Google ads push Bumblebee malware used by ransomware gangs
Targeting is indiscriminate and opportunistic because the threat vector, search engine poisoning, is by nature an open trap.
Bumblebee is a Windows-based malware designed to establish initial access on a system, gather system information and serve as a platform to launch further exploitation, commonly through the deployment of ransomware. Using false download pages spread by fraudulent Google ads, end consumers looking for real software are misled into installing the malicious loader. This loader uses Asynchronous Procedure Call (APC) injection to launch shellcode from the commands received from the Command and Control (C2) server, in contrast to most other malware, which uses process hollowing or DLL injection. Google’s Threat Analysis Group (TAG) has identified Bumblebee’s operators as Exotic Lily and has established a connection between them and Conti.
Exotic Lily acquires access to vulnerable corporate networks, sells that access to the threat group offering the highest price, and those threat organisations use that access to launch ransomware and other attacks on the target. The group conducts major phishing campaigns, sending as many as 5,000 emails each day to as many as 650 targeted companies worldwide.
Trojanised installers impersonating multiple well-known business products, including Zoom, Cisco AnyConnect, ChatGPT, and Citrix Workspace, are used to deliver the Bumblebee malware. The choice of business applications to imitate suggests threat actors are seeking to target large businesses over individuals. Known penetration testing implants like Cobalt Strike, Sliver, and Metasploit are deployed using the malware in the later stages of compromise.
This malware is typically used to create an opening in an organisation’s system that can be sold to threat actors or be used as a launching platform for ransomware or other methods of exploitation. This could lead to attackers initiating an attack with little to no resistance, or encryption and possible destruction of organisational data due to ransomware demands. The exploitation detailed can cause severe financial impact for an organisation and degradation of trust-based relationships with clients.
A comprehensive endpoint detection and response (EDR) solution, such as Microsoft Defender, can provide additional protection against malware threats such as Bumblebee. EDRs can alert system users to potential breaches and prevent further progress before the malware causes severe damage.
The attack procedure typically follows two steps:
- A phishing email is received with an ISO file attached, an HTML document with a download link for an ISO file, or a ZIP file containing the malicious files.
- Excel .xlsb files with Excel 4.0 macros are downloaded from Microsoft OneDrive after the user is redirected from a link to download and install Bumblebee files.
Windows OS-based devices.
Containment, Mitigations & Remediations
Consider deploying EDR and Next-Generation Antivirus (NGAV) to all devices within your environments to allow for early detection. Detection opportunities include:
- .vbs execution as a scheduled task.
- .dll execution following an ISO container being mounted.
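The two detection opportunities above, sketched as correlation logic over process-creation and ISO-mount events. This is an added example, not code from the original advisory; the event field names, the 30-minute window and all sample events are constructed assumptions to be mapped onto your own EDR or Sysmon telemetry.

```python
import re
from datetime import datetime, timedelta

# Constructed, normalised events (not real telemetry); field names are assumptions.
EVENTS = [
    {"ts": "2023-05-02T09:14:03", "host": "WS01", "type": "iso_mount", "drive": "E:"},
    {"ts": "2023-05-02T09:14:40", "host": "WS01", "type": "process",
     "image": r"C:\Windows\System32\rundll32.exe", "cmd": r"rundll32.exe E:\data.dll,Start",
     "parent_cmd": r"C:\Windows\explorer.exe"},
    {"ts": "2023-05-02T09:20:00", "host": "WS01", "type": "process",
     "image": r"C:\Windows\System32\wscript.exe", "cmd": r"wscript.exe C:\ProgramData\upd.vbs",
     "parent_cmd": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"},
    {"ts": "2023-05-02T10:00:00", "host": "WS02", "type": "process",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "parent_cmd": r"C:\Windows\explorer.exe"},
    {"ts": "2023-05-02T10:05:00", "host": "WS02", "type": "process",
     "image": r"C:\Windows\System32\wscript.exe", "cmd": r"wscript.exe C:\Scripts\logon.vbs",
     "parent_cmd": r"C:\Windows\explorer.exe"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DLL_HOSTS = {"rundll32.exe", "regsvr32.exe"}
WINDOW = timedelta(minutes=30)  # assumed correlation window between mount and DLL run
DLL_PATH = re.compile(r'\b([a-z]:)\\[^\s,"]*\.dll')  # captures the drive of each DLL path

def from_task_scheduler(parent_cmd):  # Schedule svchost, or taskeng.exe on older Windows
    return any(s in parent_cmd.lower() for s in ("-s schedule", "taskeng.exe"))

def detect(events):
    mounts, alerts = {}, []  # mounts: (host, drive) -> time the ISO was mounted
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "iso_mount":
            mounts[(e["host"], e["drive"].lower())] = ts
            continue
        image = e["image"].lower().rsplit("\\", 1)[-1]
        cmd = e["cmd"].lower()
        # Rule 1: script host runs a .vbs and the parent is the Task Scheduler service
        if image in SCRIPT_HOSTS and ".vbs" in cmd and from_task_scheduler(e["parent_cmd"]):
            alerts.append((e["host"], "vbs_scheduled_task", e["cmd"]))
        # Rule 2: DLL host loads a DLL from a drive recently mounted from an ISO
        if image in DLL_HOSTS:
            for drive in DLL_PATH.findall(cmd):
                mounted = mounts.get((e["host"], drive))
                if mounted and ts - mounted <= WINDOW:
                    alerts.append((e["host"], "dll_from_iso", e["cmd"]))
    return alerts
```

Calling `detect(EVENTS)` flags the two WS01 events and leaves the user-launched script and the system DLL load on WS02 alone.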
It is also recommended that customers regularly review inbound email policies and consider quarantining attachments from unknown or untrusted senders.
As the malicious practice of SEO poisoning continues to be a prominent threat, it is recommended that personnel receive training on how to spot signs of masquerading websites and to avoid accessing sponsored or advertised sites at the top of search engine results.
Indicators of Compromise
Bumblebee associated MD5 hashes
- 59fc 33d8 49f9 ad2a b4e4 b7fe 4b44 3a33
Bumblebee associated SHA-1 hashes
Bumblebee associated SHA-256 hashes
Bumblebee associated SSDEEP hashes
Bumblebee associated domains.
Recent Bumblebee ISO samples:
Recent Bumblebee C2:
The malicious advertising and search engine poisoning threat vector has been on the increase in recent months, with other examples including the distribution of Vidar Stealer via similar methods.
The malware has been observed using fake adverts which are imitating legitimate downloadable files for the following applications: Zoom, ChatGPT, Citrix and Cisco AnyConnect.
Several threat actor groups have been associated with the use of this malware, such as:
- Exotic Lily
The malware loader known as Bumblebee is being increasingly co-opted by threat actors associated with BazarLoader, TrickBot, and IcedID.
T1566 – Phishing
T1190 – Exploit Public-Facing Application
T1059 – Command and Scripting Interpreter
T1497 – Virtualization/Sandbox Evasion
T1082 – System Information Discovery
T1053 – Scheduled Task/Job
T1012 – Query Registry
T1552 – Unsecured Credentials
T1021 – Remote Services
T1496 – Resource Hijacking