    Sophisticated BundleBot Malware Disguised as Google AI Chatbot and Utilities

By justmattg, July 23, 2023


    Jul 21, 2023THNCyber Threat / Malware


    A new malware strain known as BundleBot has been stealthily operating under the radar by taking advantage of .NET single-file deployment techniques, enabling threat actors to capture sensitive information from compromised hosts.

    “BundleBot is abusing the dotnet bundle (single-file), self-contained format that results in very low or no static detection at all,” Check Point said in a report published this week, adding it is “commonly distributed via Facebook Ads and compromised accounts leading to websites masquerading as regular program utilities, AI tools, and games.”

    Some of these websites aim to mimic Google Bard, the company’s conversational generative artificial intelligence chatbot, enticing victims into downloading a bogus RAR archive (“Google_AI.rar”) hosted on legitimate cloud storage services such as Dropbox.

The archive file, when unpacked, contains an executable file (“GoogleAI.exe”), a .NET single-file, self-contained application that, in turn, incorporates a DLL file (“GoogleAI.dll”) whose responsibility is to fetch a password-protected ZIP archive from Google Drive.

    The extracted content of the ZIP file (“ADSNEW-1.0.0.3.zip”) is another .NET single-file, self-contained application (“RiotClientServices.exe”) that incorporates the BundleBot payload (“RiotClientServices.dll”) and a command-and-control (C2) packet data serializer (“LirarySharing.dll”).

    “The assembly RiotClientServices.dll is a custom, new stealer/bot that uses the library LirarySharing.dll to process and serialize the packet data that are being sent to C2 as a part of the bot communication,” the Israeli cybersecurity company said.

    The binary artifacts employ custom-made obfuscation and junk code in a bid to resist analysis, and come with capabilities to siphon data from web browsers, capture screenshots, grab Discord tokens, information from Telegram, and Facebook account details.

    Check Point said it also detected a second BundleBot sample that’s virtually identical in all aspects barring the use of HTTPS to exfiltrate the information to a remote server in the form of a ZIP archive.

The use of Google Bard lures should come as no surprise, given that the popularity of such AI tools has been capitalized on by cybercriminals in recent months to deceive users on platforms like Facebook into unknowingly downloading a variety of info-stealing malware such as Doenerium.

    “The delivering method via Facebook Ads and compromised accounts is something that has been abused by threat actors for a while, still combining it with one of the capabilities of the revealed malware (to steal a victim’s Facebook account information) could serve as a tricky self-feeding routine,” the company noted.


    The development comes as Malwarebytes uncovered a new campaign that employs sponsored posts and compromised verified accounts that impersonate Facebook Ads Manager to entice users into downloading rogue Google Chrome extensions that are designed to steal Facebook login information.

Users who click on the embedded link are prompted to download a RAR archive file containing an MSI installer file that, for its part, launches a batch script to spawn a new Google Chrome window with the malicious extension loaded using the “--load-extension” flag:

    start chrome.exe --load-extension="%~dp0/nmmhkkegccagdldgiimedpiccmgmiedagg4" "https://www.facebook.com/business/tools/ads-manager"
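That launch line is a useful detection anchor: a browser started with `--load-extension` pointing at a directory that an installer just dropped, with a script host as the parent process, is rarely legitimate on a non-developer workstation. The following is an added example, not code from Malwarebytes or from the campaign, that runs such a check over constructed process-creation events modelled on Sysmon Event ID 1 fields (`Image`, `ParentImage`, `CommandLine`). The event records, the field names and the function name are this example's own assumptions; the extension directory in the second sample event reuses the name from the command line above but sits under a made-up temp path.

```python
import re

# Captures the argument of --load-extension whether quoted or bare; Chrome accepts
# several comma-separated directories in one flag.
LOAD_EXT_RE = re.compile(r'--load-extension=(?:"([^"]*)"|(\S+))', re.IGNORECASE)
BROWSER_IMAGES = ("chrome.exe", "msedge.exe", "brave.exe")
SCRIPT_HOST_PARENTS = ("cmd.exe", "msiexec.exe", "wscript.exe", "cscript.exe", "powershell.exe")
STAGING_DIR_RE = re.compile(r"\\(AppData\\Local\\Temp|Downloads)\\", re.IGNORECASE)

# Constructed sample events (not real telemetry). Event 1 is a normal browser start,
# event 2 mirrors the installer-spawned launch described in the article, event 3 is a
# developer loading unpacked extensions from a shortcut.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'chrome.exe --load-extension="C:\Users\victim\AppData\Local\Temp\installer_dir/nmmhkkegccagdldgiimedpiccmgmiedagg4" "https://www.facebook.com/business/tools/ads-manager"'},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=C:\dev\my-ext,C:\dev\other-ext'},
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_extension_sideloads(events):
    """Return one hit per browser process started with --load-extension, with the
    loaded directories and two extra signals: script-host parent and staging directory."""
    hits = []
    for ev in events:
        image = _basename(ev.get("Image", ""))
        if image not in BROWSER_IMAGES:
            continue
        m = LOAD_EXT_RE.search(ev.get("CommandLine", ""))
        if not m:
            continue
        raw = m.group(1) if m.group(1) is not None else m.group(2)
        paths = [p for p in raw.split(",") if p]
        parent = _basename(ev.get("ParentImage", ""))
        suspicious_parent = parent in SCRIPT_HOST_PARENTS
        staging_dir = any(STAGING_DIR_RE.search(p) for p in paths)
        hits.append({
            "image": image,
            "parent": parent,
            "paths": paths,
            "suspicious_parent": suspicious_parent,
            "staging_dir": staging_dir,
            # Simple additive score: 1 for the flag itself, +1 per corroborating signal.
            "score": 1 + int(suspicious_parent) + int(staging_dir),
        })
    return hits


if __name__ == "__main__":
    for hit in find_extension_sideloads(SAMPLE_EVENTS):
        print(f"score={hit['score']} parent={hit['parent']} paths={hit['paths']}")
```

Score 3 hits (script-host parent plus a temp or Downloads directory) are the ones worth an alert; score 1 hits, like the developer case, are better suited to a watchlist so that the rule does not page on every unpacked-extension workflow.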


    “That custom extension is cleverly disguised as Google Translate and is considered ‘Unpacked’ because it was loaded from the local computer, rather than the Chrome Web Store,” Jérôme Segura, director of threat intelligence at Malwarebytes, explained, noting it is “entirely focused on Facebook and grabbing important pieces of information that could allow an attacker to log into accounts.”

    The captured data is subsequently sent using the Google Analytics API to get around content security policies (CSPs) put in place to mitigate cross-site scripting (XSS) and data injection attacks.

The threat actors behind the activity are suspected to be of Vietnamese origin and have, in recent months, shown acute interest in targeting Facebook business and advertising accounts. Over 800 victims worldwide have been impacted, 310 of them located in the U.S.

    “Fraudsters have a lot of time on their hands and spend years studying and understanding how to abuse social media and cloud platforms, where it is a constant arm’s race to keep bad actors out,” Segura said. “Remember that there is no silver bullet and anything that sounds too good to be true may very well be a scam in disguise.”
