A new malware strain known as BundleBot has stealthily operated under the radar by exploiting .NET single-file deployment techniques that enable threat actors to capture sensitive information from compromised hosts.
“BundleBot abuses the dotnet bundle (single-file), self-contained format resulting in very low or no static detection,” Check Point said in a report published this week, adding that it is “commonly distributed via Facebook ads and compromised accounts, leading to websites masquerading as common software tools, AI tools and games.”
Some of these sites aim to mimic Google Bard, Google’s conversational generative artificial intelligence chatbot, and lure victims into downloading a fake RAR archive (“Google_AI.rar”) hosted on legitimate cloud storage services such as Dropbox.
The archive file, when extracted, contains an executable (“GoogleAI.exe”) that is a .NET single-file, standalone application, which in turn incorporates a DLL file (“GoogleAI.dll”) whose responsibility is to retrieve a password-protected ZIP archive from Google Drive.
The ZIP file (“ADSNEW-220.127.116.11.zip”) extracts to another .NET single-file, standalone application (“RiotClientServices.exe”) that incorporates the BundleBot payload (“RiotClientServices.dll”) and a command-and-control (C2) bundle data serializer (“LirarySharing.dll”).
“The RiotClientServices.dll assembly is a custom, novel stealer/bot that uses the LirarySharing.dll library to process and serialize the packet data sent to C2 as part of bot communication,” the Israeli cybersecurity firm said.
The binary artifacts employ custom obfuscation and spam code in an attempt to resist analysis, and come with capabilities to retrieve data from web browsers, capture screenshots, grab Discord tokens, information from Telegram, and Facebook account information.
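Because the single-file bundle format is what lets these artifacts slip past static detection, a defender’s first triage step is to recognise the format itself. The following Python script is an added example and is not code from Check Point or from the malware; it assumes the public dotnet/runtime apphost layout, in which a 40-byte marker (an 8-byte little-endian bundle header offset followed by SHA-256 of “.net core bundle”) is patched into the executable, and the header begins with major version, minor version, embedded-file count and a length-prefixed bundle ID. The sample input is constructed inline, not a real binary.

```python
import hashlib
import struct
from typing import Optional

# Assumption (from the public apphost source): the marker is 8 bytes of header
# offset followed by SHA-256(".net core bundle"). Non-bundled apphosts keep the
# offset at zero, so a present signature alone does not mean "bundle".
BUNDLE_SIGNATURE = hashlib.sha256(b".net core bundle").digest()

def find_bundle_header(data: bytes) -> Optional[int]:
    """Return the manifest header offset if `data` looks like a .NET
    single-file bundle, otherwise None (including the zero-offset case)."""
    pos = data.find(BUNDLE_SIGNATURE)
    if pos < 8:
        return None
    (offset,) = struct.unpack_from("<q", data, pos - 8)
    if offset <= 0 or offset >= len(data):
        return None
    return offset

def parse_bundle_header(data: bytes) -> Optional[dict]:
    """Parse the start of the bundle manifest: versions, file count and the
    bundle ID, which BinaryWriter stores with a 7-bit encoded length prefix."""
    offset = find_bundle_header(data)
    if offset is None:
        return None
    major, minor, count = struct.unpack_from("<IIi", data, offset)
    pos = offset + 12
    length, shift = 0, 0
    while True:  # decode the 7-bit varint length prefix
        b = data[pos]
        pos += 1
        length |= (b & 0x7F) << shift
        if not b & 0x80:
            break
        shift += 7
    bundle_id = data[pos:pos + length].decode("utf-8", "replace")
    return {"major": major, "minor": minor, "files": count, "bundle_id": bundle_id}

def build_sample(file_count: int = 3) -> bytes:
    """Constructed sample, not a real binary: fake PE prefix, then the marker,
    then a minimal manifest header placed directly after the marker."""
    prefix = b"MZ" + b"\x00" * 62
    header = struct.pack("<IIi", 6, 0, file_count) + bytes([10]) + b"abcdefghij"
    marker = struct.pack("<q", len(prefix) + 40) + BUNDLE_SIGNATURE
    return prefix + marker + header

if __name__ == "__main__":
    print(parse_bundle_header(build_sample()))
```

Run against a real file with `parse_bundle_header(open(path, "rb").read())`; a non-None result identifies a bundle worth unpacking before static analysis, which is the step this format is designed to make analysts skip.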
Check Point said it also discovered another BundleBot sample that is virtually identical in every aspect except for the use of HTTPS to exfiltrate the information to a remote server in the form of a ZIP archive.
The use of Google Bard lures should come as no surprise, given that the popularity of such AI tools has been capitalized on by cybercriminals in recent months to trick users on platforms like Facebook into unwittingly downloading a variety of information-stealing malware such as Doenerium.
“The delivery method via Facebook ads and compromised accounts is something that has been abused by threat actors for a while, but still combining it with one of the capabilities of the disclosed malware (to steal a victim’s Facebook account information) can serve as a difficult self-feeding routine,” the company noted.
The development comes as Malwarebytes uncovered a new campaign that uses sponsored posts and compromised verified accounts impersonating Facebook Ads Manager to lure users into downloading rogue Google Chrome extensions designed to steal Facebook login credentials.
Users who click on the embedded link are prompted to download a RAR archive file containing an MSI installer file, which in turn launches a batch script to create a new Google Chrome window with the malicious extension loaded using the “--load-extension” flag:
start chrome.exe --load-extension="%~dp0/nmmhkkegccagdldgiimedpiccmgmiedagg4"
“The custom extension is cleverly disguised as Google Translate and is considered ‘Unwrapped’ because it was loaded from the local computer, rather than the Chrome Web Store,” explained Jérôme Segura, director of threat intelligence at Malwarebytes, noting that it is “completely focused on Facebook and grabs key pieces of information that might allow an attacker.”
The collected data is subsequently sent using the Google Analytics API to circumvent content security policies (CSPs) put in place to mitigate cross-site scripting (XSS) and data injection attacks.
The threat actors behind the activity are suspected to be of Vietnamese origin and have in recent months shown an acute interest in targeting Facebook business and advertising accounts. Over 800 victims worldwide have been affected, of which 310 are located in the United States.
“Fraudsters have a lot of time on their hands and spend years studying and understanding how to abuse social media and cloud platforms, where it’s a constant arms race to keep bad actors out,” Segura said. “Remember there is no silver bullet and anything that sounds too good to be true may very well be a scam in disguise.”