Go Back   Carder.life > [en] International Forum > Carding News
Reload this Page Bumblebee malware distributed via Zenmap, WinMRT SEO poisoning

CARDER.MARKET - CARDING FORUM FOR PROFESSIONAL CARDERS


 
 
Thread Tools Display Modes
Prev Previous Post   Next Post Next
  #1  
Old 05-26-2025, 12:01 PM
WWW's Avatar

WWW WWW is offline
Junior Member
Join Date: Mar 2024
Posts: 14
Default


The Bumblebee SEO poisoning campaign uncovered earlier this week abusing the RVTools brand is using more typosquatting domains mimicking other popular open-source projects.



BleepingComputer was able to find two cases leveraging the notoriety of Zenmap, the GUI for the Nmap network scanning tool, and the WinMTR tracerout utility.



The Bumblebee malware loader has been pushed through at least two domains - zenmap[.]pro and winmtr[.]org. While the latter is currently offline, the former is still online and shows a fake blog page about Zenmap when visited directly.



When users are redirected to zenmap[.]pro from from search results, though, it shows a clone of the legitimate website for the nmap (Network Mapper) utility:













Fake nmap website delivering Bumblebee-infested installers

The two sites received traffic through SEO poisoning and rank high in Google and Bing search results for the associated terms.













Google Search results

If anyone visits the fake Zenmap site directly, it shows several with AI-generated articles, as seen in the image below:













Innocuous blog loading on direct hits

The payloads delivered through the download section ‘zenmap-7.97.msi’ and ‘WinMTR.msi, and they both evade detection from most antivirus engines on VirusTotal [1, 2].

The installers deliver the promised application along with a malicious DLL, as in the case of RVTools, which drops a Bumblebee loader on users' devices.



From there, the backdoor can be used to profile the victim and introduce additional payloads, which may include infostealers, ransomware, and other types of malware.



Apart from the open-source tools mentioned above, BleepingComputer has also seen the same campaign targeting users looking for Hanwha security camera management software WisenetViewer.



Cyjax’s researcher Joe Wrieden also spotted a trojanized version of the video management software Milestone XProtect being part of the same campaign, the malicious installers being delivered ‘milestonesys[.]org’ (online).



Official RVTools still offline



Both official RVTools domains - Robware.net and RVTools.com - are currently showing a warning for users not to download the software from unofficial sites but don't make available the download link themselves.



Following allegations that the official RVTools site pushed a malware-laced installer, Dell Technologies denied the accusation saying that its sites did not distribute a trojanized variant of the product.



Dell stated that the official RVTools sites were taken offline because they were being the targets of distributed denial-of-service (DDoS) attacks.



One explanation for the attacks would be that the threat actor behind Bumblebee decided to take down the official download portals to drive to the malicious sites users searching for alternative sources for the tool.



To mitigate the risk of installing trojanized versions of legitimate software, the best recommendation is to make sure to get it from official sources and package managers.



It is also worth checking the downloaded installer's hash with a known, clean version before running it.



@ BleepingComputer
 

Tags
NULL

« Previous Thread | Next Thread »

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is On
Forum Jump




All times are GMT. The time now is 04:13 PM.

Contact Us - Carder.life - Archive - Top