Official forum for Utopia Community

#1 2023-07-21 13:51:27


BundleBot Malware Disguised as a Google AI Chatbot and Utilities

A new malware, BundleBot, uses .NET single-file deployment techniques to operate under the radar, allowing threat actors to capture sensitive information from infected hosts.

"BundleBot abuses dotnet bundles (a single file), a self-contained format that results in very low or no static detection," Check Point said in a report this week, adding that it "is often distributed through Facebook ads and compromised accounts, resulting in websites masquerading as common software tools, artificial intelligence, and games."

Some of these sites are designed to mimic Google Bard, the company's conversation-generating AI chatbot, tricking victims into downloading fake RAR archives ("Google_AI.rar") hosted on legitimate cloud storage services like Dropbox. The extracted archive contains an executable file ("GoogleAI.exe"), a self-contained .NET single-file application that in turn contains a DLL file ("GoogleAI.dll") responsible for retrieving a password-protected ZIP archive from Google Drive.

The ZIP file ("ADSNEW-") extracts to another standalone .NET single-file application ("RiotClientServices.exe") that contains the BundleBot payload ("RiotClientServices.dll") and the Command and Control (C2) suite ("Lidll.seriali" dataset). "The RiotClientServices.dll assembly is a custom new stealer/bot that uses the LirarySharing.dll library to process and serialize packet data sent to the C2 as part of the bot's communications," the Israeli cybersecurity firm said.

These binaries use custom obfuscation and junk code to resist analysis and have the ability to steal data from web browsers, capture screenshots, and harvest Discord tokens, Telegram messages and Facebook account information. Check Point said it also discovered another BundleBot sample that was nearly identical in every way, except that it used HTTPS to exfiltrate the collected information, packed in a ZIP archive, to a remote server.

"The delivery method using Facebook ads and hacked accounts has been abused by threat actors for some time, but combining it with some of the capabilities of open malware (to steal victims' Facebook account information) can become a complex self-feeding routine," the company said.

[Figure: Google AI chatbots and utilities]

Meanwhile, Malwarebytes has discovered a new campaign that uses sponsored posts and compromised verified accounts to impersonate Facebook's ad manager, tricking users into downloading a rogue Google Chrome extension designed to steal Facebook logins.

Users who click the embedded link are prompted to download a RAR archive containing an MSI installer that runs a batch script, which launches a new Google Chrome window that loads the malicious extension using the "--load-extension" flag:

start chrome.exe --load-extension="%~dp0/nmmhkkegccagdldgiimedpiccmgmiedagg4" "https://www.facebook.com/business/tools/ads-manager"

Jerome Segura, director of threat intelligence at Malwarebytes, explained: "The custom extension is cleverly disguised as Google Translate and is considered 'unpackaged' because it is loaded from the local computer and not from the Chrome Web Store." He noted that the extension "focuses only on Facebook and captures important information that could allow a hacker to log into the account."

The collected data is then exfiltrated through the Google Analytics API to get around the Content Security Policy (CSP) put in place to mitigate cross-site scripting (XSS) and data injection attacks. The perpetrators of the campaign are believed to be of Vietnamese origin and have shown a strong interest in Facebook business and advertising accounts in recent months. More than 800 victims were affected worldwide, 310 of which were in the United States.

"Fraudsters have spent a lot of time, years, researching and understanding how to abuse social media and cloud platforms where there is an arms race to keep the bad actors out," Segura said. "Remember there is no silver bullet and anything that sounds too good to be true is probably a scam in disguise."
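As an added example (not from the post, Check Point or Malwarebytes), a small Python triage check for the .NET single-file bundle format the article says BundleBot abuses: it looks for the apphost's bundle marker and lists the embedded files, so a "GoogleAI.exe"-style binary can be inspected statically even when antivirus has no signature for it. The layout follows the dotnet/runtime bundle header definitions as I know them (an assumption to verify against the runtime sources), and the sample bundle is constructed in the block, not a real artifact.

```python
import hashlib
import struct

# The apphost finds its bundle through bundle_marker_t: an int64 header offset followed by
# the SHA-256 of ".net core bundle" (dotnet/runtime). An unbundled apphost has offset 0.
BUNDLE_SIGNATURE = hashlib.sha256(b".net core bundle").digest()
FILE_TYPES = {1: "Assembly", 2: "NativeBinary", 3: "DepsJson", 4: "RuntimeConfigJson", 5: "Symbols"}

def _read_string(buf, pos):  # 7-bit length-prefixed string, as BinaryWriter.Write(string)
    length = shift = 0
    while True:
        b, pos = buf[pos], pos + 1
        length |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return buf[pos:pos + length].decode("utf-8"), pos + length

def parse_bundle(data):
    """Return None if data is not a single-file bundle, else its version, id and manifest."""
    idx = data.find(BUNDLE_SIGNATURE)
    if idx < 8:
        return None
    header_off = struct.unpack_from("<q", data, idx - 8)[0]
    if not 0 < header_off < len(data):
        return None  # signature present but offset 0: plain apphost, nothing bundled
    major, minor, count = struct.unpack_from("<IIi", data, header_off)
    bundle_id, pos = _read_string(data, header_off + 12)
    if major >= 2:
        pos += 40  # deps.json and runtimeconfig.json locations (offset, size) plus flags
    files = []
    for _ in range(count):
        fmt = "<qqqB" if major >= 6 else "<qqB"  # v6 added a compressed-size field
        fields = struct.unpack_from(fmt, data, pos)
        path, pos = _read_string(data, pos + struct.calcsize(fmt))
        files.append({"path": path, "offset": fields[0], "size": fields[1],
                      "type": FILE_TYPES.get(fields[-1], "Unknown")})
    return {"version": f"{major}.{minor}", "bundle_id": bundle_id, "files": files}

def build_sample_bundle():
    """Constructed stand-in for a v6 bundle (not a real artifact); exercises the layout only."""
    s = lambda t: bytes([len(t)]) + t.encode()
    body = b"MZ" + b"\x00" * 30 + b"fake apphost code"
    dll, cfg = b"MZ-fake-assembly", b'{"runtimeOptions":{}}'
    dll_off, body = len(body), body + dll
    cfg_off, body = len(body), body + cfg
    header_off = len(body)
    body += struct.pack("<IIi", 6, 0, 2) + s("sample-bundle-id")
    body += struct.pack("<qqqqq", 0, 0, cfg_off, len(cfg), 0)
    body += struct.pack("<qqqB", dll_off, len(dll), 0, 1) + s("GoogleAI.dll")
    body += struct.pack("<qqqB", cfg_off, len(cfg), 0, 4) + s("GoogleAI.runtimeconfig.json")
    return body + struct.pack("<q", header_off) + BUNDLE_SIGNATURE
```

Embedded assemblies reported by parse_bundle can be carved out by offset and size and scanned separately, which is where the "low or no static detection" of the outer file stops helping the attacker.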

