Security News > 2023 > April > Google ads push BumbleBee malware used by ransomware gangs
The enterprise-targeting Bumblebee malware is distributed through Google Ads and SEO poisoning that promote popular software like Zoom, Cisco AnyConnect, ChatGPT, and Citrix Workspace.
Bumblebee is a malware loader discovered in April 2022, thought to have been developed by the Conti team as a replacement for the BazarLoader backdoor, used for gaining initial access to networks and conducting ransomware attacks.
In September 2022, a new version of the malware loader was observed in the wild, featuring a stealthier attack chain that used the PowerSploit framework for reflective DLL injection into memory.
Researchers at Secureworks have recently discovered a new campaign using Google advertisements that promote trojanized versions of popular apps to deliver the malware loader to unsuspecting victims.
This fake landing page promoted a trojanized MSI installer named "Cisco-anyconnect-4 9 0195.msi" that installs the BumbleBee malware.
The PowerScrip script installs the BumbleBee malware and conducts malicious activity on the compromised device.