Cyber ​​criminals use Google ads to push Bumblebee malware

Popular Google apps are the channel used by cybercriminals to spread the Bumblebee malware

Researchers have identified a series of malicious attacks that spread the Bumblebee malware to install ransomware on users’ and organizations’ devices, taking advantage of fake pages of popular apps like Zoom or ChatGPT, spread through infected Google online ads.

Bumblebee is a malicious program that is used by cybercriminals as a tool to deliver ransomware to users’ devices. In other words, a form of data hijacking that is normally distributed through ‘phishing’ attacks. Bumblebee is a replacement for the malware known as BazarLoader.

In this framework, SecureWorks researchers have identified several cases of recent attacks. On this occasion, they are spread through infected online ads, such as Google ads, as reported by the SecureWorks Counter Threat Unit (CTU) in a statement on its blog.

The malicious ads were linked to popular applications that users regularly turn to such as Cisco AnyConnect, Zoom or ChatGPT. Thus, cybercriminals use this hook to trick users into installing these legitimate software and unknowingly installing Bumblebee via fake download pages promoting these malicious ads, then gaining access to their system and deploying ransomware.

One of the Bumblebee attacks analyzed by the researchers, which took place in February, used a fake Cisco AnyConnect page (

The cybercriminal created this fake Cisco AnyConnect Secure Mobility download page which was accessed via a malicious ad that was distributed in Google results, sending users to the fake download page via a WordPress site. engaged.

In addition, cybercriminals used other tools to carry out Kerberoasting attacks, which take advantage of the Kerberos computer network authentication protocol to harvest credentials from the Active Directory database. The researchers found the same modus operandi in other cases with related software installers and a PowerShell script name, such as Zoom, which used ZoomInstaller.exe and zoom.ps1, or ChatGPT, which it used ChatGPT.msi and chch.ps1.

To prevent these attacks, CTU researchers have recommended that organizations and users check that installers and program updates are downloaded only from trusted websites.

Source: dpa

(Reference image source: Freestocks, Unsplash)

Visit our news channel on Google News and follow us to get accurate, interesting information and stay up to date with everything. You can also see our daily content on Twitter and Instagram

You might also like