Sophisticated BundleBot Malware: A Stealthy Threat Disguised as Google AI Chatbot and Utilities

TL;DR:

  • BundleBot, a sophisticated malware strain, employs .NET single-file deployment techniques to evade detection.
  • It spreads through deceptive websites posing as regular utilities, AI tools, or games, often via Facebook Ads and compromised accounts.
  • The malware mimics Google Bard, enticing victims to download a bogus RAR archive named “Google_AI.rar.”
  • Unpacking the archive reveals an executable file (“GoogleAI.exe”) containing the .NET single-file application, which fetches a password-protected ZIP archive from Google Drive.
  • Inside the ZIP file is another .NET application (“RiotClientServices.exe”), housing the BundleBot payload and a command-and-control data serializer (“LirarySharing.dll”).
  • BundleBot employs custom obfuscation and data theft capabilities, targeting web browsers, Discord, Telegram, and Facebook accounts.
  • Malwarebytes uncovered a related campaign using sponsored posts and compromised accounts to distribute rogue Chrome extensions targeting Facebook login information.

Main AI News:

A concerning new malware strain, known as BundleBot, has recently emerged, flying under the radar with its stealthy operations. This malicious software takes advantage of .NET single-file deployment techniques, allowing threat actors to exploit compromised hosts and harvest sensitive information.

Check Point, a prominent cybersecurity firm, revealed in a recent report that BundleBot relies on the dotnet bundle (single-file) method, making it incredibly difficult to detect through static analysis. To make matters worse, the malware is often distributed via Facebook Ads and compromised accounts, cunningly masquerading as legitimate program utilities, AI tools, or even games.
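As an added defender-side example (not from the Check Point report or this article), a small triage script that flags .NET single-file bundles by the marker the dotnet apphost embeds: an 8-byte little-endian offset to the bundle manifest followed by SHA-256(".net core bundle"). The sample input is constructed, and the only manifest fields assumed are the version pair and file count at the start of the header.

```python
import hashlib
import struct
import sys

# The dotnet apphost embeds a marker: an 8-byte little-endian offset to the bundle
# manifest followed by a 32-byte signature, SHA-256(".net core bundle"). Assumption:
# that marker (from the dotnet runtime's bundle format) is what we key on here.
BUNDLE_SIGNATURE = hashlib.sha256(b".net core bundle").digest()


def find_bundle_header(data: bytes):
    """Return the manifest offset if data is a .NET single-file bundle, else None."""
    sig_at = data.find(BUNDLE_SIGNATURE)
    if sig_at < 8:
        return None  # no marker, or no room for the offset field before it
    (header_offset,) = struct.unpack_from("<q", data, sig_at - 8)
    # A plain (non-bundled) apphost keeps the marker with a zero offset placeholder.
    if header_offset <= 0 or header_offset + 12 > len(data):
        return None
    return header_offset


def read_manifest_summary(data: bytes):
    """Read only the start of the manifest header: major/minor version and file count."""
    off = find_bundle_header(data)
    if off is None:
        return None
    major, minor, count = struct.unpack_from("<IIi", data, off)
    return {"version": f"{major}.{minor}", "embedded_files": count}


def build_sample(embedded_files: int = 3) -> bytes:
    """Constructed stand-in for a bundle: fake PE bytes, a manifest header, then the marker.

    In a real binary the marker sits inside the apphost rather than at the end; the
    scanner searches for it, so it does not depend on that ordering.
    """
    body = b"MZ" + b"\x00" * 62 + b"fake apphost code" + b"\x00" * 16
    manifest = struct.pack("<IIi", 6, 0, embedded_files) + b"\x0fconstructed-id!"
    return body + manifest + struct.pack("<q", len(body)) + BUNDLE_SIGNATURE


if __name__ == "__main__":
    # Usage: python bundle_triage.py <file>...  (falls back to the constructed sample)
    targets = sys.argv[1:]
    for path in targets:
        with open(path, "rb") as fh:
            summary = read_manifest_summary(fh.read())
        print(path, "->", summary or "not a single-file bundle")
    if not targets:
        print("constructed sample ->", read_manifest_summary(build_sample()))
```

A hit only says "this is a single-file bundle", which is common for legitimate software too; treat it as a triage signal that tells you to extract and scan the embedded assemblies rather than as an indicator of malice.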

One of the deceptive websites created by these cybercriminals imitates the appearance of Google Bard, the renowned conversational generative artificial intelligence chatbot developed by Google. Unsuspecting victims are lured into downloading a seemingly innocent RAR archive named “Google_AI.rar” from cloud storage services like Dropbox.

Unpacking the archive yields an executable labeled “GoogleAI.exe.” This .NET single-file, self-contained application embeds a DLL named “GoogleAI.dll,” whose primary function is to fetch a password-protected ZIP archive from Google Drive.

Within the ZIP file, referred to as “ADSNEW-1.0.0.3.zip,” lies another .NET single-file, self-contained application dubbed “RiotClientServices.exe.” This application incorporates the insidious BundleBot payload, represented by “RiotClientServices.dll,” along with a command-and-control (C2) packet data serializer, known as “LirarySharing.dll.”

The malicious “RiotClientServices.dll” is a custom, previously unseen stealer/bot that relies on the “LirarySharing.dll” library to process and serialize packet data for communication with the C2 server. Both components are built with custom obfuscation and junk code, making them challenging to analyze and counteract.

Once active, BundleBot exhibits a range of capabilities that allow it to steal data from web browsers, capture screenshots, harvest Discord tokens, collect information from Telegram, and even acquire Facebook account details, among other malicious actions.

In a surprising twist, Check Point identified a second sample of BundleBot that bears a striking resemblance to the first, with the only difference being the use of HTTPS to transmit exfiltrated information to a remote server in the form of a ZIP archive.

The choice of Google Bard as a decoy is unsurprising, considering cybercriminals’ recent trend of exploiting the popularity of AI tools on platforms like Facebook to distribute various information-stealing malware, including infamous ones like Doenerium.

The delivery method through Facebook Ads and compromised accounts has been an ongoing tactic used by threat actors, but when coupled with the ability to steal a victim’s Facebook account information, it becomes an even more insidious and self-sustaining operation.

As cybersecurity experts continue to uncover and battle these threats, the importance of vigilance and skepticism cannot be overstated. Malwarebytes recently revealed a campaign employing sponsored posts and compromised verified accounts that impersonate Facebook Ads Manager to lure users into downloading rogue Google Chrome extensions designed to steal Facebook login information.

The campaign tricks users into downloading an MSI installer file hidden within a RAR archive. Once executed, the installer launches a batch script that loads a custom extension masquerading as “Google Translate,” but in reality, it’s a malicious tool focused solely on capturing critical information for potential attackers.

The captured data is exfiltrated through the Google Analytics API, which lets it pass content security policies (CSPs) that are designed to mitigate cross-site scripting (XSS) and data injection attacks.

These recent developments point to suspected threat actors of Vietnamese origin, demonstrating a keen interest in targeting Facebook business and advertising accounts. With over 800 victims worldwide, including 310 in the United States, it is evident that cybercriminals are relentless in their pursuit of exploiting social media and cloud platforms.

Conclusion:

The emergence of BundleBot poses a significant threat to the cybersecurity landscape. Its ability to evade detection through .NET single-file deployment and its deceptive distribution method via legitimate-looking websites and social media platforms make it a formidable challenge for businesses and users. The use of popular AI tools as a disguise further highlights the creativity and determination of cybercriminals to exploit unsuspecting victims. For the market, this means an increased need for advanced threat detection and security measures to protect sensitive information and prevent data breaches. Businesses and individuals should remain vigilant and adopt robust cybersecurity practices to safeguard against such stealthy and damaging malware.
