Bumblebee Malware Distributed Via Trojanized Installer Downloads

Using
malicious
Google
Ads
or

SEO
poisoning
to
distribute
malware
has
become
a
common
tactic
for
cybercriminals.
For
example,
in
the
Secureworks®

2022
State
of
the
Threat
report,
Counter
Threat
Unit™
(CTU)
researchers
described
legitimate
web
searches
being
hijacked
by
SEO
poisoning
to
infect
victims’
systems
with
Gootloader,
and
malicious
Google
Ads
bundling
infostealers
like
RedLine
in
trojanized
installers
for
messaging
apps
such
as
Signal.

Recently,
CTU™
researchers
observed
Bumblebee
malware
distributed
via
trojanized
installers
for
popular
software
such
as
Zoom,
Cisco
AnyConnect,
ChatGPT,
and
Citrix
Workspace.
Bumblebee
is
a
modular
loader,
historically
distributed
primarily
through
phishing,
that
has
been
used
to
deliver
payloads
commonly
associated
with
ransomware
deployments.
Trojanizing
installers
for
software
that
is
particularly
topical
(e.g.,
ChatGPT)
or
software
commonly
used
by
remote
workers
increases
the
likelihood
of
new
infections.

One
of
the
Bumblebee
samples
CTU
researchers
analyzed
was
downloaded
from
http:
//appcisco
.
com/vpncleint/cisco-anyconnect-4_9_0195.msi.
On
or
around
February
16,
2023,
a
threat
actor
created
a
fake
download
page
for
Cisco
AnyConnect
Secure
Mobility
Client
v4.x
(see
Figure
1)
on
the
appcisco
.
com
domain.
An
infection
chain
that
began
with
a
malicious
Google
Ad
sent
the
user
to
this
fake
download
page
via
a
compromised
WordPress
site.

Figure
1.
Malicious
web
page
serving
trojanized
Cisco
AnyConnect
VPN
installer.
(Source:
DomainTools)

The
cisco-anyconnect-4_9_0195.msi
file
is
an
MSI
installer
that
contains
two
files
(see
Figure
2).

Figure
2.
Contents
of
trojanized
Cisco
AnyConnect
VPN
installer.
(Source:
Secureworks)

When
the
MSI
installer
is
executed,
renamed
versions
of
these
two
files
are
copied
to
the
“%Temp%Package
Installation
Dir”
folder
(see
Figure
3)
and
executed.

Figure
3.
Renamed
contents
of
trojanized
Cisco
AnyConnect
installer.
(Source:
Secureworks)

FILE_InstallMeCisco
(renamed
to
CiscoSetup.exe)
is
a
legitimate
installer
for
the
Cisco
AnyConnect
VPN
Secure
Mobility
Client
application.
FILE_InstallMeExe
(renamed
to
cisco2.ps1)
is
a
PowerShell
script.
CTU
researchers
identified
other
samples
that
used
the
same
technique
with
a
different
software
installer
and
related
PowerShell
script
name,
such
as
Zoom
(ZoomInstaller.exe
and
zoom.ps1),
ChatGPT
(ChatGPT.msi
and
chch.ps1)
and
Citrix
(CitrixWorkspaceApp.exe
and
citrix.ps1).

The
PowerShell
script
contains
a
selection
of
renamed
functions
copied
from
the
PowerSploit
ReflectivePEInjection.ps1
script.
It
also
contains
an
encoded
Bumblebee
malware
payload
that
it
reflectively
loads
into
memory.

In
one
compromised
environment,
CTU
researchers
observed
the
threat
actor
moving
laterally
approximately
three
hours
after
infection,
and
deploying
Cobalt
Strike
as
well
as
the
legitimate
AnyDesk
and
DameWare
remote
access
tools.
The
attacker
used
a
Scheduled
Task
named
WindowsSensor15
as
a
persistence
mechanism
for
Cobalt
Strike.
Additional
tools
deployed
by
the
threat
actor
included
pshashes.txt,
which
is
likely
a
script
for
conducting

Kerberoasting
attacks;
a
batch
script
to
dump
the
contents
of
the
Active
Directory
database;
and
a
network
scanning
utility
(netscanold.exe).
These
tools
were
dropped
in
the
C:ProgramData
directory.
Network
defenders
detected
the
activity
and
disrupted
access
before
the
attacker
achieved
their
objective,
which
was
likely
to
deploy
ransomware.

To
mitigate
this
and
similar
threats,
organizations
should
ensure
that
software
installers
and
updates
are
only
downloaded
from
known
and
trusted
websites.
Users
should
not
have
privileges
to
install
software
and
run
scripts
on
their
computers.
Tools
such
as

AppLocker
can
prevent
malware
from
being
executed
even
if
it
is
inadvertently
downloaded.

CTU
researchers
identified
numerous
indicators
associated
with
this
threat
(see
Table
1).
Due
to
the
large
number
of
C2
IP
addresses
extracted
from
the
Bumblebee
malware
configuration
data,
the
table
only
lists
a
subset.
However,
all
identified
indicators
have
been
applied
to
Secureworks
customer
protections.
Note
that
IP
addresses
can
be
reallocated.
The
IP
addresses
and
domains
may
contain
malicious
content,
so
consider
the
risks
before
opening
them
in
a
browser.

Table
1.
Indicators
for
this
threat.

If
you
need
urgent
assistance
with
an
incident,
contact
the

Secureworks
Incident
Response
team.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts