Cybersecurity firm Secureworks has unearthed a different strain of malware that appears to be disguising itself as Google Ads, and it’s rapidly spreading among new victims. Dubbed Bumblebee, the malware was first detected over a year ago, but Secureworks has now highlighted how the threat actor is getting creative by tapping into a trending phenomenon.
Secureworks’ 2022 State of the Threat report discovered an upswing in malicious activity involving trojanized software being disseminated via Google Ads or SEO poisoning, and Bumblebee is just one of several examples of this kind of attack in the wild.
Not only does the malware exist on Google search engines, but there are also multiple examples of it present in popular business applications, such as Zoom, Cisco AnyConnect, ChatGPT, and Citrix Workspace. When users are misguided into thinking a download is genuine and install it onto their systems, this is when the malware takes hold and gives the threat actor backdoor access and the ability to deploy additional tools, such as Cobalt Strike.
Mike McLellan, the Director of Intelligence at Secureworks, suggested that as many as 1% of online ads contain malicious elements. Similarly, he gave an example of how a victim may become entrapped in the attack: a situation whereby a user attempts to download legitimate software but is instead subject to a malicious remote attack.
This development is a clear indication of just how critical it is that companies conform to stringent policies that prevent the opening of web ads and the granting of privileges to software downloads. Both users and companies should take caution, as the safest practice to take is to request that a company’s IT team is involved in download processes, or for the user to create their own trail to access the genuine website, away from any obvious links or ads.
