A novel malware variant termed BundleBot has been quietly operating undetected, leveraging .NET single-file deployment techniques that allow cybercriminals to harvest sensitive data from infected systems.
“BundleBot is exploiting the dotnet bundle (single-file), self-contained format resulting in very minimal or entirely zero static detection,” according to a recent report by Check Point, additionally stating that it is “frequently disseminated through Facebook Ads and compromised accounts which direct to sites posing as regular software utilities, AI resources, and gaming platforms.”
Several of these websites are designed to replicate Google Bard, the corporation’s conversational AI chatbot, luring victims to download a counterfeit RAR file (“Google_AI.rar”) hosted on reputable cloud storage platforms like Dropbox.
When extracted, the archive contains an executable (“GoogleAI.exe”), a .NET single-file, self-contained application that in turn embeds a DLL (“GoogleAI.dll”) tasked with retrieving a password-protected ZIP file from Google Drive.
The unpacked content of the ZIP file (“ADSNEW-1.0.0.3.zip”) is another .NET single-file, self-contained application (“RiotClientServices.exe”) that embeds the BundleBot payload (“RiotClientServices.dll”) and a command-and-control (C2) packet data serializer (“LirarySharing.dll”).
“The component RiotClientServices.dll is a custom, novel stealer/bot that utilizes the library LirarySharing.dll to process and serialize the packet data that are being transmitted to C2 as part of the bot communication,” the Israeli cybersecurity firm said.
The binaries use custom obfuscation and junk code in an attempt to resist analysis and are capable of extracting data from web browsers, taking screenshots, stealing Discord tokens, and gathering information from Telegram and Facebook accounts.
Check Point also identified a second BundleBot variant that is virtually identical in all elements except the implementation of HTTPS for data exfiltration to a remote server in the form of a ZIP archive.
“The distribution method via Facebook Ads and compromised accounts has been exploited by cybercriminals for some time, yet coupling it with one of the capabilities of the discovered malware (to pilfer a victim’s Facebook account details) could act as a deceptive self-sustaining cycle,” the firm observed.
The revelation comes in the wake of a new campaign discovered by Malwarebytes that uses sponsored posts and hijacked verified accounts impersonating Facebook Ads Manager to bait users into downloading rogue Google Chrome extensions designed to steal Facebook login data.
Users who click on the embedded link are prompted to download a RAR archive containing an MSI installer which, in turn, triggers a batch script that opens a new Google Chrome window with the malicious extension loaded via the “--load-extension” flag:
start chrome.exe --load-extension="%~dp0/nmmhkkegccagdldgiimedpiccmgmiedagg4"
“This custom extension is smartly camouflaged as Google Translate and is classified ‘Unpacked’ since it was loaded from the local machine, rather than the Chrome Web Store,” Jérôme Segura, director of threat intelligence at Malwarebytes, explained, pointing out that it is “entirely concentrated on Facebook and stealing valuable pieces of information that could enable an attacker to gain access to accounts.”
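The “--load-extension” launch described above is something a defender can look for in process-creation telemetry: a browser started by a script host with an unpacked extension directory, especially one sitting under a user-writable location. The following is an added detection example written for this article, not code from Malwarebytes or Check Point; the event records and the “C:\Users\alice\...” paths are constructed sample data (the extension folder name is the one quoted in the article), and the field names (pid, parent_image, image, command_line) are an assumed simplification of what EDR or Sysmon process-creation events carry.

```python
import re
from pathlib import PureWindowsPath

# One --load-extension=<value> argument. The value may be quoted and may list
# several directories separated by commas.
LOAD_EXT_RE = re.compile(r'--load-extension=(?:"([^"]+)"|(\S+))', re.IGNORECASE)

# Chromium-based browsers that honour --load-extension.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe"}
# Parent processes that indicate a scripted rather than interactive launch
# (the article's case: a batch script run from an MSI installer).
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "msiexec.exe"}
# Path fragments that point at user-writable staging locations.
USER_WRITABLE_HINTS = ("\\temp\\", "\\downloads\\", "\\appdata\\")


def load_extension_dirs(command_line):
    """Return every directory passed via --load-extension on a command line."""
    dirs = []
    for quoted, bare in LOAD_EXT_RE.findall(command_line):
        value = quoted or bare
        dirs.extend(d for d in value.split(",") if d)
    return dirs


def find_sideloaded_extensions(events):
    """Flag browser launches that load unpacked extensions from disk.

    Each event is a dict with pid, parent_image, image and command_line
    (assumed field names). Returns one finding per matching event.
    """
    findings = []
    for ev in events:
        image = PureWindowsPath(ev["image"]).name.lower()
        if image not in BROWSER_IMAGES:
            continue
        dirs = load_extension_dirs(ev["command_line"])
        if not dirs:
            continue
        parent = PureWindowsPath(ev["parent_image"]).name.lower()
        findings.append({
            "pid": ev["pid"],
            "browser": image,
            "parent": parent,
            "extension_dirs": dirs,
            # A script host spawning the browser is the pattern from the article.
            "scripted_launch": parent in SCRIPT_HOSTS,
            # Extensions staged under Temp/Downloads/AppData deserve a closer look.
            "user_writable_dir": any(h in d.lower() for d in dirs for h in USER_WRITABLE_HINTS),
        })
    return findings


# Constructed sample events: one scripted sideload, one benign launch, one
# developer-style launch of two unpacked extensions from a dev folder.
SAMPLE_EVENTS = [
    {"pid": 4120,
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": r'chrome.exe --load-extension="C:\Users\alice\AppData\Local\Temp\ads\nmmhkkegccagdldgiimedpiccmgmiedagg4"'},
    {"pid": 4188,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'},
    {"pid": 5012,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=C:\dev\myext,C:\dev\other'},
]

if __name__ == "__main__":
    for finding in find_sideloaded_extensions(SAMPLE_EVENTS):
        print(finding)
```

Both launches with an unpacked extension are reported, but only the first combines a script-host parent with a directory under AppData\Local\Temp, which is the combination worth alerting on; the developer-style launch from explorer.exe is returned with both flags false so an analyst can triage it rather than have it silently dropped.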