Beware of Bumblebee Malware: Hidden Threats in Trojanized Installers

Malvertising: Bumblebee malware in trojanized installers

IT security researchers at Secureworks have found the Bumblebee malware in installers for popular business software such as Citrix Workspace, ChatGPT, Zoom, and Cisco AnyConnect. The trojanized installation packages were promoted through SEO poisoning and malvertising, using domain names modelled on the vendors' legitimate ones. Malicious Google Ads lure victims to fake download sites, which deliver the malware bundled with the genuine installer.

Bumblebee is a modular loader that downloads and runs further malicious components. So far it has been distributed mainly through phishing campaigns and used to stage malicious code linked to ransomware operations. The infected installers raise the odds of new infections because they target software that is currently in demand and widely used by remote workers.

The installer downloaded from the fake site contains two files: the genuine installer, which is extracted to %Temp%\Package Installation Dir\CiscoSetup.exe, and a PowerShell script containing renamed functions from ReflectivePEInjection.ps1 of the PowerSploit collection. The script loads the obfuscated Bumblebee loader directly into memory.
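Renaming the PowerSploit functions defeats signature matching on the script text, but a reflective PE loader still has to reach the same Win32 and .NET primitives by name. The following hunting query is an added example, not code from the article or from Secureworks: it reads PowerShell script block logs (event ID 4104, which must be enabled through script block logging and records the de-obfuscated script) and flags blocks that reference several of those primitives. The indicator list, the threshold and the one-day window are assumptions to tune for your environment.

```powershell
# Added example (not from the article or Secureworks). Assumes script block
# logging is enabled and that a renamed reflective loader still contains the
# API and .NET names below, since it must resolve them by string at run time.
$Indicators = @(
    'VirtualAlloc', 'VirtualAllocEx', 'WriteProcessMemory', 'CreateRemoteThread',
    'NtCreateThreadEx', 'GetProcAddress', 'GetModuleHandle',
    'System.Reflection.Emit', 'DefineDynamicAssembly', 'Marshal]::Copy',
    'UnsafeNativeMethods', 'GetDelegateForFunctionPointer'
)
$Pattern   = ($Indicators | ForEach-Object { [regex]::Escape($_) }) -join '|'
$Threshold = 4   # distinct indicators needed before a script block is reported (assumed)

# Script block logging writes event 4104 to this log; pull the last 24 hours.
$Events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

foreach ($Event in $Events) {
    # Property order for 4104: MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path
    $Text = [string]$Event.Properties[2].Value
    $Hits = [regex]::Matches($Text, $Pattern) | ForEach-Object { $_.Value } | Sort-Object -Unique
    if (@($Hits).Count -ge $Threshold) {
        [pscustomobject]@{
            Time          = $Event.TimeCreated
            ScriptBlockId = $Event.Properties[3].Value
            Source        = $Event.Properties[4].Value   # empty when run from memory, which is itself a hint
            Indicators    = ($Hits -join ', ')
            Preview       = $Text.Substring(0, [Math]::Min(120, $Text.Length))
        }
    }
}
```

Large script blocks are split across several 4104 events (MessageNumber/MessageTotal), so a loader may score below the threshold per fragment; grouping by ScriptBlockId before counting closes that gap at the cost of a little more code.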

Three hours after the infection, the attackers began lateral movement and entrenched themselves on the machine with Cobalt Strike and legitimate remote administration tools such as AnyDesk and DameWare. In this particular case, the network defenses locked the attackers out before they could do further damage, such as deploying ransomware.

The researchers recommend downloading software installers and updates only from known, trusted sites. Users should not be granted permission to install software or run scripts on their machines, and tools such as Microsoft's AppLocker can stop users from executing malware. Malvertising is becoming an ever larger problem and is driving the rise in infected installers of popular software.
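The two recommendations translate into concrete checks. The script below is an added example, not from the article or the Secureworks report; the download path, the installer file name and the expected publisher string are assumptions. It first verifies the Authenticode signature of the file the user actually launches (the fake site ships the genuine, validly signed vendor installer inside a wrapper, so checking the dropped CiscoSetup.exe afterwards proves nothing), then seeds an AppLocker policy from the software already installed and applies it in audit mode, so that executables dropped into user-writable locations such as %Temp% are logged before enforcement is switched on.

```powershell
# Added example (not from the article or Secureworks). Run as an administrator;
# Set-AppLockerPolicy needs elevation and the Application Identity service.
Import-Module AppLocker

# --- 1. Check the signature of a downloaded installer before anyone runs it ---
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSigner   # substring of the signer's certificate Subject
    )
    $Sig = Get-AuthenticodeSignature -FilePath $Path
    # Both conditions matter: a wrapper can be unsigned, or signed by someone else.
    $Ok = ($Sig.Status -eq 'Valid') -and ($Sig.SignerCertificate.Subject -like "*$ExpectedSigner*")
    [pscustomobject]@{
        Path   = $Path
        Ok     = $Ok
        Status = $Sig.Status
        Signer = if ($Sig.SignerCertificate) { $Sig.SignerCertificate.Subject } else { '(unsigned)' }
    }
}

$Download = "$env:USERPROFILE\Downloads\anyconnect-win-setup.exe"   # assumed file name
Test-InstallerSignature -Path $Download -ExpectedSigner 'Cisco Systems'  # assumed publisher string

# --- 2. AppLocker allow-list in audit mode ----------------------------------
# Publisher rules for signed binaries, hash rules for the rest, seeded from what
# is already installed. A file dropped into %Temp% matches no rule and is
# therefore denied (in audit mode: logged, not blocked).
$PolicyXml = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe,Script |
    New-AppLockerPolicy -RuleType Publisher,Hash -User Everyone -Optimize -Xml

# New-AppLockerPolicy emits EnforcementMode="NotConfigured"; switch every rule
# collection to AuditOnly so the policy only logs (event 8003) until tuned.
$PolicyXml  = $PolicyXml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
$PolicyFile = 'C:\ProgramData\applocker-audit.xml'   # assumed location
$PolicyXml | Out-File -FilePath $PolicyFile -Encoding utf8

# Dry run: what would the policy decide for the downloaded installer?
Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $Download -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# Apply, merging with any existing local policy.
Set-AppLockerPolicy -XmlPolicy $PolicyFile -Merge

# Review what would have been blocked before changing AuditOnly to Enabled.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -MaxEvents 20 |
    Select-Object TimeCreated, Message
```

Two caveats a practitioner should keep in mind: hash rules break on every vendor update, so prefer publisher rules and keep the hash rules for the unsigned leftovers only; and the PowerShell execution policy is not a security boundary, which is why the recommendation is an application allow-list (AppLocker or Windows Defender Application Control) rather than Set-ExecutionPolicy.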
