Bumblebee malware distributed via fake installers for Zoom, ChatGPT and other popular software


A stealthy malware loader known as Bumblebee is being distributed via trojanized installers for popular software such as Zoom, Cisco AnyConnect, ChatGPT, and Citrix Workspace, according to Secureworks’ Counter Threat Unit (CTU).

Bumblebee is a relatively new threat that appears to act as a sophisticated downloader, bypassing most virtualization checks through capabilities of its own. Bumblebee has been observed deploying a range of malicious tools, including Cobalt Strike, shellcode, Sliver, and Meterpreter. According to past reports, Bumblebee has been used by at least three cybercriminal groups associated with ransomware actors; the gangs using it had previously relied on the BazarLoader and IcedID loaders, which are linked to the high-profile ransomware groups Conti and Diavol.

The CTU says that the infection chain observed in the new campaign used Google advertisements that sent users to a fake download page via a compromised WordPress site.

In one case, the attack started with a Google ad that promoted a fake Cisco AnyConnect Secure Mobility Client download page hosted on an “appcisco[.]com” domain. This fake page offered a trojanized MSI installer that installs the Bumblebee malware.
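The lure described above pairs a lookalike domain (a vendor brand string inside a host that is not the vendor's) with an installer download. The following is an added detection example, not code from Secureworks or the article: it refangs defanged indicators, then flags .msi/.exe downloads from brand-bearing hosts outside an assumed vendor allowlist, run over constructed proxy log lines.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist of genuine download domains for the brands abused in this
# campaign (not from the article; extend it from your own vendor inventory).
LEGIT_HOSTS = {"cisco": ("cisco.com",), "zoom": ("zoom.us",),
               "citrix": ("citrix.com", "cloud.com"), "chatgpt": ("openai.com",)}
INSTALLER_EXT = re.compile(r"\.(msi|exe)$", re.IGNORECASE)

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as appcisco[.]com back into a usable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

def flag_lookalike_installer(url: str):
    """Return (brand, host, path) when the URL fetches an .msi/.exe from a host that
    carries a vendor brand string but is not that vendor's domain; otherwise None.
    This is a heuristic: a host like 'francisco-tools.example' would also match 'cisco'."""
    parsed = urlparse(refang(url))
    host = (parsed.hostname or "").lower()
    if not INSTALLER_EXT.search(parsed.path):
        return None
    for brand, domains in LEGIT_HOSTS.items():
        legit = any(host == d or host.endswith("." + d) for d in domains)
        if brand in host and not legit:
            return (brand, host, parsed.path)
    return None

def scan_proxy_log(lines):
    """Apply the heuristic to proxy log lines of the form '<ts> <user> <url> <status>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 3 and (hit := flag_lookalike_installer(parts[2])):
            hits.append((parts[1],) + hit)
    return hits

# Constructed sample log lines (not real traffic): the first mirrors the article's
# appcisco[.]com lure, the second is a genuine vendor download, the third another lookalike.
SAMPLE_LOG = [
    "2023-04-20T09:14:02Z alice hxxp://appcisco[.]com/anyconnect-win-4.10.msi 200",
    "2023-04-20T09:15:11Z bob https://zoom.us/client/latest/ZoomInstallerFull.msi 200",
    "2023-04-20T09:17:05Z dave https://cdn.zoom-setup.example/ZoomInstaller.exe 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("suspicious installer download:", hit)
```

Hits from this heuristic are triage leads, not verdicts; correlate them with the subsequent MSI execution and any outbound beaconing before escalating.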

Secureworks notes that the threat actors took only three hours after initial infection to move laterally within the compromised environment. The tools deployed by the attackers on the compromised system included Cobalt Strike, the legitimate AnyDesk and DameWare remote access tools, a network scanning utility, an AD database dumper, and a Kerberos credential stealer.
