RVTools Compromised in Supply Chain Attack Distributing Bumblebee Malware
The official website of RVTools, a VMware management tool, has fallen victim to a supply chain attack, serving a compromised installer that delivers the Bumblebee malware loader to users' systems.
Currently, the official websites, rvtools.com and robware.net, are offline, displaying warnings against downloading the utility from unverified sources. The notice on the sites does not provide a timeline for when they will be restored, stating, “We are working expeditiously to restore service and appreciate your patience.” It emphasizes that these two domains are the only authorized platforms for downloading RVTools software, cautioning users to avoid any other sources.
RVTools, originally created by Robware and now maintained by Dell, is a critical utility for Windows that offers extensive inventory and health reporting for VMware vSphere environments. Its importance in the VMware administration space has been acknowledged widely, including recognition from VMware’s Virtual Blocks Blog.
The supply chain attack was identified by Aidan Leon, a researcher at ZeroDay Labs, who discovered that the installer downloaded from the official RVTools site attempted to execute a malicious version.dll associated with the Bumblebee malware loader (version.dll is a common DLL sideloading target, since many Windows programs load it by name from their own directory). Further investigation revealed that the hash of the downloaded file did not match the expected hash published on the RVTools site; the malicious file was also significantly larger and matched none of the documented hashes of previous versions.
Notably, after the researcher submitted the malicious file to VirusTotal, public reports of the compromise surged, and shortly thereafter the RVTools website went offline. When it returned, the download's file size and hash once again matched the clean version.
Bumblebee is a malware loader that is typically distributed through SEO poisoning, malvertising, and phishing. Once installed, it can download and execute further payloads, including Cobalt Strike beacons and ransomware. The loader has previously been linked to the Conti ransomware group, which used it to gain initial access to corporate networks. Following Conti's shutdown in 2022, several of its members have continued their activities under new ransomware operations.
Recent reports from cybersecurity firm Arctic Wolf indicate that the compromised RVTools installers were being distributed through malicious typosquatted domains, taking advantage of SEO manipulation or online advertising. These domains closely resemble the legitimate RVTools website, substituting the .com TLD with .org.
Additionally, there have been multiple reports of SEO poisoning and malvertising campaigns designed to lure users into downloading these tainted RVTools installers. Anyone who downloaded RVTools from an unofficial source during this period is at risk of a Bumblebee infection and of whatever follow-on payloads it fetched.
Organizations that see any indication of infection should investigate their networks thoroughly. An RVTools installer obtained from anywhere other than the official sites should not be run until its hash has been checked against the one published on rvtools.com or robware.net, and a mismatch in hash or file size should be treated as a compromised download.
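The hash and size discrepancy that exposed the tampered installer, and the verification step recommended above, come down to a check administrators can script before running any download. The following PowerShell is an added example written for this page; it is not code from the article, from ZeroDay Labs, or from Robware/Dell. The installer path, the expected SHA-256 value, and the RVTools install directory it scans are placeholders and assumptions; take the real hash from the official download page. Besides comparing the hash, it reports file size and Authenticode status and looks for a version.dll in the download folder and the (assumed) install directory, since that was the sideloaded file in this incident.

```powershell
# Added example, not from the original article or from Robware/Dell.
# Verifies a downloaded RVTools installer against a published SHA-256 and
# flags a version.dll sitting where RVTools could sideload it.
param(
    # Placeholder path and hash: replace with your download and the hash
    # published on rvtools.com / robware.net.
    [string]$InstallerPath  = "$env:USERPROFILE\Downloads\RVTools.msi",
    [string]$ExpectedSha256 = "0000000000000000000000000000000000000000000000000000000000000000",
    # Assumed install location; adjust if your deployment differs.
    [string[]]$SideloadDirs = @("${env:ProgramFiles(x86)}\Dell\RVTools")
)

function Test-RVToolsInstaller {
    param(
        [string]$Path,
        [string]$Expected,
        [string[]]$ExtraDirs = @()
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Installer not found: $Path"
        return $false
    }

    $file   = Get-Item -LiteralPath $Path
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    Write-Host ("File:      {0}" -f $file.FullName)
    Write-Host ("Size:      {0:N0} bytes" -f $file.Length)
    Write-Host ("SHA-256:   {0}" -f $actual)

    # Get-FileHash returns upper-case hex; compare case-insensitively.
    $hashOk = $actual -ieq $Expected
    if (-not $hashOk) {
        Write-Warning "Hash mismatch. Expected: $Expected"
    }

    # Informational: a tampered MSI is usually unsigned or has a broken signature.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    Write-Host ("Signature: {0} {1}" -f $sig.Status, $signer)

    # Look for a version.dll next to the installer and in the install directory.
    $dirs = @($file.DirectoryName) + $ExtraDirs
    foreach ($dir in $dirs) {
        $candidate = Join-Path $dir 'version.dll'
        if (Test-Path -LiteralPath $candidate) {
            $dllHash = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
            Write-Warning "Found version.dll at $candidate (SHA-256 $dllHash); investigate before running RVTools."
        }
    }

    return $hashOk
}

if (Test-RVToolsInstaller -Path $InstallerPath -Expected $ExpectedSha256 -ExtraDirs $SideloadDirs) {
    Write-Host 'Installer matches the published hash.'
} else {
    Write-Host 'Do NOT run this installer. Re-download from rvtools.com or robware.net and verify again.'
    exit 1
}
```

The verdict is driven by the hash alone, because that is what the official site publishes; the signature status and any version.dll hits are printed so an analyst can act on them, but are not assumed to be conclusive on their own. If a version.dll is already present in the install directory on a machine where RVTools was installed during the compromise window, treat that host as a candidate Bumblebee infection and collect the DLL's hash for your incident response process rather than deleting it.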
Inquiries have been made to Dell regarding the supply chain attack, and updates will be provided as more information becomes available.