Sophisticated BundleBot malware disguised as a Google AI chatbot and utility

July 21, 2023 | THN | Computer threats/malware


A new strain of malware known as BundleBot has been operating stealthily under the radar by leveraging .NET single-file distribution techniques, allowing threat actors to acquire sensitive information from compromised hosts.

“BundleBot is abusing the dotnet bundle (single file), standalone format resulting in very little or no static detection,” Check Point said in a report released this week, adding that it is “commonly distributed via Facebook ads and compromised accounts leading to websites masquerading as regular utilities, AI tools, and games.”

Some of these websites aim to mimic Google Bard, the company’s conversational generative AI chatbot, which tricks victims into downloading a fake RAR archive (“Google_AI.rar”) hosted on legitimate cloud storage services such as Dropbox.

The archive, when unpacked, contains an executable (“GoogleAI.exe”), a .NET single-file standalone application that embeds a DLL (“GoogleAI.dll”) whose job is to retrieve a password-protected ZIP archive from Google Drive.

The extracted contents of the ZIP file (“ADSNEW-1.0.0.3.zip”) are another .NET single-file standalone application (“RiotClientServices.exe”) that incorporates the BundleBot payload (“RiotClientServices.dll”) and a command-and-control (C2) packet data serializer (“LirarySharing.dll”).

“The RiotClientServices.dll assembly is a new custom stealer/bot that uses the LirarySharing.dll library to process and serialize packet data that is sent to C2 as part of bot communication,” the Israeli cybersecurity firm said.

The binary artifacts use custom obfuscation and junk code in an effort to resist analysis, and are equipped with capabilities to steal data from web browsers, take screenshots, grab Discord tokens, information from Telegram, and Facebook account details.

Check Point said it also found a second BundleBot sample that was virtually identical in all respects, except that it used HTTPS to exfiltrate information to a remote server in the form of a ZIP archive.

“The method of delivery via Facebook Ads and compromised accounts is something that has been abused for some time by threat actors, yet combining it with one of the disclosed malware’s capabilities (to steal a victim’s Facebook account information) could serve as a complicated self-feeding routine,” the company noted.


The development comes as Malwarebytes uncovered a new campaign that uses sponsored posts and compromised verified accounts impersonating Facebook Ads Manager to trick users into downloading rogue Google Chrome extensions designed to steal Facebook login information.

Users clicking the embedded link are prompted to download a RAR archive containing an MSI installer which, in turn, launches a batch script that opens a new Google Chrome window with the malicious extension loaded via the “--load-extension” flag:

```bat
start chrome.exe --load-extension="%~dp0/nmmhkkegccagdldgiimedpiccmgmiedagg4" "https://www.facebook.com/business/tools/ads-manager"
```


“That custom extension is cleverly disguised as Google Translate and is considered ‘Unpacked’ because it was loaded from your local computer, rather than from the Chrome Web Store,” explained Jérôme Segura, director of threat intelligence at Malwarebytes, noting that it is “entirely focused on Facebook and gathering important information that could allow an attacker to gain access to your accounts.”

The captured data is then sent using the Google Analytics API, which lets the extension bypass content security policies (CSP) that sites put in place to mitigate cross-site scripting (XSS) attacks and data injection.
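The loader batch script above gives defenders a concrete process-creation signature: chrome.exe started by a script host with an unpacked extension pulled from a relative or user-writable directory and a Facebook start URL. The following triage logic is an added example (not code from Malwarebytes or Check Point) that scores Sysmon-style events with the assumed fields Image, ParentImage and CommandLine; all sample events are constructed.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'chrome.exe --load-extension="%~dp0/nmmhkkegccagdldgiimedpiccmgmiedagg4" "https://www.facebook.com/business/tools/ads-manager"'},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'chrome.exe --load-extension=C:\dev\myext "https://localhost:3000"'},  # developer testing an extension
]

# --load-extension accepts a comma-separated list, optionally quoted.
LOAD_EXT_RE = re.compile(r'--load-extension=(?:"([^"]*)"|(\S+))', re.IGNORECASE)
SCRIPT_PARENTS = {"cmd.exe", "msiexec.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\appdata\\roaming\\")

def load_extension_paths(cmdline):
    """Return the directories passed to --load-extension, or [] if absent."""
    m = LOAD_EXT_RE.search(cmdline)
    if not m:
        return []
    raw = m.group(1) if m.group(1) is not None else m.group(2)
    return [p for p in raw.split(",") if p]

def score_event(event):
    """Score a chrome.exe launch: 0 = no unpacked extension, higher = more loader-like."""
    if event["Image"].rsplit("\\", 1)[-1].lower() != "chrome.exe":
        return 0, []
    paths = load_extension_paths(event["CommandLine"])
    if not paths:
        return 0, []
    score, reasons = 1, ["unpacked extension loaded via --load-extension"]
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    if parent in SCRIPT_PARENTS:
        score, reasons = score + 1, reasons + [f"launched by script host {parent}"]
    for p in paths:
        pl = p.lower()
        if "%~dp0" in pl or pl.startswith(".") or any(w in pl for w in USER_WRITABLE):
            score, reasons = score + 1, reasons + [f"extension dir is relative or user-writable: {p}"]
            break
    if "facebook.com" in event["CommandLine"].lower():
        score, reasons = score + 1, reasons + ["start URL points at facebook.com"]
    return score, reasons

def triage(events, threshold=2):
    """Return (command line, score, reasons) for events at or above the threshold."""
    hits = []
    for e in events:
        s, r = score_event(e)
        if s >= threshold:
            hits.append((e["CommandLine"], s, r))
    return hits
```

A single --load-extension launch is ordinary for extension developers, which is why only the combination of indicators crosses the threshold.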

The threat actors behind the activity are suspected to be of Vietnamese origin and have shown a keen interest in targeting Facebook business and advertising accounts in recent months. Over 800 victims were affected worldwide, including 310 in the United States.

“Scammers have a lot of time on their hands and they spend years studying and understanding how to abuse social media and cloud platforms, where it’s a constant arms race to keep the bad guys out,” Segura said. “Remember that there is no such thing as a silver bullet and anything that sounds too good to be true could very well be a scam in disguise.”

Image source: thehackernews.com