Bumblebee Malware Delivers Akira Ransomware via SEO Poisoning Campaign Targeting IT Admins
A new SEO poisoning campaign on Bing targets users searching for ManageEngine OpManager, delivering Bumblebee malware that leads to Akira ransomware deployment within 44 hours.

The DFIR Report has documented a sophisticated intrusion chain that begins with SEO poisoning on Bing, targeting users searching for ManageEngine OpManager. Victims are directed to a malicious site, opmanager[.]pro, where they download a trojanized MSI installer. The installer drops the legitimate software while also loading Bumblebee as a malicious msimg32.dll that is executed through consent.exe, a DLL sideloading technique.
Bumblebee, an initial access tool active since late 2021, establishes command and control with servers at 109.205.195[.]211:443 and 188.40.187[.]145:443 using DGA domains. Approximately five hours after initial execution, Bumblebee deploys an AdaptixC2 beacon (AdgNsy.exe), which opens a new C2 channel to 172.96.137[.]160:443. The threat actor then conducts internal reconnaissance using built-in Windows utilities like systeminfo, nltest, and net group.
The attackers create two new domain accounts, backup_DA and backup_EA, and add the latter to the Enterprise Admins group. Using the privileged account, they connect to a domain controller via RDP and dump the NTDS.dit file using wbadmin.exe. For persistence, they install the RustDesk remote access tool and establish an SSH tunnel to an external server at 193.242.184[.]150. They also deploy a renamed SoftPerfect network scanner and attempt to dump credentials from a Veeam PostgreSQL database.
Data exfiltration is performed via FileZilla SFTP to 185.174.100[.]203. LSASS memory is dumped on multiple workstations by invoking the MiniDump export of comsvcs.dll through rundll32.exe. The Akira ransomware payload, locker.exe, is then executed with various command-line options to encrypt local drives and remote network shares. The time to first ransomware deployment is just under 44 hours from initial access.
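The chain above maps onto a handful of narrow, host-based detections. The script below is an added example, not code from The DFIR Report or from the article: it runs those rules over constructed Sysmon-style JSON events (process-create EID 1 and image-load EID 7). Host names, user names, file paths, and the tool watch-lists are assumptions made for the example, and the sample lines mirror the behaviours described rather than reproducing the report's telemetry.

```python
"""Hunt for the Bumblebee-to-Akira TTPs described above in Sysmon-style logs.

Added example, not code from The DFIR Report. The log lines are constructed
(invented hosts, users and paths); the rules are kept narrow so they can be
ported to a SIEM query.
"""
import json
from pathlib import PureWindowsPath

# Constructed Sysmon events, one JSON object per line, as a log shipper
# would forward them. EventID 1 = process create, EventID 7 = image load.
SAMPLE_LOG = r'''
{"EventID": 7, "Host": "WS01", "Image": "C:\\Windows\\System32\\consent.exe", "ImageLoaded": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\msimg32.dll"}
{"EventID": 7, "Host": "WS01", "Image": "C:\\Windows\\System32\\consent.exe", "ImageLoaded": "C:\\Windows\\System32\\msimg32.dll"}
{"EventID": 1, "Host": "WS01", "Image": "C:\\Windows\\System32\\net.exe", "OriginalFileName": "net.exe", "CommandLine": "net group \"Enterprise Admins\" backup_EA /add /domain"}
{"EventID": 1, "Host": "DC01", "Image": "C:\\Windows\\System32\\wbadmin.exe", "OriginalFileName": "WBADMIN.EXE", "CommandLine": "wbadmin start backup -backuptarget:\\\\WS01\\share -include:C:\\Windows\\NTDS\\ntds.dit -quiet"}
{"EventID": 1, "Host": "WS02", "Image": "C:\\Windows\\System32\\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE", "CommandLine": "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 712 C:\\Temp\\ls.dmp full"}
{"EventID": 1, "Host": "WS01", "Image": "C:\\Users\\jdoe\\Downloads\\scan.exe", "OriginalFileName": "netscan.exe", "CommandLine": "scan.exe /range:10.0.0.0/24"}
{"EventID": 1, "Host": "WS01", "Image": "C:\\Program Files\\RustDesk\\rustdesk.exe", "OriginalFileName": "rustdesk.exe", "CommandLine": "rustdesk.exe --service"}
{"EventID": 1, "Host": "WS03", "Image": "C:\\Windows\\System32\\net.exe", "OriginalFileName": "net.exe", "CommandLine": "net group \"Domain Users\" /domain"}
'''

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumed watch-lists; extend with tools your environment has not sanctioned.
RENAME_WATCHLIST = {"netscan.exe"}        # PE OriginalFileName of SoftPerfect Network Scanner
REMOTE_TOOLS = {"rustdesk.exe"}


def basename(path):
    """Lower-cased file name from a Windows path, usable on any host OS."""
    return PureWindowsPath(path).name.lower()


def rule_bumblebee_sideload(ev):
    """consent.exe loading msimg32.dll from outside the Windows system
    directories: the DLL sideload performed by the trojanized installer."""
    loaded = ev.get("ImageLoaded", "")
    return (ev.get("EventID") == 7
            and basename(ev.get("Image", "")) == "consent.exe"
            and basename(loaded) == "msimg32.dll"
            and not loaded.lower().startswith(SYSTEM_DIRS))


def rule_privileged_group_add(ev):
    """net group ... /add against Enterprise Admins or Domain Admins."""
    cmd = ev.get("CommandLine", "").lower()
    return (ev.get("EventID") == 1
            and basename(ev.get("Image", "")) in ("net.exe", "net1.exe")
            and " group " in cmd and "/add" in cmd
            and any(g in cmd for g in ("enterprise admins", "domain admins")))


def rule_ntds_via_wbadmin(ev):
    """wbadmin.exe asked to back up anything under the NTDS path."""
    return (ev.get("EventID") == 1
            and basename(ev.get("Image", "")) == "wbadmin.exe"
            and "ntds" in ev.get("CommandLine", "").lower())


def rule_lsass_dump_comsvcs(ev):
    """rundll32.exe calling the MiniDump export of comsvcs.dll."""
    cmd = ev.get("CommandLine", "").lower()
    return (ev.get("EventID") == 1
            and basename(ev.get("Image", "")) == "rundll32.exe"
            and "comsvcs.dll" in cmd and "minidump" in cmd)


def rule_renamed_known_tool(ev):
    """PE OriginalFileName is a watched tool but the on-disk name differs,
    which is how a renamed SoftPerfect scanner surfaces."""
    orig = ev.get("OriginalFileName", "").lower()
    return (ev.get("EventID") == 1
            and orig in RENAME_WATCHLIST
            and orig != basename(ev.get("Image", "")))


def rule_unsanctioned_remote_tool(ev):
    """Remote-access tool seen by image name or OriginalFileName, so that
    renaming the binary does not evade the rule."""
    names = {basename(ev.get("Image", "")), ev.get("OriginalFileName", "").lower()}
    return ev.get("EventID") == 1 and bool(names & REMOTE_TOOLS)


RULES = {
    "bumblebee_sideload_consent_msimg32": rule_bumblebee_sideload,
    "privileged_group_add": rule_privileged_group_add,
    "ntds_backup_via_wbadmin": rule_ntds_via_wbadmin,
    "lsass_dump_comsvcs_minidump": rule_lsass_dump_comsvcs,
    "renamed_known_tool": rule_renamed_known_tool,
    "unsanctioned_remote_tool": rule_unsanctioned_remote_tool,
}


def hunt(log_text):
    """Return [(rule_name, host, detail)] for every event that trips a rule."""
    hits = []
    for line in log_text.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        detail = ev.get("CommandLine") or ev.get("ImageLoaded", "")
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev.get("Host", "?"), detail))
    return hits


if __name__ == "__main__":
    for name, host, detail in hunt(SAMPLE_LOG):
        print(f"[{host}] {name}: {detail}")
```

The second consent.exe line and the read-only `net group "Domain Users"` line are included as negatives: the sideload rule keys on the DLL's directory rather than its name, and the group rule requires `/add` plus a privileged group, which keeps both rules quiet during routine administration. Correlating the order of hits across hosts (sideload, then group add, then NTDS backup, then LSASS dumps) reproduces the timeline the report lays out.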
Two days later, the threat actor returns via RustDesk, connects to a child domain controller, and performs additional discovery before deploying Akira ransomware to the child domain. Swisscom B2B CSIRT confirmed a similar intrusion in which a malicious IT tool dropped Bumblebee and that also ended with Akira ransomware, indicating a multi-organization campaign. The DFIR Report also identified two additional websites distributing trojanized installers for Axis camera tools and Angry IP Scanner.
This campaign highlights the effectiveness of SEO poisoning against IT administrators, who often hold high privileges and are therefore ideal initial access targets. The use of Bumblebee as a loader and AdaptixC2 for command and control demonstrates a modular approach that lets attackers pivot quickly to ransomware deployment. Organizations are advised to monitor for suspicious downloads of IT management tools, verify installers against the vendor's official distribution channel before execution, and implement strict application allow-listing.