This painful malware targets new victims through Google Ads

Illustration of a laptop with a magnifying glass exposing a beetle on-screen
(Image credit: Shutterstock / Kanoktuch)

Cybersecurity firm Secureworks has discovered a new malware strain disguising itself as Google Ads, and it's spreading quickly.

Known as Bumblebee, the malware was initially discovered over a year ago and would typically spread itself via phishing attacks, but Secureworks has warned the actor behind the malicious download is now getting more creative and jumping on a new trend.

In its recent 2022 State of the Threat report, Secureworks noted an increase in attacks using trojanized software distributed via Google Ads or SEO poisoning, and Bumblebee is just one of many malware families experimenting with this increasingly popular method.


Bumblebee malware via Google Ads

The malware's reach extends well beyond the search engine, with fake download pages found impersonating many popular business apps, including Zoom, Cisco AnyConnect, ChatGPT, and Citrix Workspace. Victims who install what they believe is legitimate software from these pages are infected with the malware instead.

The firm’s Director of Intelligence, Mike McLellan, explained that as many as 1% of online ads contain malicious content. McLellan described the typical scenario during which a victim is attacked: rather than downloading software via a company’s IT team, many remote workers are taking control and heading online themselves, unaware of the potential risks.

The report details the download of a legitimate Cisco AnyConnect VPN installer “which had been modified to contain the Bumblebee malware.” As a result, the threat actor not only got access to the victim’s system, but also deployed additional tools like Cobalt Strike.

McLellan explains that the new findings only go to demonstrate how important it is that companies have strict policies in place for restricting access to web ads and managing privileges on software downloads.

Beyond this, workers are advised to navigate directly to the legitimate vendor's website rather than follow a chain of links or ads, or to step out of the process entirely and ask their company's IT team to handle the download.
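The report's example of a legitimate Cisco AnyConnect installer "modified to contain the Bumblebee malware" points to a concrete check an IT team can put between a download and a double-click. The PowerShell script below is an added illustration of that check, not code from Secureworks or from this article: it rejects an installer whose Authenticode signature is missing or broken, whose signer is not the expected publisher, or whose SHA-256 hash does not match the value published on the vendor's own page. The file path, the signer-subject pattern and the expected hash are placeholders to be replaced with values obtained by going to the vendor's site directly.

```powershell
# Added example (not from the article or Secureworks): vet a downloaded
# installer before it is run. The path, signer pattern and hash below are
# placeholders; an administrator replaces them with values taken from the
# vendor's own site, reached by typing its address rather than via an ad.

param(
    [string]$InstallerPath  = 'C:\Users\Public\Downloads\anyconnect-win-setup.msi',  # placeholder path
    [string]$ExpectedSigner = 'CN=Cisco Systems, Inc.*',                             # placeholder subject pattern
    [string]$ExpectedSha256 = '<SHA256 published by the vendor>'                     # placeholder hash
)

function Test-DownloadedInstaller {
    param([string]$Path, [string]$SignerPattern, [string]$Sha256)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'missing'; Reason = 'file not found' }
    }

    # 1. Authenticode: an installer that was repackaged to carry extra code
    #    either has no signature or fails validation against the signed content.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Verdict = 'reject'; Reason = "signature status: $($sig.Status)" }
    }

    # 2. Signer identity: a valid signature from the wrong publisher is still a rejection.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notlike $SignerPattern) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'reject'; Reason = "unexpected signer: $subject" }
    }

    # 3. Hash pin: compare with the value published on the vendor's page.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $Sha256.ToUpperInvariant()) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'reject'; Reason = "hash mismatch: $actual" }
    }

    return [pscustomobject]@{ Path = $Path; Verdict = 'accept'; Reason = "signed by $subject, hash matches" }
}

$result = Test-DownloadedInstaller -Path $InstallerPath -SignerPattern $ExpectedSigner -Sha256 $ExpectedSha256
$result | Format-List
if ($result.Verdict -ne 'accept') { exit 1 }
```

The signature check carries most of the weight: it needs no out-of-band data and catches a repackaged installer outright. The hash pin only adds value when the reference hash comes from a page reached directly, since a hash copied from the same ad-linked download page as the installer proves nothing. Running the script as the final step of an IT-managed download, rather than leaving users to fetch and run installers themselves, is what turns the report's advice on download privileges into an enforced control.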

Craig Hale

With several years’ experience freelancing in tech and automotive circles, Craig’s specific interests lie in technology that is designed to better our lives, including AI and ML, productivity aids, and smart fitness. He is also passionate about cars and the decarbonisation of personal transportation. As an avid bargain-hunter, you can be sure that any deal Craig finds is top value!