Trojanized Installers Used to Distribute Bumblebee Malware

Popular software tools such as Zoom, Cisco AnyConnect, ChatGPT, and Citrix Workspace have been trojanized to distribute malware known as Bumblebee.

Secureworks’ Counter Threat Unit (CTU) analyzed the findings in a report published Thursday and found that the infection chain in several of these attacks relied on malicious Google ads that lured users to fake download pages hosted on compromised WordPress sites.

Mike McLellan, Director of Intelligence at Secureworks CTU, said: “Malicious ads returned in search results are very difficult to spot, even for the most technically savvy.”

One of the attacks Secureworks saw relied on a legitimate Cisco AnyConnect VPN installer that was modified to contain the Bumblebee malware.


According to the CTU, it took the attackers only three hours from this initial entry point to deploy additional tools such as Cobalt Strike and Kerberos scripts.

“From what we have seen, attackers may have intended to deploy ransomware. We stopped it,” added McLellan.

Security experts also said the new tactic targets remote workers, who are more likely to use Google to find and download new software themselves rather than going through technical teams, which typically operate in a more controlled environment.

“The shift from phishing to Google Ads isn’t all that surprising. Adversaries take the easy path to money and success. If they do, they will absolutely exploit it,” McLellan said.

“It highlights the importance of having strict policies in place to limit access to web advertising and manage permissions for software downloads. You should not have permission to install software.”

The CTU advisory comes weeks after Morphisec security researchers discovered another malicious campaign that also relied on Google Ads.
