Cybersecurity firm Secureworks has discovered a new malware strain digsuising itself as Google Ads, and it’s spreading quickly.
Known as Bumblebee, the malware was initially discovered over a year ago and would typically spread itself via phishing attacks, but Secureworks has warned the actor behind the malicious download is now getting more creative and jumping on a new trend.
In Securework’s recent 2022 State of the Threat report, it discovered in increase in attacks of trojanized software that are being distributed via Google Ads or SEO poisoning, and Bumblebee is just one of many experimenting with this increasingly popular method.
Bumblebee malware via Google Ads
The malware’s reaches are far beyond the search engine, with examples found across many popular business apps like Zoom, Cisco AnyConnect, ChatGPT, and Citrix Workspace. Victims installing what they think is legitimate software from the fake download pages then get infected with the malware.
The firm’s Director of Intelligence, Mike McLellan, explained that as many as 1% of online ads contain malicious content. McLellan described the typical scenario during which a victim is attacked: rather than downloading software via a company’s IT team, many remote workers are taking control and heading online themselves, unaware of the potential risks.
The report details the download of a legitimate Cisco AnyConnect VPN installer “which had been modified to contain the Bumblebee malware.” As a result, the threat actor not only got access to the victim’s system, but also deployed additional tools like Cobalt Strike.
McLellan explains that the new findings only go to demonstrate how important it is that companies have strict policies in place for restricting access to web ads and managing privileges on software downloads.
Beyond this, workers are advised to create their own path direct to the legitimate website rather than follow a stream of links or ads – or to entirely remove themselves from the process and request that their company’s IT team takes over.