Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
Be careful installing any old Zoom, ChatGPT, or Citrix Workspace found at the top of search results—the download may sting you.
Researchers from Secureworks noted ransomware-linked Bumblebee malware hiding out in Trojanized installers—a troubling shift in tactics, according to at least one member of the cybersecurity-software team.
“If you happened to be at work or on your work computer when you download the software, you’re potentially going to give access to your corporate network for those criminals who are people running this campaign,” said Mike McLellan, director of intelligence at Secureworks. “And that could then lead to a multimillion-dollar ransomware event potentially.”
The attack chain
- An end user looks for third-party software, such as VPNs, ChatGPT, or an endpoint agency like Cisco AnyConnect.
- Through a redirect here and there, often on compromised WordPress sites, an employee goes to a landing page that serves up the software they’re looking for, along with malware.
- That malware connects to a command-and-control infrastructure, giving criminals a foothold on a machine and the ability to download other penetration-test tools such as Cobalt Strike to compromise a network.
Cybercriminals have a history of using organic search results to infect victims, through pages optimized for search or ranked highly thanks to ad payments.
The malware loader Bumblebee, discovered in early 2022, previously found its way into networks and devices via email, with zipped ISO files.
While email filters can catch phishing messages, and vendors like Microsoft disabled macros to prevent malware installations, the better tactics may just be the ones that end users do on their own. In the noted Bumblebee attack, an end user essentially looks for a tool and downloads it.
“The best way to socially engineer someone, to trick someone, is for them to think it’s their idea,” McLellan said.
Companies such as Google, which did not reply to a response for comment, have proprietary technology and malware detection tools to scan advertisements, as well as policies to remove instances of malvertising.
Google recently reported that in 2022 the company blocked or removed 142 million advertisements for violating its misrepresentation policy.
Phil Mason, new UK CEO at the IT service management CyberCX, recommends a proxy server, which restricts specified IP addresses, domains, and connections. Mason also suggests strong endpoint-security and SIEM tools to recognize malicious activity on a network.
“Ultimately users shouldn’t be installing software outside of a corporate policy; that’s what it comes down to,” Mason said.
Secureworks recommended only downloading installers from trusted sites; restricting user-installation privileges (through a centralized management system, McLellan said); and using Windows tools such as AppLocker to prevent the execution of accidentally downloaded malware.
The Trojanized technique may be especially effective on busy-bee employees who want to quickly find software and install it to be productive.
“The concern is that it’s very easy for people to fall for this tactic if they’re not paying attention to where they're going to download the software from,” McLellan said.