Attack Vector Through Search Engine Poisoning
A sophisticated cyberattack campaign has been uncovered where threat actors manipulated Bing search results to target IT administrators. By poisoning search engine optimization (SEO) results for the popular network monitoring tool ManageEngine OpManager, attackers redirected users to a fraudulent download page at opmanager[.]pro. This deceptive site closely mimicked the legitimate software distribution page and served a trojanized MSI installer to victims.
The malicious installer deployed the BumbleBee loader through DLL side-loading, abusing the Windows DLL search order so that the loader ran inside a trusted, legitimately signed process. The initial compromise occurred when an IT administrator searched Bing for the software and clicked on the poisoned result, demonstrating how routine operational tasks can become entry points for devastating intrusions.
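The article's remediation point is that installers should come only from the vendor's own distribution channels. The following added example (not code from the article or from ManageEngine) shows a minimal pre-install vetting check of the kind an IT team could put in front of any software download: it rejects hosts that are not on a vendor allowlist, flags brand-squatting hosts that carry the product name without being vendor-owned (the pattern behind opmanager[.]pro), and compares the installer's SHA-256 against a vendor-published digest. The allowlist entry manageengine.com is an assumption standing in for whatever domains the vendor actually publishes, and all sample bytes and digests are constructed.

```python
import hashlib
from urllib.parse import urlparse

# Assumed official vendor domains for the product discussed in the article.
# In practice this list comes from the vendor's published documentation, not from a search result.
VENDOR_DOMAINS = frozenset({"manageengine.com"})

# Product/brand words whose presence in a non-vendor hostname is suspicious.
PRODUCT_KEYWORDS = ("opmanager", "manageengine")


def host_is_vendor(url: str, vendor_domains=VENDOR_DOMAINS) -> bool:
    """True only for https URLs whose host is a vendor domain or a subdomain of one.

    Suffix matching requires the dot, so 'manageengine.com.evil.example' does not pass.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False
    host = (parsed.hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in vendor_domains)


def looks_like_brand_squat(url: str, keywords=PRODUCT_KEYWORDS) -> bool:
    """Hostname contains the product name but is not vendor-owned (lookalike download site)."""
    host = (urlparse(url).hostname or "").lower()
    return any(k in host for k in keywords) and not host_is_vendor(url)


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def vet_installer(url: str, data: bytes, published_sha256):
    """Return (ok, reasons). ok is True only when every check passes.

    published_sha256 is the digest the vendor publishes for the installer; None means
    there is nothing to compare against, which is itself a reason not to proceed.
    """
    reasons = []
    if not host_is_vendor(url):
        reasons.append("host not on vendor allowlist")
        if looks_like_brand_squat(url):
            reasons.append("host uses product name but is not vendor-owned (lookalike)")
    if published_sha256 is None:
        reasons.append("no vendor-published digest to compare")
    elif sha256_of(data) != published_sha256.lower():
        reasons.append("sha256 mismatch against vendor-published digest")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample: a fake installer payload and the digest the vendor would publish for it.
    installer = b"constructed MSI bytes, not a real installer"
    digest = sha256_of(installer)
    for url in ("https://www.manageengine.com/opmanager/ManageEngine_OpManager.msi",
                "https://opmanager.pro/download/ManageEngine_OpManager.msi"):
        ok, why = vet_installer(url, installer, digest)
        print(url, "->", "OK" if ok else "REJECT: " + "; ".join(why))
```

The domain check deliberately refuses http URLs and matches only on a dotted suffix; a hash check alone would not have helped here, because the fraudulent page served its own installer, so the digest has to come from the vendor's site rather than from the page the file was downloaded from.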
Execution and Impact of the Multi-Stage Attack
Once inside the network, the attackers demonstrated careful planning over approximately 44 hours. They established persistent access using AdaptixC2 beacons, created unauthorized domain administrator accounts, and installed remote access software like RustDesk as Windows services. The threat actors extracted over 75GB of sensitive data, including the Active Directory database and Veeam backup credentials, which they exfiltrated to a server in Ukraine.
The final stage involved deploying Akira ransomware across the entire network. The ransomware used Windows Management Instrumentation to delete Volume Shadow Copies before encrypting systems. The attackers returned two days later to encrypt a child domain, ensuring comprehensive damage. This incident highlights the risk of SEO poisoning against enterprise management tools and the importance of verifying software download sources directly through official vendor channels.
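The post-compromise steps the article lists (creating domain administrator accounts, installing RustDesk as a Windows service, deleting Volume Shadow Copies through WMI, and the earlier DLL side-load from a user-writable install directory) each leave a distinct log footprint. The following added example (not code from the article or from any vendor) runs simple detection logic over a handful of constructed, normalized Windows log events: Security 4720/4728 for account creation and privileged-group membership, System 7045 for service installation, Sysmon 1 for process creation and Sysmon 7 for image loads. The event shapes, hostnames, usernames and paths are all constructed; the field names are a simplified normalization, not a specific SIEM schema.

```python
import re
from dataclasses import dataclass

# Constructed sample events (not from the incident), one dict per normalized log record.
SAMPLE_EVENTS = [
    {"source": "Security", "event_id": 4720, "host": "DC01",
     "target_user": "svc_backup2", "subject_user": "CORP\\jdoe"},
    {"source": "Security", "event_id": 4728, "host": "DC01",
     "target_user": "svc_backup2", "group": "Domain Admins", "subject_user": "CORP\\jdoe"},
    {"source": "System", "event_id": 7045, "host": "FS01",
     "service_name": "RemoteSupport", "image_path": "C:\\ProgramData\\rd\\rustdesk.exe --service"},
    {"source": "Sysmon", "event_id": 1, "host": "FS01",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "wmic shadowcopy delete /nointeractive"},
    {"source": "Sysmon", "event_id": 7, "host": "WS42",
     "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\OpManager\\setup.exe",
     "image_loaded": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\OpManager\\helper.dll", "signed": "false"},
    {"source": "Sysmon", "event_id": 1, "host": "WS42",
     "image": "C:\\Windows\\System32\\notepad.exe", "parent_image": "C:\\Windows\\explorer.exe",
     "command_line": "notepad.exe notes.txt"},
]

# Directories an ordinary user can write to; a DLL loaded from here by an installer is worth a look.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\(AppData|Downloads)|ProgramData|Windows\\Temp)\\", re.I)
# Shadow-copy deletion via WMI (wmic / Win32_ShadowCopy) or vssadmin.
SHADOW_DELETE = re.compile(r"shadowcopy\s+delete|win32_shadowcopy|vssadmin.*delete\s+shadows", re.I)
# Remote-access tools the organization has not sanctioned (assumption: RustDesk is unsanctioned here).
UNSANCTIONED_REMOTE_TOOLS = ("rustdesk",)
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def detect(events):
    """Evaluate each event against the rules above and return the list of findings."""
    findings = []
    created_accounts = set()  # 4720 seen earlier in the same stream
    for e in events:
        src, eid, host = e.get("source"), e.get("event_id"), e.get("host", "?")
        if src == "Security" and eid == 4720:
            created_accounts.add(e["target_user"])
        elif src == "Security" and eid == 4728 and e.get("group") in PRIVILEGED_GROUPS:
            tag = "newly created account" if e["target_user"] in created_accounts else "existing account"
            findings.append(Finding("privileged_group_add", host,
                                    f"{e['target_user']} ({tag}) added to {e['group']} by {e['subject_user']}"))
        elif src == "System" and eid == 7045:
            path = e.get("image_path", "").lower()
            if any(tool in path for tool in UNSANCTIONED_REMOTE_TOOLS):
                findings.append(Finding("remote_access_service_install", host,
                                        f"service {e['service_name']} -> {e['image_path']}"))
        elif src == "Sysmon" and eid == 1:
            if SHADOW_DELETE.search(e.get("command_line", "")):
                findings.append(Finding("shadow_copy_deletion", host, e["command_line"]))
        elif src == "Sysmon" and eid == 7:
            dll = e.get("image_loaded", "")
            if USER_WRITABLE.search(dll) and e.get("signed", "").lower() == "false":
                findings.append(Finding("unsigned_dll_from_user_writable_path", host,
                                        f"{e['image']} loaded {dll}"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Correlating the 4720 and 4728 events in one pass is what turns "someone was added to Domain Admins" into the higher-signal "a brand-new account was added to Domain Admins"; the shadow-copy rule is the one most worth alerting on in real time, since it typically precedes encryption by minutes rather than days.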
Source: Cyber Security News
