Sophisticated BundleBot Malware Disguised as Google AI Chatbot and Utilities

July 21, 2023 | THN | Cyber Threat / Malware


A new malware strain known as BundleBot leverages .NET's single-file, self-contained deployment technique to operate under the radar, allowing attackers to harvest sensitive information from a compromised host.

In a report released this week, Check Point said, "BundleBot abuses self-contained dotnet bundles (single-file), resulting in very low or no static detection. BundleBot is commonly distributed via Facebook ads and compromised accounts leading to websites disguised as regular program utilities, AI tools, and games."

Some of these websites aim to mimic Google Bard, the company's conversational generative artificial intelligence chatbot, and entice victims into downloading a fake RAR archive ("Google_AI.rar") hosted on legitimate cloud storage services such as Dropbox.

Extracting the archive yields an executable ("GoogleAI.exe"). It is a .NET single-file, self-contained application that in turn contains a DLL ("GoogleAI.dll") whose role is to fetch a password-protected ZIP archive from Google Drive.

The extracted contents of the ZIP file ("ADSNEW-1.0.0.3.zip") are another .NET single-file, self-contained application ("RiotClientServices.exe") that embeds the BundleBot payload ("RiotClientServices.dll") and a command-and-control (C2) packet data serializer ("LirarySharing.dll").
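The "very low or no static detection" noted above comes from the managed payload (here "GoogleAI.dll") being embedded inside a native apphost rather than shipped as a separate file that a scanner would inspect on its own. The bundle is still a documented structure: the apphost carries an 8-byte manifest offset immediately followed by the 32-byte SHA-256 of the string ".net core bundle", and the manifest at that offset lists every embedded file with its offset, size and optional raw-deflate compression. The following Python is an added example, not code from Check Point or from the page; it locates the marker, parses the manifest (header versions 1, 2 and 6 as written by .NET Core 3.x, .NET 5 and .NET 6+) and carves the embedded files so each can be scanned individually. It builds its own minimal in-memory bundle as constructed test data: the file names are taken from the article, the bytes are synthetic, and the bundle ID is made up.

```python
import hashlib
import struct
import zlib

# The apphost placeholder: 8-byte manifest offset, then SHA-256(".net core bundle").
BUNDLE_SIGNATURE = hashlib.sha256(b".net core bundle").digest()

FILE_TYPES = {0: "unknown", 1: "assembly", 2: "native_binary",
              3: "deps_json", 4: "runtimeconfig_json", 5: "symbols"}


class _Reader:
    """Sequential little-endian reader over the manifest bytes."""

    def __init__(self, data, pos):
        self.data, self.pos = data, pos

    def unpack(self, fmt):
        vals = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return vals[0] if len(vals) == 1 else vals

    def string(self):
        # BinaryWriter string: 7-bit encoded length prefix, then UTF-8 bytes.
        length, shift = 0, 0
        while True:
            b = self.unpack("<B")
            length |= (b & 0x7F) << shift
            if not b & 0x80:
                break
            shift += 7
        raw = self.data[self.pos:self.pos + length]
        self.pos += length
        return raw.decode("utf-8")


def find_bundle_header_offset(data):
    """Return the manifest offset, or None for non-bundle files.

    A plain (non-bundle) apphost still contains the signature but stores
    offset 0 in front of it, so a zero offset means 'not a bundle'.
    """
    idx = data.find(BUNDLE_SIGNATURE)
    if idx < 8:
        return None
    (offset,) = struct.unpack_from("<q", data, idx - 8)
    return offset if 0 < offset < len(data) else None


def parse_bundle(data):
    """Parse the manifest into a dict describing the embedded files."""
    offset = find_bundle_header_offset(data)
    if offset is None:
        return None
    r = _Reader(data, offset)
    major, minor, count = r.unpack("<IIi")
    bundle_id = r.string()
    if major >= 2:
        # deps.json / runtimeconfig.json locations (offset, size each) and flags
        r.unpack("<qqqqq")
    files = []
    for _ in range(count):
        file_offset, size = r.unpack("<qq")
        compressed = r.unpack("<q") if major >= 6 else 0  # 0 = stored uncompressed
        ftype = r.unpack("<B")
        files.append({"path": r.string(), "offset": file_offset, "size": size,
                      "compressed_size": compressed,
                      "type": FILE_TYPES.get(ftype, str(ftype))})
    return {"version": f"{major}.{minor}", "bundle_id": bundle_id, "files": files}


def extract_file(data, entry):
    """Return the embedded file's bytes, inflating raw-deflate entries."""
    start = entry["offset"]
    if entry["compressed_size"]:
        return zlib.decompress(data[start:start + entry["compressed_size"]], -15)
    return data[start:start + entry["size"]]


def build_sample_bundle():
    """Constructed test data: a minimal version-6 bundle, not a real apphost."""
    def bw_string(s):  # BinaryWriter string prefix for lengths < 128
        return bytes([len(s)]) + s

    assembly = b"MZ" + b"\x00" * 62 + b"placeholder managed assembly"
    deps = b'{"runtimeTarget":{}}'
    comp = zlib.compressobj(wbits=-15)
    deps_deflated = comp.compress(deps) + comp.flush()

    body = bytearray(b"NATIVE-APPHOST-STUB")
    marker_at = len(body)
    body += b"\x00" * 8 + BUNDLE_SIGNATURE        # offset patched in below
    asm_off = len(body)
    body += assembly
    deps_off = len(body)
    body += deps_deflated
    manifest_at = len(body)
    body += struct.pack("<IIi", 6, 0, 2) + bw_string(b"sample-bundle-id")
    body += struct.pack("<qqqqq", deps_off, len(deps), 0, 0, 0)
    body += struct.pack("<qqqB", asm_off, len(assembly), 0, 1) + bw_string(b"GoogleAI.dll")
    body += struct.pack("<qqqB", deps_off, len(deps), len(deps_deflated), 3) + bw_string(b"GoogleAI.deps.json")
    struct.pack_into("<q", body, marker_at, manifest_at)
    return bytes(body)


if __name__ == "__main__":
    sample = build_sample_bundle()
    info = parse_bundle(sample)
    print(info["version"], info["bundle_id"])
    for entry in info["files"]:
        print(entry["type"], entry["path"], len(extract_file(sample, entry)), "bytes")
```

Run against a real single-file executable, the same parse_bundle and extract_file calls give the list of embedded assemblies and their bytes; feeding those bytes to a normal PE/.NET scanner closes the gap the attackers are relying on.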

"The assembly RiotClientServices.dll is a custom new stealer/bot that uses the library LirarySharing.dll to process and serialize packet data sent to the C2 as part of the bot communication," the Israeli cybersecurity firm said.

The binary employs custom obfuscation and junk code to hinder analysis, and is capable of siphoning data from web browsers, capturing screenshots, grabbing Discord tokens, and collecting information from Telegram as well as Facebook account details.

Check Point said it also detected a second BundleBot sample that is virtually identical in every respect, except that it uses HTTPS to exfiltrate the information to a remote server in the form of a ZIP archive.

"The delivery method via Facebook ads and compromised accounts has been exploited by attackers for some time, but combined with one of the revealed malware's capabilities (stealing victims' Facebook account information), it can become a nasty self-feeding routine," the company noted.


The development comes as Malwarebytes discovered a campaign that uses sponsored posts and compromised verified accounts impersonating Facebook Ads Manager to trick users into downloading a rogue Google Chrome extension designed to steal Facebook login credentials.

Users who click the embedded link are prompted to download a RAR archive containing an MSI installer. The installer launches a batch script that opens a new Google Chrome window with the malicious extension loaded via the "--load-extension" flag:

start chrome.exe --load-extension="%~dp0/nmmhkkegccagdldgiimedpiccmgmiedagg4" "https://www.facebook.com/business/tools/ads-manager"
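The launch line above is the one artifact an endpoint sensor needs: a browser spawned by a script host with --load-extension pointing at a directory the user just extracted (%~dp0 expands to the batch file's own folder, so the real path shows up in process telemetry). The following Python is an added example, not code from Malwarebytes or from the page; it runs that logic over constructed Sysmon-style process-creation records (the field names Image, ParentImage and CommandLine follow Sysmon Event ID 1; the user name, temp directory and extension folder name are made up) and scores each hit. It generalises past the article's case: Chromium accepts "--", "-" and "/" as switch prefixes on Windows and a comma-separated list of directories, and a developer loading their own extension from explorer.exe is scored low rather than dropped.

```python
import re
from pathlib import PureWindowsPath

# Chromium accepts "--", "-" and "/" as switch prefixes on Windows, and
# --load-extension takes a comma-separated list of unpacked extension dirs.
LOAD_EXTENSION = re.compile(r'(?:--|-|/)load-extension=(?:"([^"]*)"|(\S+))', re.IGNORECASE)
URL = re.compile(r'https?://\S+')

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "msiexec.exe",
                "wscript.exe", "cscript.exe"}
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\public\\")


def load_extension_paths(cmdline):
    """Every directory passed to --load-extension, quoted or not, split on commas."""
    paths = []
    for m in LOAD_EXTENSION.finditer(cmdline):
        value = m.group(1) if m.group(1) is not None else m.group(2)
        paths.extend(p.strip() for p in value.split(",") if p.strip())
    return paths


def assess(event):
    """Return a finding dict for a sideloaded-extension launch, else None."""
    image = PureWindowsPath(event["Image"]).name.lower()
    if image not in BROWSERS:
        return None
    paths = load_extension_paths(event["CommandLine"])
    if not paths:
        return None
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    reasons = ["browser started with --load-extension (unpacked extension sideloaded)"]
    if parent in SCRIPT_HOSTS:
        reasons.append(f"parent process is script host {parent}")
    if any(any(d in p.lower() for d in STAGING_DIRS) for p in paths):
        reasons.append("extension directory is under a temp/download location")
    severity = {1: "low", 2: "medium"}.get(len(reasons), "high")
    return {
        "extension_paths": paths,
        "landing_urls": [u.strip('"') for u in URL.findall(event["CommandLine"])],
        "reasons": reasons,
        "severity": severity,
    }


def scan(events):
    """Assess a batch of process-creation records and keep the findings."""
    return [f for f in (assess(e) for e in events) if f]


# Constructed records in Sysmon Event ID 1 shape; paths and names are invented.
SAMPLE_EVENTS = [
    {   # what the article's batch script produces once %~dp0 is expanded
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'chrome.exe --load-extension="C:\Users\victim\AppData\Local\Temp\Rar$EXa0.123\unpacked_ext" "https://www.facebook.com/business/tools/ads-manager"',
    },
    {   # a developer loading their own extensions from a project directory
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"chrome.exe --load-extension=C:\dev\my-ext,C:\dev\other-ext",
    },
    {   # an ordinary launch with no extension switch
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'chrome.exe "https://www.facebook.com/"',
    },
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["severity"], finding["extension_paths"], finding["landing_urls"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

The first record scores high on three counts (the switch, the cmd.exe parent, the WinRAR temp directory) and also records the decoy landing URL; the second scores low and is worth keeping as a signal of developer-mode extensions on a host; the third produces nothing.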


"The custom extension is cleverly disguised as Google Translate and is considered 'unpacked' because it was loaded from the local computer instead of the Chrome Web Store," said Jerome Segura, director of threat intelligence at Malwarebytes, pointing out that it was "completely focused on Facebook and obtaining important information that could allow the attacker to log into the account."

The captured data is then sent via the Google Analytics API, a trick that gets around the Content Security Policy (CSP) that the site has in place to mitigate cross-site scripting (XSS) and data injection attacks, since analytics endpoints are typically allowlisted.

The attackers behind this activity are suspected to be of Vietnamese origin and have shown a keen interest in targeting Facebook business and advertising accounts in recent months. More than 800 victims worldwide have been affected, 310 of them in the United States.

"Scammers have plenty of time on their hands and have spent years researching and understanding how to abuse social media and cloud platforms, where there is a constant arms race to keep the bad guys out," Segura said. "Remember that there is no silver bullet, and anything that sounds too good to be true may very well be a scam."
