Using malicious Google Ads or SEO poisoning to distribute malware has become a common tactic for cybercriminals. For example, in the Secureworks® 2022 State of the Threat report, Counter Threat Unit™ (CTU) researchers described legitimate web searches being hijacked by SEO poisoning to infect victims’ systems with Gootloader, and malicious Google Ads bundling infostealers like RedLine in trojanized installers for messaging apps such as Signal.
Recently, CTU™ researchers observed Bumblebee malware distributed via trojanized installers for popular software such as Zoom, Cisco AnyConnect, ChatGPT, and Citrix Workspace. Bumblebee is a modular loader, historically distributed primarily through phishing, that has been used to deliver payloads commonly associated with ransomware deployments. Trojanizing installers for software that is particularly topical (e.g., ChatGPT) or software commonly used by remote workers increases the likelihood of new infections.
One of the Bumblebee samples CTU researchers analyzed was downloaded from http: //appcisco . com/vpncleint/cisco-anyconnect-4_9_0195.msi. On or around February 16, 2023, a threat actor created a fake download page for Cisco AnyConnect Secure Mobility Client v4.x (see Figure 1) on the appcisco . com domain. An infection chain that began with a malicious Google Ad sent the user to this fake download page via a compromised WordPress site.
Figure 1. Malicious web page serving trojanized Cisco AnyConnect VPN installer. (Source: DomainTools)
The cisco-anyconnect-4_9_0195.msi file is an MSI installer that contains two files (see Figure 2).
Figure 2. Contents of trojanized Cisco AnyConnect VPN installer. (Source: Secureworks)
When the MSI installer is executed, renamed versions of these two files are copied to the “%Temp%\Package Installation Dir” folder (see Figure 3) and executed.
Figure 3. Renamed contents of trojanized Cisco AnyConnect installer. (Source: Secureworks)
FILE_InstallMeCisco (renamed to CiscoSetup.exe) is a legitimate installer for the Cisco AnyConnect VPN Secure Mobility Client application. FILE_InstallMeExe (renamed to cisco2.ps1) is a PowerShell script. CTU researchers identified other samples that used the same technique with a different software installer and related PowerShell script name, such as Zoom (ZoomInstaller.exe and zoom.ps1), ChatGPT (ChatGPT.msi and chch.ps1) and Citrix (CitrixWorkspaceApp.exe and citrix.ps1).
The PowerShell script contains a selection of renamed functions copied from the PowerSploit ReflectivePEInjection.ps1 script. It also contains an encoded Bumblebee malware payload that it reflectively loads into memory.
In one compromised environment, CTU researchers observed the threat actor moving laterally approximately three hours after infection, and deploying Cobalt Strike as well as the legitimate AnyDesk and DameWare remote access tools. The attacker used a Scheduled Task named WindowsSensor15 as a persistence mechanism for Cobalt Strike. Additional tools deployed by the threat actor included pshashes.txt, which is likely a script for conducting Kerberoasting attacks; a batch script to dump the contents of the Active Directory database; and a network scanning utility (netscanold.exe). These tools were dropped in the C:\ProgramData directory. Network defenders detected the activity and disrupted access before the attacker achieved their objective, which was likely to deploy ransomware.
To mitigate this and similar threats, organizations should ensure that software installers and updates are only downloaded from known and trusted websites. Users should not have privileges to install software and run scripts on their computers. Tools such as AppLocker can prevent malware from being executed even if it is inadvertently downloaded.
CTU researchers identified numerous indicators associated with this threat (see Table 1). Due to the large number of C2 IP addresses extracted from the Bumblebee malware configuration data, the table only lists a subset. However, all identified indicators have been applied to Secureworks customer protections. Note that IP addresses can be reallocated. The IP addresses and domains may contain malicious content, so consider the risks before opening them in a browser.
| Indicator | Type | Context |
|---|---|---|
| appcisco.com | Domain name | Bumblebee malware staging server |
| e4a5383ac32d5642eaf2c7406a0f1c0f | MD5 hash | MSI file (cisco-anyconnect-4_9_0195.msi) containing Bumblebee malware |
|
3e5637d253c40aefdb0465df15bc057e d5c26186 |
SHA1 hash | MSI file (cisco-anyconnect-4_9_0195.msi) containing Bumblebee malware |
|
d99b63e1740aa4f779b91d22f508a479 2f237f09413d24b51144e0694af5d34f |
SHA256 hash | MSI file (cisco-anyconnect-4_9_0195.msi) containing Bumblebee malware |
| 522c0b0d445c62cdeb0a80bcce645d57 | MD5 hash | MSI file (ProductCitrix.msi) containing Bumblebee malware |
|
5dad52c67d114f7a3a5a1e7ae5b15b58 1054d468 |
SHA1 hash | MSI file (ProductCitrix.msi) containing Bumblebee malware |
|
957639998125a31c998b0104dba7f463 d0659716a0a5b62fcc82eb28a0c0477b |
SHA256 hash | MSI file (ProductCitrix.msi) containing Bumblebee malware |
| 6f7e07b84897cccab30594305416d36f | MD5 hash | MSI file (ChatGPT_Setup.msi) containing Bumblebee malware |
|
6d1d531c921a17b36e792e2843311e27 b9aa77a4 |
SHA1 hash | MSI file (ChatGPT_Setup.msi) containing Bumblebee malware |
|
9982330ae990386cd74625f0eaa26ae6 97574694eb2ec330c2acac5e0149fdc0 |
SHA256 hash | MSI file (ChatGPT_Setup.msi) containing Bumblebee malware |
| 711482ca4d5dcaf0aec4c7c4b3e1bef1 | MD5 hash | MSI file containing Bumblebee malware |
|
77b9050f2b974bc67996b6435520b557 a6ad1303 |
SHA1 hash | MSI file containing Bumblebee malware |
|
e10dbd4a903b0fa82db9794df6496afe 17c98a166253d425f3535959110909a3 |
SHA256 hash | MSI file containing Bumblebee malware |
| 173.44.141.131 | IP address | C2 server associated with Bumblebee malware activity (February 2023) |
| baveyek.com | Domain name | Cobalt Strike C2 server |
| 23.82.140.131 | IP address | Hosting Cobalt Strike C2 server (baveyak.com) (February 2023) |
| 172.93.193.3:443 | IP address:port | C2 server extracted from Bumblebee configuration data (February 2023) |
| 23.81.246.22:443 | IP address:port | C2 server extracted from Bumblebee configuration data (February 2023) |
| 95.168.191.134:443 | IP address:port | C2 server extracted from Bumblebee configuration data (February 2023) |
| 104.168.175.78:443 | IP address:port | C2 server extracted from Bumblebee configuration data (February 2023) |
| 172.93.193.46:443 | IP address:port | C2 server extracted from Bumblebee configuration data (February 2023) |
| 157.254.194.104:443 | IP address:port | C2 server extracted from Bumblebee configuration data (February 2023) |
| 37.28.157.29:443 | IP address:port | C2 server extracted from Bumblebee configuration data (February 2023) |
| 23.106.124.23:443 | IP address:port | C2 server extracted from Bumblebee configuration data (February 2023) |
| 194.135.33.182:443 | IP address:port | C2 server extracted from Bumblebee configuration data (February 2023) |
| 54.38.139.94:443 | IP address:port | C2 server extracted from Bumblebee configuration data (February 2023) |
| 192.119.65.175:443 | IP address:port | C2 server extracted from Bumblebee configuration data (February 2023) |
| 107.189.8.58:443 | IP address:port | C2 server extracted from Bumblebee configuration data (February 2023) |
| 205.185.114.241:443 | IP address:port | C2 server extracted from Bumblebee configuration data (February 2023) |
| 104.168.171.159:443 | IP address:port | C2 server extracted from Bumblebee configuration data (February 2023) |
| 103.144.139.159:443 | IP address:port | C2 server extracted from Bumblebee configuration data (February 2023) |
| 91.206.178.204:443 | IP address:port | C2 server extracted from Bumblebee configuration data (February 2023) |
| 198.98.58.184:443 | IP address:port | C2 server extracted from Bumblebee configuration data (February 2023) |
| 172.241.27.120:443 | IP address:port | C2 server extracted from Bumblebee configuration data (February 2023) |
| 23.106.223.197:443 | IP address:port | C2 server extracted from Bumblebee configuration data (February 2023) |
| 23.108.57.83:443 | IP address:port | C2 server extracted from Bumblebee configuration data (February 2023) |
| 54.37.131.232:443 | IP address:port | C2 server extracted from Bumblebee configuration data (February 2023) |
| 23.82.128.11:443 | IP address:port | C2 server extracted from Bumblebee configuration data (February 2023) |
| 160.20.147.91:443 | IP address:port | C2 server extracted from Bumblebee configuration data (February 2023) |
| 103.175.16.10:443 | IP address:port | C2 server extracted from Bumblebee configuration data (February 2023) |
| 45.61.187.225 | IP address | C2 server extracted from Bumblebee configuration data (March 2023) |
| 91.206.178.68 | IP address | C2 server extracted from Bumblebee configuration data (March 2023) |
| 193.109.120.252 | IP address | C2 server extracted from Bumblebee configuration data (March 2023) |
Table 1. Indicators for this threat.
If you need urgent assistance with an incident, contact the Secureworks Incident Response team.