Popular software tools such as Zoom, Cisco AnyConnect, ChatGPT and Citrix Workspace have been trojanized to distribute the malware known as Bumblebee.
Secureworks’ Counter Threat Unit (CTU) analyzed the findings in a report published on Thursday, saying the infection chain for several of these attacks relied on a malicious Google Ad that sent users to a fake download page via a compromised WordPress site.
“As people look for new tech or want to get involved with the hype around new tech like ChatGPT, Google is the place to go to find it,” said Mike McLellan, intelligence director of SecureWorks CTU. “Malicious ads returned in search results are incredibly hard to spot, even for someone with deep technical knowledge.”
One of the attacks observed by Secureworks relied on a legitimate Cisco AnyConnect VPN installer modified to contain the Bumblebee malware.
According to the CTU advisory, attackers only took three hours to exploit this entry point to deploy additional tools, including Cobalt Strike and a Kerberoasting script.
“Based on what we saw, the threat actor probably intended to deploy ransomware. Fortunately, network defenders detected and stopped them before they were able to do so,” McLellan added.
The security expert also noted that the new tactic targets remote workers, who are likely to use Google to find and download new software, rather than going through their tech team, which is likely located in a more secure environment.
“The shift from phishing to Google Ads is not that surprising. Adversaries follow the money and the easy route to success. If this proves to be a better way of getting access to corporate networks, then they will absolutely exploit it,” McLellan said.
“What it does highlight is the importance of having strict policies in place for restricting access to web ads as well as managing privileges on software downloads, as employees should not have privileges to install software on their work computers.”
The CTU advisory comes weeks after security researchers at Morphisec spotted a separate malicious campaign also relying on Google Ads.