A new malware strain known as BundleBot has been operating under the radar by taking advantage of .NET single-file deployment techniques, allowing an attacker to obtain sensitive information from a compromised host.
“BundleBot exploits the self-contained format of dotnet bundles (single-file), resulting in very low or no static detection,” Check Point said in a report published this week, adding that the malware is “commonly distributed via Facebook ads and compromised accounts, leading to websites disguised as regular program utilities, AI tools and games.”
Some of these websites aim to mimic Google’s conversational generative AI chatbot, Google Bard, luring victims into downloading a fake RAR archive (“Google_AI.rar”) hosted on legitimate cloud storage services such as Dropbox.
Extracting the archive yields an executable (“GoogleAI.exe”), a .NET single-file self-contained application that embeds a DLL (“GoogleAI.dll”) whose role is to retrieve password-protected ZIP archives from Google Drive.
The extracted contents of the ZIP file (“ADSNEW-18.104.22.168.zip”) are another .NET single-file self-contained application (“RiotClientServices.exe”) that incorporates the BundleBot payload (“RiotClientServices.dll”) and a command-and-control (C2) packet data serializer (“LirarySharing.dll”).
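The single-file bundle layout both samples rely on is public (it is the dotnet/runtime host format), so a defender can regain the static visibility the Check Point quote above says is missing. The following script is an added example, not code from the report or from the malware: it recognises a bundle by its marker and lists the embedded files with their types and offsets, and the bundle image it parses is constructed inside the script rather than taken from a real sample.

```python
# Added example (not Check Point's code): parse the public .NET single-file bundle layout.
import hashlib
import struct
# Each apphost holds a 32-byte marker (SHA-256 of ".net core bundle") preceded by an
# 8-byte header offset that is patched to a non-zero value only when it is a bundle.
BUNDLE_MARKER = hashlib.sha256(b".net core bundle").digest()
FILE_TYPES = {1: "assembly", 2: "native", 3: "deps.json", 4: "runtimeconfig.json", 5: "symbols"}
def _read_string(buf, pos):  # BinaryWriter string: 7-bit-encoded byte length, then UTF-8
    length, shift = 0, 0
    while True:
        b, pos = buf[pos], pos + 1
        length |= (b & 0x7F) << shift
        if not b & 0x80:
            return buf[pos:pos + length].decode("utf-8"), pos + length
        shift += 7

def parse_bundle(data):
    """Return (bundle_id, [(path, type, offset, size)]) or None if not a bundle."""
    idx = data.find(BUNDLE_MARKER)
    header_off = struct.unpack_from("<Q", data, idx - 8)[0] if idx >= 8 else 0
    if header_off == 0 or header_off >= len(data):
        return None  # no marker, or marker left unpatched (an ordinary apphost)
    major, _minor, count = struct.unpack_from("<IIi", data, header_off)
    bundle_id, pos = _read_string(data, header_off + 12)
    if major >= 2:
        pos += 40  # deps.json and runtimeconfig.json locations (4 x int64) + flags
    entries = []
    for _ in range(count):
        offset, size = struct.unpack_from("<qq", data, pos)
        pos += 24 if major >= 6 else 16  # v6+ adds an int64 compressed size
        ftype, pos = data[pos], pos + 1
        path, pos = _read_string(data, pos)
        entries.append((path, FILE_TYPES.get(ftype, "unknown"), offset, size))
    return bundle_id, entries

def build_sample_bundle(files, major=6):
    """Constructed test image (fake MZ stub, not a real PE) in bundle layout."""
    body = bytearray(b"MZ" + b"\0" * 30 + b"\0" * 8 + BUNDLE_MARKER)
    marker_at, entries = len(body) - 32, []
    for path, ftype, content in files:
        entries.append((path, ftype, len(body), len(content)))
        body += content
    header_off = len(body)
    body += struct.pack("<IIi", major, 0, len(entries)) + b"\x0bdemo-bundle"
    body += struct.pack("<qqqqQ", 0, 0, 0, 0, 0) if major >= 2 else b""
    for path, ftype, off, size in entries:
        body += struct.pack("<qq", off, size) + (b"\0" * 8 if major >= 6 else b"")
        body += bytes([ftype, len(path)]) + path.encode()  # paths under 128 bytes
    struct.pack_into("<Q", body, marker_at - 8, header_off)
    return bytes(body)
```

Run `parse_bundle(open(path, "rb").read())` against a suspect apphost; the returned entry list shows which assemblies are packed inside without extracting or executing anything.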
“The assembly RiotClientServices.dll is a custom new stealer/bot that uses the library LirarySharing.dll to process and serialize packet data sent to the C2 as part of the bot communication,” said the Israeli cybersecurity firm.
The binary artifact employs custom obfuscation and junk code to hinder analysis, and has the ability to siphon data from web browsers, capture screenshots, and retrieve Discord tokens, Telegram data and Facebook account details.
Check Point said it also detected a second BundleBot sample that was virtually identical in all respects, except for the use of HTTPS to exfiltrate the information in the form of a ZIP archive to a remote server.
“Facebook ads and delivery methods via compromised accounts have been exploited by threat actors for some time, but combined with one of the revealed malware’s features (stealing victims’ Facebook account information), they can serve as a tricky self-feeding routine,” the company noted.
The development comes as Malwarebytes uncovered a new campaign that uses sponsored posts and compromised verified accounts impersonating Facebook Ads Manager to trick users into downloading a malicious Google Chrome extension designed to steal their Facebook login credentials.
Users who click the embedded link are prompted to download a RAR archive containing an MSI installer. The installer runs a batch script that opens a new Google Chrome window with the malicious extension loaded via the “--load-extension” flag:

start chrome.exe --load-extension="%~dp0/nmmhkkegccagdldgiimedpiccmgmiedagg4" "https://www.facebook.com/business/tools/ads-manager"
“The custom extension is cleverly disguised as Google Translate and is considered ‘unpacked’ because it was loaded from the local computer instead of the Chrome Web Store,” said Jerome Segura, Director of Threat Intelligence at Malwarebytes.
Captured data is sent out through the Google Analytics API, which lets the extension get around the Content Security Policy (CSP) put in place to mitigate cross-site scripting (XSS) and data injection attacks.
The attackers behind this activity are suspected to be of Vietnamese origin and have shown strong interest in targeting Facebook business and advertising accounts in recent months. More than 800 victims are affected worldwide, 310 of them in the United States.
“Scammers have plenty of time and have spent years studying and understanding how to exploit social media and cloud platforms, where there is a constant arms race to keep the bad guys out,” Segura said. “Remember that there is no silver bullet, and a story that sounds too good is very likely a fraud.”