumblebee malware payload.  

The campaign’s success relied on the effective use of malicious Google Ads and the compromise of WordPress sites. By combining these tactics, the attacker was able to redirect victims to fake download pages that appeared legitimate, enticing them to download and run the trojanized installers. The attacker’s objective, as observed in one compromised environment, was to deploy ransomware. However, in this particular case, network defenders detected and disrupted the attacker’s activity before they could achieve their goal. 

Fortunately, ConcealBrowse can defeat SEO poisoning attacks like this one. Because ConcealBrowse brings zero trust principles to the browser, even the most convincing ads can quickly be detected and blocked, preventing users from downloading malicious files or providing their sensitive information, even if they don’t realize the site is fake and malicious. 

The Bumblebee malware campaign serves as a cautionary tale of how cybercriminals can exploit online advertising platforms and compromised websites to distribute malware. Organizations must remain vigilant and adopt solutions like ConcealBrowse to proactively detect and isolate threats and safeguard their digital assets. Click here to try ConcealBrowse for free today.