Fraudulent advertisements on Google are being used as bait to contaminate computers with Bumblebee ransomware. Malware spreads from fake pages promoting popular applications such as Zoom, ChatGPT, Cisco AnyConnect and Citrix Workspace, with ads appearing prominently in searches related to such solutions.
The alert about the malicious campaign was made by Secureworks researchers, who also detected SEO techniques being used on fraudulent sites. The idea, as always, is to ensure that fake domains come out ahead in searches, even legitimate pages, while ransomware spreads alongside a legitimate version of the software.
Compromised websites, which use the WordPress platform, are also scam accessories – they host fake pages, which simulate the appearance of real company domains and deliver malicious applications. They are actually installed on the machine, but they also come with a PowerShell script that brings BumbleBee to the computer.
Ransomware is loaded into memory and does not come to the attention of antivirus and other security tools. According to Secureworks, the attack also has its hibernation time, with the pest trying to move laterally through the network just three hours after the initial contamination, opening new gateways that are later used in hijacking and theft attacks. data.
Corporations, of course, are the main target of Bumblebee, a malware whose origins would be linked to Conti, one of the main ransomware gangs today. The pest would be being developed since April last year as a replacement for BazarLoader, also widely used by cybercriminals.
The behavior makes experts think of an exploits-as-a-service campaign, with criminals spreading malware widely to later identify compromised networks and sell that access to carry out new attacks. Deploying ransomware as well as stealing data are the usual results of this type of operation.
On the other hand, users can protect themselves by adopting caution when downloading solutions, which must always be done from recognized sites, from the developers themselves, or through official application stores. Avoid clicking on ads in search engines, preferring to access directly the pages of those responsible for the solution, while antivirus and monitoring systems are updated and kept active to identify any sign of trouble.
Source: Secureworks
