More legitimate tools spoofed to spread Bumblebee malware

Popular open-source network traffic analysis programs Zenmap and WinMTR had their websites impersonated to facilitate the distribution of Bumblebee malware, which was recently found to have been spread via trojanized installers for the widely used VMware environment reporting utility RVTools, BleepingComputer reports.

Threat actors leveraged SEO poisoning to ensure that the zenmap[.]pro and now-offline winmtr[.]org domains were visible in search results. Both websites contained download sections that delivered the stealthy 'zenmap-7.97.msi' and 'WinMTR.msi' payloads, which included a malicious DLL that launches a Bumblebee loader, according to BleepingComputer, which also noted that the same scheme was used for the Hanwha security camera management software WisenetViewer. Cyjax researcher Joe Wrieden also discovered Bumblebee malware being deployed through trojanized Milestone XProtect video management software installers. These developments come as Dell Technologies, which manages RVTools, took down RVTools domains due to ongoing distributed denial-of-service attacks while refuting claims that the sites were compromised to deliver trojanized installers.