A new malware strain known as BundleBot has been quietly operating under the radar by taking advantage of the .NET single-file deployment technique, allowing threat actors to capture sensitive information from compromised hosts.
“BundleBot abuses dotnet bundle (single file), standalone format resulting in very low or no static detection,” Check Point said in a report published this week, adding it “is typically distributed via Facebook Ads and compromised accounts leading to websites posing as regular program utilities, AI tools, and games.”
Some of these websites aim to impersonate Google Bard, the enterprise conversational generative artificial intelligence chatbot, inducing victims to download fake RAR archives (“Google_AI.rar”) hosted on legitimate cloud storage services such as Dropbox.
The archive, when unpacked, contains an executable (“GoogleAI.exe”), a single-file, standalone .NET application that in turn embeds a DLL (“GoogleAI.dll”) responsible for retrieving a password-protected ZIP archive from Google Drive.
The content extracted from the ZIP file (“ADSNEW-184.108.40.206.zip”) is another single-file, standalone .NET application (“RiotClientServices.exe”) that bundles the BundleBot payload (“RiotClientServices.dll”) with the command-and-control (C2) packet data serializer (“LirarySharing.dll”).
“The RiotClientServices.dll assembly is a new custom stealer/bot that uses the LirarySharing.dll library to process and serialize data packets sent to C2 as part of bot communications,” the Israeli cybersecurity firm said.
The binaries use specially crafted disguises and junk code to resist analysis, and can siphon data from web browsers, capture screenshots, retrieve Discord tokens, Telegram information, and Facebook account details.
Check Point said it also detected a second BundleBot sample that was nearly identical in all respects except that it used HTTPS to exfiltrate the collected information to a remote server as a ZIP archive.
“The delivery method via Facebook Ads and compromised accounts is something that threat actors have abused for a while, still combining it with one of the malware’s revealed abilities (to steal victim’s Facebook account information) can function as an elaborate self-feeding routine,” the company noted.
The development comes as Malwarebytes uncovered a new campaign that uses sponsored posts and compromised verified accounts masquerading as Facebook Ads Manager to induce users to download fake Google Chrome extensions designed to steal Facebook login information.
Users who click the embedded link are prompted to download a RAR archive containing an MSI installer which, in turn, launches a batch script that spawns a new Google Chrome window with the malicious extension loaded via the “--load-extension” flag:
start chrome.exe --load-extension="%~dp0/nmmhkkegccagdldgiimedpiccmgmiedagg4" "https://www.facebook.com/business/tools/ads-manager"
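As an added example that is not part of the Malwarebytes or Check Point write-ups, the following Python flags Chrome launches that side-load an unpacked extension through --load-extension, as the batch script above does, from process-creation records, rating a script-host parent (cmd.exe) combined with a user-writable extension path highest. The event fields, file paths and pids are constructed for the demonstration.

```python
import re

# Matches "--load-extension=<value>" or "--load-extension <value>"; the value may be
# double-quoted and may list several unpacked-extension directories separated by commas.
LOAD_EXT_RE = re.compile(r'--load-extension(?:=|\s+)("[^"]*"|\S+)', re.IGNORECASE)
# Script hosts that should not be launching a browser with a side-loaded extension in a
# normal user session; the campaign above uses a batch script (cmd.exe) run by an MSI installer.
SCRIPT_PARENTS = ("cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "msiexec.exe")
USER_WRITABLE = ("\\downloads\\", "\\temp\\", "\\public\\")

def extension_dirs(cmdline: str) -> list:
    """Return the directories handed to --load-extension, or [] if the flag is absent."""
    m = LOAD_EXT_RE.search(cmdline)
    return [d for d in m.group(1).strip('"').split(",") if d] if m else []

def rate(parent_image: str, dirs: list) -> str:
    """Triage: a script-host parent plus a user-writable path is the pattern from the campaign."""
    scripted = parent_image.lower().rsplit("\\", 1)[-1] in SCRIPT_PARENTS
    writable = any(w in d.lower() for d in dirs for w in USER_WRITABLE)
    if scripted and writable:
        return "high"
    return "medium" if (scripted or writable) else "low"  # low: e.g. a developer's own unpacked extension

def scan(events: list) -> list:
    """events: process-creation records (pid, image, parent_image, cmdline) as an EDR or Sysmon would log them."""
    findings = []
    for e in events:
        if not e["image"].lower().endswith("chrome.exe"):
            continue
        dirs = extension_dirs(e["cmdline"])
        if dirs:
            findings.append({"pid": e["pid"], "parent": e["parent_image"], "dirs": dirs,
                             "severity": rate(e["parent_image"], dirs)})
    return findings

# Constructed sample events (not from the report); cmd.exe has already expanded %~dp0 into the script's folder.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'chrome.exe --load-extension="C:\Users\alice\Downloads\AdsManager\nmmhkkegccagdldgiimedpiccmgmiedagg4" "https://www.facebook.com/business/tools/ads-manager"'},
    {"pid": 4188, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.example.com'},
    {"pid": 4202, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Users\bob\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "cmdline": r"chrome.exe --load-extension=C:\src\myext,C:\src\otherext"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] pid={f['pid']} parent={f['parent']} dirs={f['dirs']}")
```

A real deployment would feed Sysmon Event ID 1 or EDR process-start telemetry into scan() instead of the constructed list.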
“That particular extension is cleverly disguised as Google Translate and is considered ‘Free’ because it is loaded from a local machine, not from the Chrome Web Store,” Jérôme Segura, director of threat intelligence at Malwarebytes, explained, noting that it “focuses entirely on Facebook and captures critical information that could allow attackers into accounts.”
The captured data is then sent using the Google Analytics API, circumventing the content security policy (CSP) that is meant to mitigate cross-site scripting (XSS) and data injection attacks.
The threat actor behind the activity is thought to be based in Vietnam and has in recent months shown a keen interest in targeting Facebook business accounts and ads. More than 800 victims worldwide have been affected, 310 of them located in the US.
“Fraudsters have a lot of free time and spend years studying and understanding how to abuse social media and cloud platforms, where there is always an arms race to keep bad actors out,” Segura said. “Remember that there is no silver bullet and anything that sounds too good to be true may be a scam in disguise.”